Security descriptor



Security descriptors are data structures of security information for "securable" Windows objects, that is, objects that can be identified by a unique name. Security descriptors can be associated with any named objects, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources. [Microsoft, "Securable Objects", 2008-04-24, http://msdn.microsoft.com/en-us/library/aa379557(VS.85).aspx, accessed 2008-07-16]

Security descriptors contain Discretionary Access Control Lists (DACLs) that contain Access Control Entries (ACEs) that grant and deny access to trustees such as users or groups. They also contain a Security Access Control List (SACL) that controls auditing of object access. [Microsoft, "What Are Security Descriptors and Access Control Lists?", http://technet2.microsoft.com/windowsserver/en/library/d4f08d96-f360-451f-bed3-61a60bc2acde1033.mspx?mfr=true, accessed 2008-07-16] [Microsoft, "DACLs and ACEs", 2008-04-24, http://msdn.microsoft.com/en-us/library/aa446597(VS.85).aspx, accessed 2008-07-16] ACEs may be explicitly applied to an object or inherited from a parent object. The order of ACEs in an ACL is important, with access-denied ACEs appearing higher in the order than ACEs that grant access. Security descriptors also contain the object owner.

File and folder permissions can be edited by various tools including Windows Explorer, WMI, command-line tools like Cacls, XCacls, ICacls, SubInACL [SubInACL home page, http://www.microsoft.com/downloadS/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en], the freeware win32 console FILEACL [FILEACL home page, http://www.gbordier.com/gbtools/fileacl.asp] [Microsoft, "FILEACL v3.0.1.6", 2004-03-23, http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=723f64ea-34f0-4e6d-9a72-004d35de4e64&displaylang=en, accessed 2008-07-25], the free software utility SetACL, and other freeware and shareware utilities. To edit a security descriptor, a user needs WRITE_DAC permissions to the object, [Microsoft, "ACCESS_MASK Data Type", 2008-04-24, http://msdn.microsoft.com/en-us/library/aa374892(VS.85).aspx, accessed 2008-07-23] a permission that is usually delegated by default to administrators.
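
The ordering rule and the WRITE_DAC requirement described above can be seen in a small model of the access check. This is an added example, not Microsoft code or part of the original article: it walks a DACL in stored order in Python, the SID used for the user "alice" is a constructed sample, and ACE inheritance, the owner's implicit rights and privileges are left out as simplifying assumptions.

```python
from dataclasses import dataclass

# Access-mask bit values as defined in the Windows SDK headers.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
WRITE_DAC = 0x00040000

ADMINS = "S-1-5-32-544"  # well-known SID: BUILTIN Administrators
USERS = "S-1-5-32-545"   # well-known SID: BUILTIN Users
ALICE = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed sample SID

@dataclass(frozen=True)
class Ace:
    kind: str  # "allow" or "deny"
    sid: str   # trustee the entry applies to
    mask: int  # access rights covered by the entry

def access_check(token_sids, dacl, desired):
    """Return True if every right in `desired` is granted (simplified model)."""
    if dacl is None:           # no DACL present: access is unrestricted
        return True
    remaining = desired
    for ace in dacl:           # entries are evaluated strictly in stored order
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False       # a right that is still needed is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True    # all requested rights granted; later ACEs are never read
    return False               # empty DACL, or some right was never granted

def is_canonical(dacl):
    """True when no deny ACE follows an allow ACE (inheritance is ignored here)."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True

# Constructed sample data: alice is a member of Users and must not write.
alice_token = {ALICE, USERS}
deny_write = Ace("deny", ALICE, FILE_WRITE_DATA)
allow_rw = Ace("allow", USERS, FILE_READ_DATA | FILE_WRITE_DATA)
canonical = [deny_write, allow_rw]    # deny first: the write is refused
misordered = [allow_rw, deny_write]   # allow first: the deny is never reached
admin_dacl = [Ace("allow", ADMINS, WRITE_DAC)]
```

With the misordered list the write is granted even though a deny entry for alice exists, which is why an audit of DACLs should flag lists where `is_canonical` is false.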

See also

*Access control as it relates to computer security
*Audit
*Authorization
*Computer security
*Information security
*Token (Windows NT architecture)
*Windows SID


External links

* CACLS command description on SS64.com: http://www.ss64.com/nt/cacls.html


Wikimedia Foundation. 2010.
