Security descriptor
Security descriptors are data structures of security information for securable Windows objects, that is, objects that can be identified by a unique name. Security descriptors can be associated with any named objects, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources.

Security descriptors contain discretionary access control lists (DACLs) that contain access control entries (ACEs) that grant and deny access to trustees such as users or groups. They also contain system access control lists (SACLs) that control auditing of object access. ACEs may be explicitly applied to an object or inherited from a parent object. The order of ACEs in an ACL is important, with access-denied ACEs appearing higher in the order than ACEs that grant access. Security descriptors also contain the object owner.
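
The effect of ACE order described above, as an added example that is not part of the original article: a simplified Python model of walking a DACL from top to bottom. Trustee names stand in for SIDs, and the `Ace` class, the function names and the sample DACL are constructed for illustration; the explicit-before-inherited rule in `canonical_order` goes slightly beyond the article's deny-before-allow statement.

```python
from dataclasses import dataclass

# Access-mask bits as defined in the Windows SDK (winnt.h)
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
WRITE_DAC = 0x00040000

@dataclass(frozen=True)
class Ace:
    allow: bool             # True = access-allowed ACE, False = access-denied ACE
    trustee: str            # user or group name (stands in for a SID)
    mask: int               # access rights this ACE covers
    inherited: bool = False

def access_check(dacl, token_sids, desired):
    """Walk the DACL in order; the first ACE to decide a requested bit wins."""
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue                    # ACE does not apply to this caller
        if ace.allow:
            remaining &= ~ace.mask      # these bits are now granted
        elif ace.mask & remaining:
            return False                # a still-ungranted bit is denied
        if remaining == 0:
            return True                 # everything granted; later ACEs are never read
    return False                        # bits no ACE granted are implicitly denied

def canonical_order(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow (stable sort)."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def is_canonical(dacl):
    """Audit check: flag DACLs where a deny ACE can be shadowed by an earlier allow."""
    return list(dacl) == canonical_order(dacl)

# Constructed sample: alice is a member of Staff; the deny ACE sits below the allow ACE.
TOKEN = {"alice", "Staff"}
MISORDERED = [
    Ace(True, "Staff", FILE_READ_DATA | FILE_WRITE_DATA),
    Ace(False, "alice", FILE_WRITE_DATA),
]

if __name__ == "__main__":
    print("misordered, write:", access_check(MISORDERED, TOKEN, FILE_WRITE_DATA))
    fixed = canonical_order(MISORDERED)
    print("canonical,  write:", access_check(fixed, TOKEN, FILE_WRITE_DATA))
    print("canonical,  read: ", access_check(fixed, TOKEN, FILE_READ_DATA))
```

With the deny ACE below the allow ACE, the walk ends as soon as the group grant satisfies the request, so the deny entry is never evaluated; reordering makes it effective without affecting read access.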

File and folder permissions can be edited by various tools including Windows Explorer, WMI, command line tools like Cacls, XCacls, ICacls, SubInACL, the freeware win32 console FILEACL, the free software utility SetACL, and other freeware and shareware utilities. To edit a security descriptor, a user needs WRITE_DAC permissions to the object, a permission that is usually delegated by default to administrators and the object's owner.

See also

  • Access control as it relates to computer security
  • Audit
  • Authorization
  • Computer security
  • Information security
  • Token (Windows NT architecture)
  • Windows SID

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 