- Security descriptor
Security descriptors are data structures of security information for "securable" Windows objects, that is objects that can be identified by a unique name. Security descriptors can be associated with any named objects, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources. [cite web|url=http://msdn.microsoft.com/en-us/library/aa379557(VS.85).aspx|title=Securable Objects|publisher=
Microsoft |date=2008-04-24|accessdate=2008-07-16]Security descriptors contain Discretionary
Access Control List s (DACL's) that contain Access Control Entries (ACEs) that grant and deny access to trustees such as users or groups. They also contain a Security Access Control List (SACLs) that control auditing of object access. [cite web|url=http://technet2.microsoft.com/windowsserver/en/library/d4f08d96-f360-451f-bed3-61a60bc2acde1033.mspx?mfr=true|title=What Are Security Descriptors and Access Control Lists?|publisher=Microsoft |accessdate=2008-07-16] [cite web|url=http://msdn.microsoft.com/en-us/library/aa446597(VS.85).aspx|title=DACLs and ACEs|publisher=Microsoft |date=2008-04-24|accessdate=2008-07-16] ACE's may be explicitly applied to an object or inherited from a parent object. The order of ACE's in an ACL is important, with access denied ACEs appearing higher in the order than ACEs that grant access. Security Descriptors also contain the object owner.Files and folder permissions can be edited by various tools including
Windows Explorer , WMI, command line tools likeCacls , XCacls, ICacls, SubInACL [ [http://www.microsoft.com/downloadS/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en SubInACL home page] ] , thefreeware win32 console FILEACL [ [http://www.gbordier.com/gbtools/fileacl.asp FILEACL home page] ] [cite web|url=http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=723f64ea-34f0-4e6d-9a72-004d35de4e64&displaylang=en|title=FILEACL v3.0.1.6|publisher=Microsoft |date=2004-03-23|accessdate=2008-07-25] , thefree software utilitySetACL , and otherfreeware andshareware utilties. To edit a security descriptor, a user needs WRITE_DAC permissions to the object, [cite web|url=http://msdn.microsoft.com/en-us/library/aa374892(VS.85).aspx|title=ACCESS_MASK Data Type|publisher=Microsoft |date=2008-04-24|accessdate=2008-07-23] a permission that is usually delegated by default to administrators.ee also
*Access control as it relates to computer security
*Audit
*Authorization
*Computer security
*Information security
*Token (Windows NT architecture)
*Windows SID References
External links
* [http://www.ss64.com/nt/cacls.html CACLS command description on SS64.com]
Wikimedia Foundation. 2010.