Security Descriptors
A security descriptor is the data structure that holds an object's security information: who owns it, who may access it and how, and which accesses are audited. In the Windows operating system every securable object, such as a process, thread, file, directory, registry key, named pipe, service, or Active Directory object, carries one, and the kernel consults it on every handle open and access check.
Structure of a Security Descriptor
A security descriptor can contain the following components:
- Owner Security Identifier (SID): Identifies the owner of the object. The owner is implicitly granted READ_CONTROL and WRITE_DAC on the object regardless of what the DACL says, so the owner can always read and rewrite the object's permissions.
- Group Security Identifier (SID): Identifies the primary group associated with the object. Windows itself rarely consults it; it exists mainly for POSIX-style subsystems and backward compatibility.
- Discretionary Access Control List (DACL): A list of Access Control Entries (ACEs) that specify which users or groups have which types of access to the object. A NULL DACL (the descriptor carries no DACL at all) places no restrictions on the object: every principal gets full access. This is different from an empty DACL, which is present but contains zero ACEs and therefore grants nothing to anyone beyond the owner's implicit rights.
- System Access Control List (SACL): A list of ACEs that specify the auditing policy for the object. When the object is accessed, the system compares the access against the SACL's audit ACEs and generates audit events where configured.
In the Windows API the structure is represented by SECURITY_DESCRIPTOR, declared in winnt.h.
```c
typedef struct _SECURITY_DESCRIPTOR {
    BYTE                        Revision;   /* always SECURITY_DESCRIPTOR_REVISION (1) */
    BYTE                        Sbz1;       /* "should be zero"; carries resource-manager bits when SE_RM_CONTROL_VALID is set */
    SECURITY_DESCRIPTOR_CONTROL Control;    /* 16-bit flag word, see "Security Descriptor Control Bits" below */
    PSID                        Owner;
    PSID                        Group;
    PACL                        Sacl;
    PACL                        Dacl;
} SECURITY_DESCRIPTOR, *PISECURITY_DESCRIPTOR;
```
This is the absolute form, in which the last four members are pointers. The self-relative form (SECURITY_DESCRIPTOR_RELATIVE, flagged by SE_SELF_RELATIVE in Control) replaces the four pointers with 32-bit offsets from the start of the descriptor, so the descriptor, its SIDs and its ACLs form one contiguous block that can be stored in a file, a registry value, or an Active Directory attribute and handed between processes. Most security APIs return the self-relative form, and PSECURITY_DESCRIPTOR is typed as PVOID precisely because it may point at either form.
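The following is an added example, not code from the original page or from Microsoft: a portable parser for the self-relative layout described above, the byte form you get back from GetKernelObjectSecurity or GetSecurityInfo and the form stored in Active Directory's nTSecurityDescriptor attribute. It reads the header, the owner SID and the DACL's ACEs, and refuses truncated or inconsistent input, which matters when the bytes come from a network directory or a captured file rather than the local kernel. The byte blob SAMPLE_SD is constructed for this example (owner BUILTIN\Administrators, a deny-DELETE ACE for Everyone, and a full-access ACE for Administrators); the group and SACL are left absent and only the simple ACE types with a mask-then-SID layout are handled.

```c
/* Added example: parse a self-relative SECURITY_DESCRIPTOR without Windows headers. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SE_DACL_PRESENT   0x0004
#define SE_SELF_RELATIVE  0x8000
#define ACCESS_ALLOWED_ACE_TYPE 0
#define ACCESS_DENIED_ACE_TYPE  1
#define MAX_ACES 16

struct ace_view { uint8_t type, flags; uint32_t mask; char sid[64]; };
struct sd_view  { uint16_t control; char owner[64]; int dacl_present;
                  int ace_count; struct ace_view aces[MAX_ACES]; };

/* All multi-byte fields in the descriptor are little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Render a binary SID as S-1-<authority>-<sub>...; returns bytes consumed, 0 on error. */
static size_t sid_to_string(const uint8_t *p, size_t avail, char *out, size_t outlen)
{
    if (avail < 8 || p[0] != 1 || p[1] > 15) return 0;     /* revision 1, at most 15 sub-authorities */
    size_t need = 8 + 4 * (size_t)p[1];
    if (avail < need) return 0;
    uint64_t auth = 0;                                       /* 48-bit big-endian IdentifierAuthority */
    for (int i = 2; i < 8; i++) auth = auth << 8 | p[i];
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (int i = 0; i < p[1]; i++) {
        if (n < 0 || (size_t)n >= outlen) return 0;
        n += snprintf(out + n, outlen - (size_t)n, "-%u", (unsigned)rd32(p + 8 + 4 * i));
    }
    return need;
}

/* Returns 0 on success, -1 if the blob is malformed or truncated. */
static int parse_sd(const uint8_t *blob, size_t len, struct sd_view *v)
{
    memset(v, 0, sizeof *v);
    if (len < 20 || blob[0] != 1) return -1;                 /* 20-byte header, Revision must be 1 */
    v->control = rd16(blob + 2);
    if (!(v->control & SE_SELF_RELATIVE)) return -1;         /* absolute form holds pointers, not offsets */
    size_t off_owner = rd32(blob + 4), off_dacl = rd32(blob + 16);
    if (off_owner && (off_owner >= len ||
        !sid_to_string(blob + off_owner, len - off_owner, v->owner, sizeof v->owner))) return -1;
    v->dacl_present = (v->control & SE_DACL_PRESENT) != 0;
    if (!v->dacl_present || off_dacl == 0) return 0;         /* no DACL / NULL DACL: nothing to walk */
    if (off_dacl + 8 > len) return -1;                       /* ACL header: Rev, Sbz1, AclSize, AceCount, Sbz2 */
    size_t acl_size = rd16(blob + off_dacl + 2);
    int count = rd16(blob + off_dacl + 4);
    if (acl_size < 8 || off_dacl + acl_size > len || count > MAX_ACES) return -1;
    size_t pos = off_dacl + 8, end = off_dacl + acl_size;
    for (int i = 0; i < count; i++) {
        if (pos + 8 > end) return -1;                         /* ACE header (4) + mask (4) before the SID */
        size_t ace_size = rd16(blob + pos + 2);
        if (ace_size < 8 || pos + ace_size > end) return -1;  /* sizes are attacker-controlled: check each one */
        struct ace_view *a = &v->aces[i];
        a->type = blob[pos]; a->flags = blob[pos + 1]; a->mask = rd32(blob + pos + 4);
        if (a->type > 3) return -1;                           /* object/callback ACEs have a different layout */
        if (!sid_to_string(blob + pos + 8, ace_size - 8, a->sid, sizeof a->sid)) return -1;
        pos += ace_size;
    }
    v->ace_count = count;
    return 0;
}

/* Constructed sample descriptor (not from a real object): 88 bytes. */
static const uint8_t SAMPLE_SD[] = {
    0x01, 0x00,               /* Revision 1, Sbz1 */
    0x04, 0x80,               /* Control = SE_DACL_PRESENT | SE_SELF_RELATIVE */
    0x14, 0x00, 0x00, 0x00,   /* OffsetOwner = 20 */
    0x00, 0x00, 0x00, 0x00,   /* OffsetGroup = 0 (absent) */
    0x00, 0x00, 0x00, 0x00,   /* OffsetSacl  = 0 (absent) */
    0x24, 0x00, 0x00, 0x00,   /* OffsetDacl  = 36 */
    /* Owner SID S-1-5-32-544 (BUILTIN\Administrators) */
    0x01, 0x02, 0x00,0x00,0x00,0x00,0x00,0x05, 0x20,0x00,0x00,0x00, 0x20,0x02,0x00,0x00,
    /* ACL header: revision 2, AclSize 52, AceCount 2 */
    0x02, 0x00, 0x34, 0x00, 0x02, 0x00, 0x00, 0x00,
    /* ACE 1: ACCESS_DENIED, size 20, mask DELETE (0x00010000), SID S-1-1-0 (Everyone) */
    0x01, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00,
    0x01, 0x01, 0x00,0x00,0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    /* ACE 2: ACCESS_ALLOWED, size 24, mask FILE_ALL_ACCESS (0x001F01FF), SID S-1-5-32-544 */
    0x00, 0x00, 0x18, 0x00, 0xFF, 0x01, 0x1F, 0x00,
    0x01, 0x02, 0x00,0x00,0x00,0x00,0x00,0x05, 0x20,0x00,0x00,0x00, 0x20,0x02,0x00,0x00,
};

int main(void)
{
    struct sd_view v;
    if (parse_sd(SAMPLE_SD, sizeof SAMPLE_SD, &v) != 0) { puts("malformed descriptor"); return 1; }
    printf("control=0x%04x owner=%s dacl_present=%d\n", v.control, v.owner, v.dacl_present);
    for (int i = 0; i < v.ace_count; i++)
        printf("  ACE %d: %s mask=0x%08x sid=%s\n", i,
               v.aces[i].type == ACCESS_DENIED_ACE_TYPE ? "DENY " : "ALLOW", v.aces[i].mask, v.aces[i].sid);
    return 0;
}
```

Every size and offset comes from the blob itself, so the parser checks each one against the buffer length before dereferencing; a descriptor read from an untrusted source with a bogus AclSize or AceSize is rejected instead of read past its end.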
Security Identifier (SID)
A SID is a unique, variable-length structure that identifies a security principal (a user, group, or computer account) or a security authority. It is the fundamental way Windows identifies security subjects; names such as DOMAIN\user are only looked up to and from SIDs. In binary form a SID is a revision byte, a sub-authority count, a 48-bit big-endian identifier authority, and up to 15 32-bit sub-authorities; in text form it is written S-1-<authority>-<sub-authority>-..., for example S-1-5-32-544 for BUILTIN\Administrators.
Access Control Lists (ACLs)
An ACL is a collection of ACEs. There are two types of ACLs:
- DACL: Controls discretionary access to an object.
- SACL: Controls auditing of access attempts to an object.
Access Control Entries (ACEs)
Each ACE contains a SID, an access mask, and a type that says whether the entry grants, denies, or audits the rights in that mask. The access check walks the DACL from the first ACE to the last, considering only ACEs whose SID appears in the caller's token. A deny ACE that covers any right not yet granted stops the check with access denied; allow ACEs accumulate granted rights, and the check succeeds as soon as every requested right has been granted. Because evaluation is order-dependent, Windows expects ACLs in canonical order: explicit deny ACEs, then explicit allow ACEs, then inherited ACEs in the same pattern. An ACL that is not in canonical order, for example one built with raw APIs that append an allow ACE before a deny ACE for the same principal, can grant access the deny ACE was meant to block.
Note: The DACL is the primary mechanism for controlling access to an object. If the descriptor has no DACL (SE_DACL_PRESENT clear) or a NULL DACL (SE_DACL_PRESENT set but Dacl NULL), the object is unprotected and any caller gets full access. Windows itself ships very few objects this way, so a NULL DACL on a service, named pipe, or shared section is a classic privilege-escalation finding worth hunting for. An empty DACL (present, zero ACEs) is the opposite case: it denies everyone, leaving only the owner's implicit READ_CONTROL and WRITE_DAC.
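To make the evaluation order concrete, here is an added example (not from the page, and not the kernel's SeAccessCheck) that implements the DACL walk described above over a small in-memory ACE model. SIDs are strings for readability; real code compares binary SIDs with EqualSid. The DACLs, the token and the rights masks are constructed for this example. It shows the four cases that catch people out: a NULL DACL grants everything, an empty DACL grants nothing, a canonical DACL enforces its deny ACE, and the same two ACEs in the wrong order let the denied right through.

```c
/* Added example: DACL evaluation in the order Windows uses. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { ACE_ALLOW = 0, ACE_DENY = 1 };   /* ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE */

struct ace   { int type; uint32_t mask; const char *sid; };
struct dacl  { int present; int count; const struct ace *aces; };  /* present==0 models a NULL DACL */
struct token { int nsids; const char *const *sids; };              /* SIDs the caller's token contains */

static int token_has(const struct token *t, const char *sid)
{
    for (int i = 0; i < t->nsids; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* Returns 1 if every bit of `desired` is granted, 0 otherwise.  Walks the ACEs
 * in order, skips ACEs whose SID is not in the token, stops on the first deny
 * that covers a still-wanted right, and succeeds once nothing remains wanted.
 * The owner's implicit READ_CONTROL/WRITE_DAC is deliberately not modelled. */
static int access_check(const struct dacl *d, const struct token *t, uint32_t desired)
{
    if (!d->present) return 1;                        /* NULL DACL: unrestricted */
    uint32_t remaining = desired;
    for (int i = 0; i < d->count && remaining != 0; i++) {
        const struct ace *a = &d->aces[i];
        if (!token_has(t, a->sid)) continue;
        if (a->type == ACE_DENY && (a->mask & remaining)) return 0;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;                            /* empty DACL or no matching allow: denied */
}

/* Constructed sample data for the example, not taken from any real object. */
#define DELETE_RIGHT       0x00010000u
#define READ_CONTROL_RIGHT 0x00020000u
#define FILE_GENERIC_READ  0x00120089u
#define FILE_ALL_ACCESS    0x001F01FFu
#define EVERYONE "S-1-1-0"
#define USERS    "S-1-5-32-545"

static const struct ace CANONICAL[] = {              /* deny first, then allow */
    { ACE_DENY,  DELETE_RIGHT,    EVERYONE },
    { ACE_ALLOW, FILE_ALL_ACCESS, USERS    },
};
static const struct ace NON_CANONICAL[] = {          /* same ACEs, allow before deny */
    { ACE_ALLOW, FILE_ALL_ACCESS, USERS    },
    { ACE_DENY,  DELETE_RIGHT,    EVERYONE },
};
static const struct dacl NULL_DACL  = { 0, 0, NULL };
static const struct dacl EMPTY_DACL = { 1, 0, NULL };
static const struct dacl CANON_DACL = { 1, 2, CANONICAL };
static const struct dacl BAD_DACL   = { 1, 2, NON_CANONICAL };

/* A hypothetical domain user who is a member of Everyone and BUILTIN\Users */
static const char *const USER_SIDS[] = { "S-1-5-21-1-2-3-1001", EVERYONE, USERS };
static const struct token USER = { 3, USER_SIDS };
/* A caller whose token carries only Everyone (for example a guest) */
static const char *const GUEST_SIDS[] = { "S-1-5-21-1-2-3-501", EVERYONE };
static const struct token GUEST = { 2, GUEST_SIDS };

int main(void)
{
    printf("NULL DACL,  full access : %d\n", access_check(&NULL_DACL,  &USER,  FILE_ALL_ACCESS));
    printf("empty DACL, read control: %d\n", access_check(&EMPTY_DACL, &USER,  READ_CONTROL_RIGHT));
    printf("canonical,  read        : %d\n", access_check(&CANON_DACL, &USER,  FILE_GENERIC_READ));
    printf("canonical,  delete      : %d\n", access_check(&CANON_DACL, &USER,  DELETE_RIGHT));
    printf("non-canon,  delete      : %d\n", access_check(&BAD_DACL,   &USER,  DELETE_RIGHT));
    printf("canonical,  guest read  : %d\n", access_check(&CANON_DACL, &GUEST, FILE_GENERIC_READ));
    return 0;
}
```

The non-canonical case is the one to remember: the allow ACE for Users satisfies DELETE before the walk ever reaches the deny ACE for Everyone, so the deny is dead code. This is why tools that write ACLs by hand must keep deny entries first, and why a security review of an ACL has to look at order, not just membership.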
Security Descriptor Control Bits
The Control member of the SECURITY_DESCRIPTOR structure is a 16-bit flag word (SECURITY_DESCRIPTOR_CONTROL). Its bits record whether the DACL and SACL are present (SE_DACL_PRESENT, SE_SACL_PRESENT), whether a component was supplied by a default mechanism rather than set explicitly (SE_OWNER_DEFAULTED, SE_GROUP_DEFAULTED, SE_DACL_DEFAULTED, SE_SACL_DEFAULTED), whether inheritance from the parent is blocked (SE_DACL_PROTECTED, SE_SACL_PROTECTED) or has been applied (SE_DACL_AUTO_INHERITED, SE_SACL_AUTO_INHERITED), and whether the descriptor is in self-relative rather than absolute form (SE_SELF_RELATIVE). These flags must be consulted before interpreting the rest of the descriptor: the Dacl member is ignored when SE_DACL_PRESENT is clear, and a NULL Dacl with SE_DACL_PRESENT set is the unrestricted NULL-DACL case rather than a missing field.
Creating and Modifying Security Descriptors
Developers create and modify security descriptors through Windows API functions such as InitializeSecurityDescriptor (sets up an empty absolute descriptor), SetSecurityDescriptorOwner and SetSecurityDescriptorGroup, InitializeAcl followed by AddAccessAllowedAce and AddAccessDeniedAce (build the DACL), SetSecurityDescriptorDacl (attach it), and finally an object-specific setter: SetKernelObjectSecurity for kernel objects such as processes, events and named pipes, SetFileSecurity for files, RegSetKeySecurity for registry keys, or SetNamedSecurityInfo for either by name. ConvertStringSecurityDescriptorToSecurityDescriptor offers a shorter path by building the whole descriptor from an SDDL string. Note that AddAccessAllowedAce and AddAccessDeniedAce append to the end of the ACL, so the order of the calls becomes the order of the ACEs; add deny ACEs before allow ACEs to keep the ACL canonical, or build it with SetEntriesInAcl, which places the entries in canonical order for you.
Warning: Improperly configured security descriptors can lead to severe security vulnerabilities, allowing unauthorized access or preventing legitimate access. Always adhere to best practices and thoroughly test security configurations.
Inheritance
ACEs in a security descriptor can be inherited by child objects from their parent objects, which simplifies security management for hierarchical structures such as file systems, the registry, and Active Directory. Inheritance is governed by flags on each ACE: OBJECT_INHERIT_ACE (applies to non-container children such as files), CONTAINER_INHERIT_ACE (applies to container children such as directories), INHERIT_ONLY_ACE (does not apply to the object it sits on, only to its descendants), and NO_PROPAGATE_INHERIT_ACE (children inherit the ACE but do not pass it on further). Every inherited copy is marked INHERITED_ACE, and a child can opt out of inheritance entirely by setting SE_DACL_PROTECTED or SE_SACL_PROTECTED in its control bits. Because canonical order places inherited ACEs after explicit ones, an explicit allow ACE on a child is evaluated before an inherited deny ACE, so a deny set on a parent folder can be overridden lower in the tree.
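The following is an added example, not code from the page or from Windows, that computes the ACEs a child object inherits from a parent DACL according to the inheritance flags just described. It is a hypothetical in-memory model: on a real system the kernel and SetNamedSecurityInfo do this work. The parent DACL and the rights masks are constructed for the example; one parent ACE is inheritable by all descendants, one reaches files only, one reaches direct subdirectories only, and one is an explicit deny that is not inheritable at all.

```c
/* Added example: apply Windows ACE inheritance rules to compute a child's inherited DACL. */
#include <stdint.h>
#include <stdio.h>

#define OBJECT_INHERIT_ACE        0x01
#define CONTAINER_INHERIT_ACE     0x02
#define NO_PROPAGATE_INHERIT_ACE  0x04
#define INHERIT_ONLY_ACE          0x08
#define INHERITED_ACE             0x10
#define SE_DACL_PROTECTED         0x1000

struct iace { uint8_t type, flags; uint32_t mask; const char *sid; };

/* Writes the ACEs `child` inherits from `parent` into out[] and returns how many.
 * child_control is the child's Control word; child_is_container selects the
 * directory (1) or file (0) rules. Explicit ACEs of the child are not modelled. */
static int inherit_dacl(const struct iace *parent, int n, int child_is_container,
                        uint16_t child_control, struct iace *out, int max_out)
{
    if (child_control & SE_DACL_PROTECTED) return 0;      /* child blocks inheritance entirely */
    int k = 0;
    for (int i = 0; i < n && k < max_out; i++) {
        const struct iace *a = &parent[i];
        uint8_t inh = a->flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
        if (!inh) continue;                                /* explicit-only ACE: never inherited */
        struct iace c = *a;
        c.flags = INHERITED_ACE;                            /* every inherited copy is marked; INHERIT_ONLY is cleared */
        if (!child_is_container) {
            if (!(inh & OBJECT_INHERIT_ACE)) continue;     /* CONTAINER_INHERIT alone never reaches a file */
            /* effective on the leaf; nothing further to propagate */
        } else if (inh & CONTAINER_INHERIT_ACE) {
            /* effective on the subdirectory and, unless NO_PROPAGATE, still inheritable below it */
            if (!(a->flags & NO_PROPAGATE_INHERIT_ACE)) c.flags |= inh;
        } else {
            /* OBJECT_INHERIT only: the directory carries it for its files without being subject to it */
            if (a->flags & NO_PROPAGATE_INHERIT_ACE) continue;
            c.flags |= INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE;
        }
        out[k++] = c;
    }
    return k;
}

/* Constructed parent DACL (types: 0 = allow, 1 = deny); masks are illustrative. */
static const struct iace PARENT[] = {
    { 0, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE,      0x001F01FF, "S-1-5-32-544" }, /* Administrators: full control everywhere below */
    { 0, OBJECT_INHERIT_ACE,                               0x00120089, "S-1-5-32-545" }, /* Users: read, files only */
    { 0, CONTAINER_INHERIT_ACE | NO_PROPAGATE_INHERIT_ACE, 0x00100004, "S-1-5-32-545" }, /* Users: direct subdirectories only */
    { 1, 0,                                                0x00010000, "S-1-1-0"      }, /* deny DELETE on this object only */
};
#define PARENT_COUNT ((int)(sizeof PARENT / sizeof PARENT[0]))

static void dump(const char *label, const struct iace *v, int n)
{
    printf("%s: %d inherited ACE(s)\n", label, n);
    for (int i = 0; i < n; i++)
        printf("  %s mask=0x%08x flags=0x%02x sid=%s%s\n", v[i].type ? "DENY " : "ALLOW",
               v[i].mask, v[i].flags, v[i].sid, (v[i].flags & INHERIT_ONLY_ACE) ? " (inherit-only)" : "");
}

int main(void)
{
    struct iace file[8], dir[8], grandchild[8];
    dump("file child",        file,       inherit_dacl(PARENT, PARENT_COUNT, 0, 0, file, 8));
    int ndir = inherit_dacl(PARENT, PARENT_COUNT, 1, 0, dir, 8);
    dump("directory child",   dir,        ndir);
    dump("file in that dir",  grandchild, inherit_dacl(dir, ndir, 0, 0, grandchild, 8));
    dump("protected child",   file,       inherit_dacl(PARENT, PARENT_COUNT, 1, SE_DACL_PROTECTED, file, 8));
    return 0;
}
```

Running it shows the asymmetry that surprises people: the file-only ACE is carried through a subdirectory as an inherit-only entry (it protects nothing on the directory itself but still reaches the files inside), while the NO_PROPAGATE entry is effective on the subdirectory and then disappears, so a file two levels down inherits only two of the four parent ACEs and the explicit deny never leaves the parent.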