Access Control
This section provides information on the Windows API functions and concepts related to access control, which governs how processes and users can interact with system objects.
Overview of Access Control
Access control in Windows is a fundamental security mechanism that ensures only authorized entities can access protected resources. It operates based on security descriptors associated with securable objects and access tokens held by processes.
Key Concepts
- Access Token: A data structure that describes the security context of a process or thread. It contains the security identifiers (SIDs) of the user, group memberships, privileges, and the owner's SID.
- Security Descriptor: An object that contains the security information of a securable object. This includes the owner, a discretionary access control list (DACL), and a system access control list (SACL).
- Discretionary Access Control List (DACL): Specifies which users and groups have what types of access to an object.
- System Access Control List (SACL): Controls the auditing of access attempts to an object.
- Access Mask: A bitmask that specifies the requested access rights to an object (e.g., read, write, execute, delete).
- Access Control Entry (ACE): An entry within a DACL or SACL that grants or denies specific permissions to a SID or specifies auditing information.
Core Functions
The following are some of the most important API functions for managing and querying access control:
| Function Name | Description | Related Concepts |
|---|---|---|
| AccessCheck | Determines whether an access mask is valid for a specified security descriptor. | Security Descriptor, Access Mask |
| AdjustTokenPrivileges | Enables or disables the privileges in the specified access token. | Access Token, Privileges |
| CreateWellKnownSid | Creates a security identifier (SID) for a well-known group or account. | SID |
| DuplicateTokenEx | Creates a duplicate of an existing access token. | Access Token |
| GetEffectiveToken | Retrieves the effective token for a thread. | Access Token |
| GetSecurityDescriptorDacl | Retrieves a pointer to the DACL in a security descriptor. | Security Descriptor, DACL |
| ImpersonateLoggedOnUser | Enables a thread to impersonate a user account. | Access Token |
| OpenProcessToken | Opens the access token associated with a process. | Access Token |
| SetSecurityDescriptorDacl | Sets the DACL in a security descriptor. | Security Descriptor, DACL |
| SetTokenInformation | Sets various types of information for a specified access token. | Access Token |
Access Rights Constants
Commonly used access rights constants include:
- Generic rights: GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL
- Standard rights: READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE
- Object-specific rights (e.g., FILE_READ_DATA, PROCESS_CREATE_THREAD)
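As an added example that is not part of the original page, the following portable C model reproduces the rules AccessCheck applies when it evaluates a DACL against a token: generic-to-specific mapping of the access mask, the owner's implicit READ_CONTROL and WRITE_DAC, and in-order ACE processing in which a deny ACE only takes effect if it is reached before an allow ACE satisfies the request. It goes beyond the page's single AccessCheck call to show why ACE ordering matters; the SIDs, sample ACEs and helper names (map_generic_file, access_check) are constructed for illustration, while the constants carry the Winnt.h values.

```c
/* Constructed model of the DACL evaluation AccessCheck performs; not the Win32 code.
 * Constants carry the Winnt.h values; SIDs are plain strings for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define GENERIC_READ         0x80000000u
#define GENERIC_WRITE        0x40000000u
#define GENERIC_EXECUTE      0x20000000u
#define GENERIC_ALL          0x10000000u
#define READ_CONTROL         0x00020000u
#define WRITE_DAC            0x00040000u
#define FILE_GENERIC_READ    0x00120089u
#define FILE_GENERIC_WRITE   0x00120116u
#define FILE_GENERIC_EXECUTE 0x001200A0u
#define FILE_ALL_ACCESS      0x001F01FFu
typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; const char *sid; uint32_t mask; } Ace;
typedef struct { const char *owner; const Ace *aces; int count; bool null_dacl; } SecDesc;
typedef struct { const char **sids; int count; } Token;  /* user SID plus enabled group SIDs */

/* Equivalent of MapGenericMask for file objects: GENERIC_* bits become file-specific rights. */
uint32_t map_generic_file(uint32_t mask) {
    uint32_t out = mask & 0x0FFFFFFFu;
    if (mask & GENERIC_READ)    out |= FILE_GENERIC_READ;
    if (mask & GENERIC_WRITE)   out |= FILE_GENERIC_WRITE;
    if (mask & GENERIC_EXECUTE) out |= FILE_GENERIC_EXECUTE;
    if (mask & GENERIC_ALL)     out |= FILE_ALL_ACCESS;
    return out;
}

static bool token_has(const Token *t, const char *sid) {
    for (int i = 0; i < t->count; i++) if (strcmp(t->sids[i], sid) == 0) return true;
    return false;
}

/* ACEs are walked in order: a matching deny ACE that covers any still-needed right fails the
 * check immediately, allow ACEs accumulate rights until every requested bit is granted.
 * A deny ACE listed after an allow ACE that already satisfied the request is never reached. */
bool access_check(const SecDesc *sd, const Token *tok, uint32_t desired) {
    desired = map_generic_file(desired);
    if (sd->null_dacl) return true;   /* NULL DACL: no protection, everyone gets everything */
    /* The owner always holds READ_CONTROL and WRITE_DAC, independent of the ACEs. */
    uint32_t granted = token_has(tok, sd->owner) ? (READ_CONTROL | WRITE_DAC) : 0;
    for (int i = 0; i < sd->count && (desired & ~granted); i++) {
        const Ace *a = &sd->aces[i];
        if (!token_has(tok, a->sid)) continue;
        if (a->type == ACE_DENY) { if (a->mask & desired & ~granted) return false; }
        else granted |= a->mask;
    }
    return (desired & ~granted) == 0;
}
```

An empty DACL (count 0, null_dacl false) grants nothing, whereas a NULL DACL grants everything; the two are easy to confuse when building descriptors with SetSecurityDescriptorDacl.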
Example: Checking Access Rights
A simplified example of checking whether the calling process's token grants read access to a file (return values of the token calls are not checked, for brevity):
    #include <windows.h>
    #include <aclapi.h>
    // Open the file with READ_CONTROL so that its security descriptor can be read.
    HANDLE hFile = CreateFileW(L"MyDocument.txt", READ_CONTROL, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile != INVALID_HANDLE_VALUE) {
        PSECURITY_DESCRIPTOR pSD = NULL;
        if (GetSecurityInfo(hFile, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
                            NULL, NULL, NULL, NULL, &pSD) == ERROR_SUCCESS) {
            // AccessCheck requires an impersonation token, so duplicate the process's primary token.
            HANDLE hProcessToken = NULL, hImpToken = NULL;
            OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &hProcessToken);
            DuplicateTokenEx(hProcessToken, TOKEN_QUERY, NULL, SecurityImpersonation, TokenImpersonation, &hImpToken);
            // Generic rights must be mapped to file-specific rights before the check.
            GENERIC_MAPPING gm = { FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS };
            DWORD dwDesiredAccess = GENERIC_READ;
            MapGenericMask(&dwDesiredAccess, &gm);
            PRIVILEGE_SET privSet; DWORD dwPrivSetLen = sizeof(privSet);
            DWORD dwGrantedAccess = 0; BOOL bAccessGranted = FALSE;
            if (AccessCheck(pSD, hImpToken, dwDesiredAccess, &gm, &privSet, &dwPrivSetLen, &dwGrantedAccess, &bAccessGranted)
                && bAccessGranted) {
                // Proceed with read operation
            } else {
                // Access denied (or AccessCheck itself failed; see GetLastError)
            }
            CloseHandle(hImpToken); CloseHandle(hProcessToken);
            LocalFree(pSD);   // GetSecurityInfo allocates the descriptor with LocalAlloc
        }
        CloseHandle(hFile);
    }