Access Control Lists (ACLs)
Access Control Lists (ACLs) are fundamental components of the Windows security model. They define the permissions granted to users and groups for specific securable objects, such as files, directories, registry keys, and processes. Each ACL is associated with an object and contains a list of Access Control Entries (ACEs).
Understanding ACLs and ACEs
An ACL is essentially a data structure that contains a list of ACEs. Each ACE specifies a security principal (like a user or group) and the type of access that principal is granted or denied to the object. There are two primary types of ACLs:
- Discretionary Access Control List (DACL): This is the ACL that actually gates access. It specifies which users and groups are allowed or denied access to an object. Two degenerate cases are easy to confuse and have opposite effects: if the security descriptor has no DACL at all (a NULL DACL), the object is unprotected and every principal gets full access; if the DACL is present but contains zero ACEs (an empty DACL), nobody gets any access. Both are unusual for objects created through the normal APIs, and a NULL DACL on a privileged object is a common misconfiguration finding.
- System Access Control List (SACL): This ACL is used for auditing. It specifies which access attempts (successful, failed, or both) on an object are to be recorded in the Security event log, and entries only produce events when the matching object-access audit policy is enabled. Reading or changing a SACL requires SeSecurityPrivilege (the ACCESS_SYSTEM_SECURITY right), so ordinary users cannot see what is being audited.
Access Control Entries (ACEs)
Each ACE within an ACL has the following key components:
- Access Mask: A bitmask specifying the types of access being granted or denied (e.g., read, write, execute, delete).
- ACE Type: Indicates whether the ACE grants access (Allow), denies access (Deny), or is system-auditing related.
- Inheritance Flags: Bits in the ACE header's AceFlags (OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE, NO_PROPAGATE_INHERIT_ACE) that determine whether and how the ACE is copied to child objects and child containers; INHERITED_ACE marks a copy that came from a parent rather than one set directly on the object.
- Trustee: Identifies the security principal (user, group, or well-known SID) to which the ACE applies.
ACL Structure in the Kernel
Internally, the Windows kernel represents ACLs with the ACL and ACE_HEADER structures shown below. The DACL and SACL are carried by the object's security descriptor, and access checks against them are performed by the kernel's Security Reference Monitor (SRM), the component behind SeAccessCheck.
When a thread opens a securable object, the SRM compares the caller's access token (user SID, group SIDs, privileges) against the object's DACL. The kernel does not sort or classify ACEs at check time: it walks them in the order they are stored and stops as soon as the outcome is decided. The rules people rely on (explicit deny beats explicit allow, explicit beats inherited) hold only because the user-mode security APIs write DACLs in canonical order: explicit deny, explicit allow, inherited deny, inherited allow. The walk is:
- If the security descriptor has no DACL (a NULL DACL), every requested right is granted. If the caller is the object's owner, READ_CONTROL and WRITE_DAC are granted implicitly before the ACEs are consulted.
- ACEs are examined in stored order. An ACE whose trustee SID is not in the token, or that carries INHERIT_ONLY_ACE, is skipped.
- A matching access-allowed ACE adds its access mask to the set of rights granted so far. Once every requested right has been granted, the check succeeds and the walk stops.
- A matching access-denied ACE whose mask covers any requested right that has not yet been granted ends the check with STATUS_ACCESS_DENIED.
- Reaching the end of the DACL with rights still outstanding is a denial. There is no fallback to the parent object: inherited ACEs were copied into this object's DACL (flagged INHERITED_ACE) when it was created or when the parent's DACL changed, so they are evaluated as ordinary entries in their stored position.
A DACL in non-canonical order, for example one assembled by hand with AddAce, can therefore let an allow ACE satisfy a request before a later deny ACE for the same caller is ever reached.
// ACL header as declared in winnt.h (8 bytes); the ACEs follow it contiguously
typedef struct _ACL {
    UCHAR  AclRevision;   // ACL_REVISION (2), or ACL_REVISION_DS (4) when object-specific ACEs are present
    UCHAR  Sbz1;          // reserved, must be zero
    USHORT AclSize;       // size in bytes of the header plus all ACEs (may include unused space at the end)
    USHORT AceCount;      // number of ACEs that follow the header
    USHORT Sbz2;          // reserved, must be zero
} ACL, *PACL;
// Every ACE begins with this header; AceSize is the distance to the next ACE
typedef struct _ACE_HEADER {
    UCHAR  AceType;       // ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE, ...
    UCHAR  AceFlags;      // inheritance flags (OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, ...); for audit ACEs also SUCCESSFUL_ACCESS_ACE_FLAG / FAILED_ACCESS_ACE_FLAG
    USHORT AceSize;       // total size of this ACE in bytes, including the variable-length SID
} ACE_HEADER, *PACE_HEADER;
// Access-allowed ACE; ACCESS_DENIED_ACE has the identical layout and differs only in AceType
typedef struct _ACCESS_ALLOWED_ACE {
    ACE_HEADER  Header;
    ACCESS_MASK Mask;     // rights granted (or, for ACCESS_DENIED_ACE, denied)
    ULONG       SidStart; // first DWORD of the trustee SID, which continues inline from here; it is not an offset
} ACCESS_ALLOWED_ACE, *PACCESS_ALLOWED_ACE;
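The structures and the in-order walk described above, worked through as an added example (this is not code from the original page, nor Microsoft's implementation): it lays out a DACL using the winnt.h layouts, bounds-checks it the way anything parsing an untrusted ACL must, and runs the access check against constructed tokens so that the effect of ACE order is visible. The rights RIGHT_READ/WRITE/DELETE, the account SIDs for alice and bob, and the helper names (make_sid, acl_add, acl_validate, check_access, build_sample) are assumptions for this example; only S-1-5-32-545 (Users) and S-1-1-0 (Everyone) are real well-known SIDs. It builds with any C11 compiler and does not need windows.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-width stand-ins for the Windows types so this builds without windows.h */
typedef uint8_t UCHAR; typedef uint16_t USHORT; typedef uint32_t ULONG, ACCESS_MASK;
enum { ACL_REVISION = 2, ACCESS_ALLOWED_ACE_TYPE = 0, ACCESS_DENIED_ACE_TYPE = 1, INHERIT_ONLY_ACE = 0x08 };
enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_DELETE = 4 };  /* constructed rights; real file rights are wider masks */

/* Layouts as declared in winnt.h; ACEs are packed back to back after the ACL header */
typedef struct { UCHAR AclRevision; UCHAR Sbz1; USHORT AclSize; USHORT AceCount; USHORT Sbz2; } ACL;
typedef struct { UCHAR AceType; UCHAR AceFlags; USHORT AceSize; } ACE_HEADER;
typedef struct { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; } ACCESS_ALLOWED_ACE; /* DENIED: same layout */
typedef struct { UCHAR Revision; UCHAR SubAuthorityCount; UCHAR IdentifierAuthority[6]; ULONG SubAuthority[1]; } SID;
#define SID_BYTES(nsub) (8u + 4u * (size_t)(nsub))

/* Builds S-1-<auth>-<subs...> into buf (4-byte aligned); the 48-bit authority is big-endian */
static SID *make_sid(UCHAR *buf, UCHAR auth, int nsub, const ULONG *subs) {
    SID *s = (SID *)buf;
    s->Revision = 1; s->SubAuthorityCount = (UCHAR)nsub;
    memset(s->IdentifierAuthority, 0, 6); s->IdentifierAuthority[5] = auth;
    memcpy(s->SubAuthority, subs, 4u * (size_t)nsub);
    return s;
}
static int sid_equal(const SID *a, const SID *b) {
    size_t n = SID_BYTES(a->SubAuthorityCount); return n == SID_BYTES(b->SubAuthorityCount) && memcmp(a, b, n) == 0;
}
static void acl_init(ACL *acl) { memset(acl, 0, sizeof *acl); acl->AclRevision = ACL_REVISION; acl->AclSize = sizeof *acl; }

/* Appends an ALLOW/DENY ACE; the SID is copied inline beginning at SidStart (it is not an offset) */
static int acl_add(ACL *acl, size_t cap, UCHAR type, UCHAR flags, ACCESS_MASK mask, const SID *sid) {
    size_t len = offsetof(ACCESS_ALLOWED_ACE, SidStart) + SID_BYTES(sid->SubAuthorityCount);
    if (acl->AclSize + len > cap) return 0;
    ACCESS_ALLOWED_ACE *ace = (ACCESS_ALLOWED_ACE *)((UCHAR *)acl + acl->AclSize);
    ace->Header.AceType = type; ace->Header.AceFlags = flags; ace->Header.AceSize = (USHORT)len; ace->Mask = mask;
    memcpy(&ace->SidStart, sid, SID_BYTES(sid->SubAuthorityCount));
    acl->AclSize = (USHORT)(acl->AclSize + len); acl->AceCount++;
    return 1;
}

/* Bounds-checks every ACE and its SID against AclSize and the buffer before any field is trusted */
static int acl_validate(const ACL *acl, size_t buflen) {
    if (buflen < sizeof *acl || acl->AclSize < sizeof *acl || acl->AclSize > buflen) return 0;
    size_t off = sizeof *acl;
    for (USHORT i = 0; i < acl->AceCount; i++) {
        if (off + sizeof(ACE_HEADER) > acl->AclSize) return 0;
        const ACCESS_ALLOWED_ACE *ace = (const ACCESS_ALLOWED_ACE *)((const UCHAR *)acl + off);
        if (ace->Header.AceSize < sizeof *ace || off + ace->Header.AceSize > acl->AclSize) return 0;
        if (offsetof(ACCESS_ALLOWED_ACE, SidStart) + SID_BYTES(((const SID *)&ace->SidStart)->SubAuthorityCount) > ace->Header.AceSize) return 0;
        off += ace->Header.AceSize;
    }
    return 1;  /* unused space after the last ACE is legal */
}

/* The DACL walk. NULL DACL: everything is granted. Empty DACL: nothing is. Otherwise ACEs are taken
   strictly in stored order: an allow ACE for a SID in the token adds its bits to the granted set; a deny
   ACE for a SID in the token that covers a still-outstanding bit ends the walk with a denial; so does
   reaching the end of the ACL with bits outstanding. Inherit-only ACEs are skipped. */
static int check_access(const ACL *dacl, const SID *const *token, int ntoken, ACCESS_MASK desired) {
    if (dacl == NULL) return 1;
    ACCESS_MASK remaining = desired;
    const UCHAR *p = (const UCHAR *)dacl + sizeof *dacl;
    for (USHORT i = 0; i < dacl->AceCount && remaining != 0; i++) {
        const ACCESS_ALLOWED_ACE *ace = (const ACCESS_ALLOWED_ACE *)p;
        p += ace->Header.AceSize;
        if (ace->Header.AceFlags & INHERIT_ONLY_ACE) continue;
        int match = 0;
        for (int t = 0; t < ntoken && !match; t++) match = sid_equal((const SID *)&ace->SidStart, token[t]);
        if (!match) continue;
        if (ace->Header.AceType == ACCESS_DENIED_ACE_TYPE) { if (ace->Mask & remaining) return 0; }
        else if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) remaining &= ~ace->Mask;
    }
    return remaining == 0;
}

/* Constructed scenario. alice's token: alice, Users (S-1-5-32-545), Everyone (S-1-1-0); bob's: bob, Everyone.
   g_canon = DENY Users WRITE, ALLOW alice R|W|D, ALLOW Everyone READ; g_noncanon = the alice allow, then the deny. */
static _Alignas(4) UCHAR g_mem[3][128], g_sid[4][32];
static ACL *g_canon, *g_noncanon, *g_empty;
static const SID *g_alice_tok[3], *g_bob_tok[2];
static void build_sample(void) {
    const ULONG a[] = {21, 1000, 500, 1001}, b[] = {21, 1000, 500, 1002}, u[] = {32, 545}, w[] = {0};
    g_alice_tok[0] = make_sid(g_sid[0], 5, 4, a); g_alice_tok[1] = make_sid(g_sid[1], 5, 2, u);
    g_alice_tok[2] = make_sid(g_sid[2], 1, 1, w); g_bob_tok[0] = make_sid(g_sid[3], 5, 4, b); g_bob_tok[1] = g_alice_tok[2];
    g_canon = (ACL *)g_mem[0]; g_noncanon = (ACL *)g_mem[1]; g_empty = (ACL *)g_mem[2];
    acl_init(g_canon); acl_init(g_noncanon); acl_init(g_empty);
    acl_add(g_canon, 128, ACCESS_DENIED_ACE_TYPE, 0, RIGHT_WRITE, g_alice_tok[1]);
    acl_add(g_canon, 128, ACCESS_ALLOWED_ACE_TYPE, 0, RIGHT_READ | RIGHT_WRITE | RIGHT_DELETE, g_alice_tok[0]);
    acl_add(g_canon, 128, ACCESS_ALLOWED_ACE_TYPE, 0, RIGHT_READ, g_alice_tok[2]);
    acl_add(g_noncanon, 128, ACCESS_ALLOWED_ACE_TYPE, 0, RIGHT_READ | RIGHT_WRITE | RIGHT_DELETE, g_alice_tok[0]);
    acl_add(g_noncanon, 128, ACCESS_DENIED_ACE_TYPE, 0, RIGHT_WRITE, g_alice_tok[1]);
}

int main(void) {
    build_sample();
    printf("alice WRITE canonical: %d  non-canonical: %d | bob READ: %d  bob WRITE: %d | valid: %d\n",
           check_access(g_canon, g_alice_tok, 3, RIGHT_WRITE), check_access(g_noncanon, g_alice_tok, 3, RIGHT_WRITE),
           check_access(g_canon, g_bob_tok, 2, RIGHT_READ), check_access(g_canon, g_bob_tok, 2, RIGHT_WRITE), acl_validate(g_canon, 128));
    return 0;
}
```

Two outcomes are the ones worth remembering. With the deny ACE first (canonical order) alice's write is refused, because the Users deny ACE is reached while WRITE is still outstanding; with the same two ACEs and the deny placed last, her explicit allow satisfies the request and the deny is never examined. acl_validate is the kind of check RtlValidAcl performs: every consumer of ACLs that arrive from disk, the registry or the network must verify AceSize and the inline SID length against AclSize before walking the entries.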
Object Security Descriptors
ACLs are part of a larger security construct called the Security Descriptor. A security descriptor for an object contains:
- The object's owner SID.
- The primary group SID.
- A pointer to the DACL (in the self-relative form used on disk and over the wire, an offset instead of a pointer). If SE_DACL_PRESENT is clear, or it is set and the pointer is NULL, the object has a NULL DACL and is unprotected.
- A pointer to the SACL, in the same form.
- Control flags (SECURITY_DESCRIPTOR_CONTROL) that record whether each ACL is present or was defaulted, whether the descriptor is self-relative, whether inheritance from the parent is blocked (SE_DACL_PROTECTED, SE_SACL_PROTECTED), and whether automatic inheritance has been applied (SE_DACL_AUTO_INHERITED, SE_SACL_AUTO_INHERITED).
In user mode these are manipulated through the Win32 security API: GetSecurityInfo and SetSecurityInfo to read and write an object's descriptor, SetEntriesInAcl to merge EXPLICIT_ACCESS entries into a new ACL, and direct structure manipulation through PSECURITY_DESCRIPTOR, PACL, and PACCESS_ALLOWED_ACE (with helpers such as InitializeAcl, AddAce, and GetAce).
Key Concepts and Best Practices
- Least Privilege: Always grant the minimum necessary permissions required for a user or process to perform its task.
- Inheritance: Properly configure ACE inheritance to ensure consistent security policies across directory structures.
- Auditing: Utilize SACLs to monitor access patterns and detect potential security breaches.
- Well-Known SIDs: Be careful with built-in SIDs such as Everyone, Authenticated Users, and SYSTEM. An allow ACE for Everyone or Authenticated Users grants the right to every account on the machine, and write access granted that way on service binaries, their directories, or registry keys is a classic local privilege-escalation finding.
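To make the inheritance item above (and the Inheritance Flags component of an ACE) concrete, here is an added example that is not code from the original page: it derives the AceFlags a child file or directory receives from each parent ACE, and propagates a constructed parent DACL two levels down so the effect of each flag is visible. The SimpleAce type, the trustee names, the mask values and the helper names are assumptions for this example; the flag values and the rules applied are the ones documented for ACE inheritance.

```c
#include <stdint.h>
#include <stdio.h>

/* AceFlags inheritance bits as defined in winnt.h */
enum { OBJECT_INHERIT_ACE = 0x01, CONTAINER_INHERIT_ACE = 0x02, NO_PROPAGATE_INHERIT_ACE = 0x04,
       INHERIT_ONLY_ACE = 0x08, INHERITED_ACE = 0x10 };

/* Computes the AceFlags a child receives from a parent ACE carrying parent_flags. Returns 1 and
   sets *child_flags if the child gets a copy, 0 if it gets none. Documented rules:
   - a non-container child (a file) copies only OI ACEs and, having nothing beneath it,
     drops every inheritance bit from the copy;
   - a container child (a directory) copies CI ACEs as effective ACEs (IO cleared), and copies
     OI-only ACEs as inherit-only, so they reach its files without applying to the directory;
     with NP set such an OI-only ACE could never reach anything, so it is not copied at all;
   - NP strips OI/CI from the copy, so propagation stops at this child;
   - every copy is flagged INHERITED_ACE. */
static int derive_inherited_flags(uint8_t parent_flags, int child_is_container, uint8_t *child_flags) {
    uint8_t oi = parent_flags & OBJECT_INHERIT_ACE, ci = parent_flags & CONTAINER_INHERIT_ACE;
    uint8_t np = parent_flags & NO_PROPAGATE_INHERIT_ACE;
    uint8_t out = parent_flags & (uint8_t)~(OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE |
                                            NO_PROPAGATE_INHERIT_ACE | INHERIT_ONLY_ACE);
    if (!child_is_container) { if (!oi) return 0; }
    else if (ci)              { if (!np) out |= oi | ci; }
    else if (oi)              { if (np) return 0; out |= OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE; }
    else return 0;
    *child_flags = out | INHERITED_ACE;
    return 1;
}

/* Convenience wrapper: the child's flags, or -1 when nothing is inherited */
static int child_flags(uint8_t parent_flags, int child_is_container) {
    uint8_t f;
    return derive_inherited_flags(parent_flags, child_is_container, &f) ? f : -1;
}

/* Simplified ACE for the example: type, flags, mask and a trustee name instead of a SID */
typedef struct { uint8_t type; uint8_t flags; uint32_t mask; const char *trustee; } SimpleAce;

/* Copies the inheritable ACEs of parent[] into child[], preserving their relative order.
   Windows places inherited ACEs after the child's own explicit ACEs, so a caller building a
   complete child DACL appends these after the explicit ones. Returns the number written. */
static int propagate(const SimpleAce *parent, int n, int child_is_container, SimpleAce *child, int cap) {
    int count = 0;
    for (int i = 0; i < n && count < cap; i++) {
        uint8_t f;
        if (!derive_inherited_flags(parent[i].flags, child_is_container, &f)) continue;
        child[count] = parent[i]; child[count].flags = f; count++;
    }
    return count;
}

/* An ACE applies to the object it sits on unless it is inherit-only */
static int ace_is_effective(const SimpleAce *a) { return !(a->flags & INHERIT_ONLY_ACE); }

/* Constructed explicit DACL of a parent directory (type 0 = allow, 1 = deny) */
static const SimpleAce g_parent[] = {
    { 0, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, 0x1, "Users" },            /* this folder, subfolders and files */
    { 1, OBJECT_INHERIT_ACE, 0x2, "Everyone" },                                 /* files only: deny write */
    { 0, CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE, 0xFFFF, "Admins" },  /* subfolders, one level only */
    { 0, 0, 0x1, "Backup" },                                                     /* this folder only */
    { 0, INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE, 0x1, "Auditors" },           /* subfolders only, not this folder */
};
#define PARENT_N ((int)(sizeof g_parent / sizeof g_parent[0]))

/* Number of ACEs a direct child of g_parent inherits */
static int inherited_count(int child_is_container) {
    SimpleAce tmp[8];
    return propagate(g_parent, PARENT_N, child_is_container, tmp, 8);
}
/* A file two levels down: parent -> child directory -> file inside that directory */
static int grandchild_file_count(void) {
    SimpleAce dir[8], file[8];
    int nd = propagate(g_parent, PARENT_N, 1, dir, 8);
    return propagate(dir, nd, 0, file, 8);
}

int main(void) {
    SimpleAce dir[8];
    int nd = propagate(g_parent, PARENT_N, 1, dir, 8);
    printf("child file: %d inherited ACEs, child dir: %d, file inside child dir: %d\n",
           inherited_count(0), nd, grandchild_file_count());
    for (int i = 0; i < nd; i++)
        printf("  dir <- %-8s flags=0x%02x effective=%d\n", dir[i].trustee, dir[i].flags, ace_is_effective(&dir[i]));
    return 0;
}
```

The two cases that trip people up are the OI-only deny for Everyone, which a subdirectory carries as an inherit-only ACE (it does not restrict the directory itself but still lands on every file below it), and the CI|NP Admins ACE, which the subdirectory receives as an effective entry that propagates no further. When reviewing a tree, an ACE flagged INHERITED_ACE that has no matching inheritable ACE on any ancestor indicates the tree was edited by hand or that SE_DACL_PROTECTED was set on an intermediate directory.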
Understanding and effectively managing ACLs is crucial for maintaining a secure and robust Windows environment. The kernel's role is to enforce these permissions rigorously and efficiently.