Security Descriptors
This topic provides an overview of security descriptors in Windows, which are fundamental data structures for controlling access to securable objects.
What is a Security Descriptor?
A security descriptor is a data structure that defines the security properties of an object. It contains the object's security identity and controls which users and groups can access the object and what operations they are allowed to perform. Objects that can have security descriptors include files, directories, processes, threads, registry keys, and more. They are crucial for implementing the Windows security model.
Key Concept
Security descriptors are the primary mechanism for discretionary access control (DAC) in Windows. They allow object owners to grant or deny access to specific users or groups.
Components of a Security Descriptor
A security descriptor is composed of several components, each playing a vital role in defining and managing object security:
- Owner SID: Identifies the user or group that owns the object. The owner typically has the authority to change the object's permissions.
- Primary Group SID: Identifies the object's primary group. It is kept for POSIX-subsystem compatibility and is not consulted by Windows access checks.
- Discretionary Access Control List (DACL): The most significant component for controlling access. It specifies which users and groups are granted or denied access to the object and what types of access they have.
- System Access Control List (SACL): Controls auditing. It specifies which access attempts (successful or failed) on the object should be logged by the system's audit service.
- Security Descriptor Control: A bitmask of flags describing the properties of the security descriptor and its components, for example whether a DACL is present and whether it is protected from inheritance.
Access Control Lists (ACLs)
An ACL is a list of Access Control Entries (ACEs). Each ACE specifies the identity of a user or group and the permissions granted or denied to that identity.
- DACL: If a DACL is present, it dictates who can access the object. If no DACL is present (a NULL DACL), the object is unprotected and every principal is granted full access; an empty DACL, by contrast, grants access to no one. When a process attempts to access an object, the system walks the DACL's ACEs in order, so an explicit deny ACE placed before an allow ACE takes effect first.
- SACL: The SACL defines the auditing policy for the object. When auditing is enabled, the system logs access attempts according to the SACL's entries.
Security Identifiers (SIDs)
A Security Identifier (SID) is a unique, variable-length structure that identifies a security principal, such as a user, group, or computer account. SIDs are used throughout the Windows operating system wherever a principal must be named, and every ACE and every owner or group field in a security descriptor refers to one. They are fundamental to the access control mechanism.
Managing Security Descriptors
Security descriptors can be manipulated programmatically using Windows API functions. This allows developers to create, read, modify, and delete security information for objects.
Best Practice
When creating security descriptors, always initialize them properly and free any allocated resources to prevent memory leaks.
Key API Functions
The following Windows API functions are commonly used when working with security descriptors:
- InitializeSecurityDescriptor: Initializes a security descriptor structure.
- SetSecurityDescriptorOwner: Sets the owner SID in a security descriptor.
- SetSecurityDescriptorDacl: Sets the DACL in a security descriptor.
- SetSecurityDescriptorSacl: Sets the SACL in a security descriptor.
- GetSecurityDescriptorOwner: Retrieves the owner SID from a security descriptor.
- GetSecurityDescriptorDacl: Retrieves the DACL from a security descriptor.
- GetSecurityDescriptorSacl: Retrieves the SACL from a security descriptor.
- ConvertStringSecurityDescriptorToSecurityDescriptor: Converts a security descriptor string (SDDL) into a security descriptor structure.
- ConvertSecurityDescriptorToStringSecurityDescriptor: Converts a security descriptor structure into a security descriptor string (SDDL).
- SetKernelObjectSecurity: Sets the security descriptor for a kernel object.
- GetKernelObjectSecurity: Retrieves the security descriptor for a kernel object.
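The string form consumed by ConvertStringSecurityDescriptorToSecurityDescriptor (SDDL) packs the owner, group, DACL and SACL into one line, and the DACL rules from the ACL section above (NULL versus empty DACL, in-order evaluation, deny-first) decide the outcome of an access check. The following is an added example, not code from this page or from Windows: a small SDDL parser plus a simplified access check that applies those rules. The alias tables are constructed subsets of the real SDDL tables, and the check deliberately omits generic-right mapping and the owner's implicit rights.

```python
import re
from functools import reduce

# Constructed subsets of the SDDL alias tables; enough for this example.
SID_ALIASES = {"BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "SY": "S-1-5-18", "WD": "S-1-1-0"}
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}

def _pairs(text):  # SDDL packs two-letter codes back to back, e.g. 'OICI' -> {'OI', 'CI'}
    return {text[i:i + 2] for i in range(0, len(text), 2)}

def _mask(text):
    """Rights field: a hex literal or a run of two-letter right codes."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return reduce(lambda m, code: m | RIGHTS[code], _pairs(text), 0)

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL; an absent ACL
    section stays None, which models a NULL ACL rather than an empty one."""
    sd = {"owner": None, "group": None, "dacl": None, "sacl": None}
    for key, body in re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        if key in "OG":
            sd["owner" if key == "O" else "group"] = SID_ALIASES.get(body, body)
            continue
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", body):  # ACL flags (P, AI, AR) precede the ACEs
            atype, flags, rights, _obj, _inherit_obj, sid = ace.split(";")[:6]
            aces.append({"type": atype, "flags": _pairs(flags),
                         "mask": _mask(rights), "sid": SID_ALIASES.get(sid, sid)})
        sd["dacl" if key == "D" else "sacl"] = aces
    return sd

def access_check(sd, token_sids, requested):
    """Simplified DACL walk: NULL DACL grants all, empty DACL grants nothing, ACEs
    apply in order and the first overlapping deny ends the check."""
    if sd["dacl"] is None:
        return True
    token = {SID_ALIASES.get(s, s) for s in token_sids}
    granted = 0
    for ace in sd["dacl"]:
        if ace["sid"] not in token or "IO" in ace["flags"]:  # inherit-only ACEs do not apply
            continue
        if ace["type"] == "D" and ace["mask"] & requested:
            return False
        if ace["type"] == "A":
            granted |= ace["mask"]
            if granted & requested == requested:
                return True
    return False

# Constructed descriptor: Administrators own it with full access, Users may read but are denied the file write bits (0x116); P blocks inheritance.
SAMPLE_SDDL = "O:BAG:SYD:P(D;;0x116;;;BU)(A;;FA;;;BA)(A;;FR;;;BU)"
```

Running access_check with a token holding both BA and BU against SAMPLE_SDDL returns False even for an administrator, because the deny ACE for Users is matched first; that is why canonical ACE order and group membership both matter when reviewing a DACL.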
Security Considerations
Incorrectly configured security descriptors can lead to significant security vulnerabilities, such as unauthorized access or denial of service. Always test your security configurations thoroughly.