Menu
Home Explore People Places Arts History Plants & Animals Science Life & Culture Technology
On this page
Security descriptor
Term

Security descriptors are data structures of security information for securable Windows objects, that is objects that can be identified by a unique name. Security descriptors can be associated with any named objects, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources.

Security descriptors contain discretionary access control lists (DACLs) that contain access control entries (ACEs) that grant and deny access to trustees such as users or groups. They also contain a system access control list (SACLs) that control auditing of object access. ACEs may be explicitly applied to an object or inherited from a parent object. The order of ACEs in an ACL is important, with access denied ACEs appearing higher in the order than ACEs that grant access. Security descriptors also contain the object owner.

Mandatory Integrity Control is implemented through a new type of ACE on a security descriptor.

Files and folder permissions can be edited by various tools including Windows Explorer, WMI, command line tools like Cacls, XCacls, ICacls, SubInACL, the freeware Win32 console FILEACL, the free software utility SetACL, and other utilities. To edit a security descriptor, a user needs WRITE_DAC permissions to the object, a permission that is usually delegated by default to administrators and the object's owner.

We don't have any images related to Security descriptor yet.
We don't have any YouTube videos related to Security descriptor yet.
We don't have any PDF documents related to Security descriptor yet.
We don't have any Books related to Security descriptor yet.
We don't have any archived web articles related to Security descriptor yet.

Permissions in NTFS

The following table summarizes NTFS permissions and their roles (in individual rows.) The table exposes the following information:91011

  • Permission code: Each access control entry (ACE) specifies its permission with binary code. There are 14 codes (12 in older systems.)
  • Meaning: Each permission code has a meaning, depending on whether it is applied to a file or a folder. For example, code 0x01 on a file indicates the permission to read the file, while on a folder indicates the permission to list the content of the folder. Knowing the meaning alone, however, is useless. An ACE must also specify to whom the permission applies, and whether that permission is granted or denied.
  • Included in: In addition to individual permissions, an ACE can specify special permissions known as "generic access rights." These special permissions are equivalents of a number individual permissions. For example, GENERIC_READ (or GR) is the equivalent of "Read data", "Read attributes", "Read extended attributes", "Read permissions", and "Synchronize". Because it makes sense to ask for these five at the same time, requesting "GENERIC_READ" is more convenient.
  • Alias: The two Windows command-line utilities (icacls and cacls) have their own aliases for these permissions.
PermissioncodeMeaningIncluded inAlias
For filesFor foldersR12E13W14A15M16In icaclsIn cacls
0x01Read dataList folder contentsYesYesYesYesRDFILE_READ_DATA
0x80Read attributesYesYesYesYesRAFILE_READ_ATTRIBUTES
0x08Read extended attributesYesYesYesYesREAFILE_READ_EA
0x20Execute fileTraverse folderYesYesYesXFILE_EXECUTE
0x20000Read permissionsYesYesYesYesYesRCREAD_CONTROL
0x100000SynchronizeYesYesYesYesYesSSYNCHRONIZE
0x02Write dataCreate filesYesYesYesWDFILE_WRITE_DATA
0x04Append dataCreate foldersYesYesYesADFILE_APPEND_D
0x100Write attributesYesYesYesWAFILE_WRITE_ATTRIBUTES
0x10Write extended attributesYesYesYesWEAFILE_WRITE_EA
0x10000Delete (or rename17)YesYesDEDELETE
0x40000Change permissionsYesWDACWRITE_DAC
0x80000Take ownershipYesWOWRITE_OWNER
0x40Delete subfolders and filesYesDCFILE_DELETE_CHILD

Most of these permissions are self-explanatory, except the following:

  1. Renaming a file requires the "Delete" permission.18
  2. File Explorer doesn't show "Synchronize" and always sets it. Multi-threaded apps like File Explorer and Windows Command Prompt need the "Synchronize" permission to be able to work with files and folders.19

Footnotes

See also

References

  1. "Securable Objects". Microsoft. 2008-04-24. Retrieved 2008-07-16. https://msdn.microsoft.com/en-us/library/aa379557(VS.85).aspx

  2. "What Are Security Descriptors and Access Control Lists?". Microsoft. Archived from the original on 2008-05-05. Retrieved 2008-07-16. https://web.archive.org/web/20080505125439/http://technet2.microsoft.com/windowsserver/en/library/d4f08d96-f360-451f-bed3-61a60bc2acde1033.mspx?mfr=true

  3. "DACLs and ACEs". Microsoft. 2008-04-24. Retrieved 2008-07-16. https://msdn.microsoft.com/en-us/library/aa446597(VS.85).aspx

  4. https://msdn.microsoft.com/en-us/library/bb625957.aspx What is the Windows Integrity Mechanism? https://msdn.microsoft.com/en-us/library/bb625957.aspx

  5. SubInACL home page http://www.microsoft.com/downloadS/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

  6. FILEACL home page Archived 2012-08-29 at the Wayback Machine http://www.gbordier.com/gbtools/fileacl.asp

  7. "FILEACL v3.0.1.6". Microsoft. 2004-03-23. Archived from the original on April 16, 2008. Retrieved 2008-07-25. https://web.archive.org/web/20080416053942/http://www.microsoft.com/downloads/details.aspx?FamilyID=723F64EA-34F0-4E6D-9A72-004D35DE4E64&displaylang=en

  8. "ACCESS_MASK Data Type". Microsoft. 2008-04-24. Retrieved 2008-07-23. https://msdn.microsoft.com/en-us/library/aa374892(VS.85).aspx

  9. "How Permissions Work". Microsoft. 2013-06-21. Retrieved 2017-11-24. https://technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx

  10. Richard Civil (8 September 2016). "How IT works NTFS Permissions, Part 2". Microsoft. Retrieved 2017-11-24. https://technet.microsoft.com/en-us/library/2006.01.howitworksntfs.aspx

  11. Richard Civil (30 August 2016). "How IT works NTFS Permissions". Microsoft. Retrieved 2017-11-24. https://technet.microsoft.com/en-us/library/2005.11.HowITWorksNTFS.aspx

  12. GENERIC_READ, known as "Read" in File Explorer /wiki/File_Explorer

  13. GENERIC_EXECUTE, known as "Read & Execute" in File Explorer /wiki/File_Explorer

  14. GENERIC_WRITE, known as "Write" in File Explorer /wiki/File_Explorer

  15. GENERIC_ALL, known as "Full Control" in File Explorer /wiki/File_Explorer

  16. Known as "Modify" in File Explorer /wiki/File_Explorer

  17. Chen, Raymond (22 October 2021). "Renaming a file is a multi-step process, only one of which is changing the name of the file". The Old New Thing. Microsoft. Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted. https://devblogs.microsoft.com/oldnewthing/20211022-00/?p=105822

  18. Chen, Raymond (22 October 2021). "Renaming a file is a multi-step process, only one of which is changing the name of the file". The Old New Thing. Microsoft. Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted. https://devblogs.microsoft.com/oldnewthing/20211022-00/?p=105822

  19. Chen, Raymond (18 November 2019). "I set the same ACL with the GUI and with icacls, yet the results are different". The Old New Thing. Microsoft. https://devblogs.microsoft.com/oldnewthing/20191118-00/?p=103110