Overview
A security descriptor (SD) is the data structure that holds the security information of a securable object: files and directories, registry keys, processes and threads, services, named pipes and Active Directory objects, among others. It records who owns the object, who may access it and with which rights, and which access attempts are audited.
Components
Owner
The security principal that owns the object. The owner is implicitly granted READ_CONTROL and WRITE_DAC regardless of what the DACL says (unless an OWNER RIGHTS ACE overrides this), so an owner can always read and rewrite the descriptor.
Group
The primary group of the object. Windows access checks do not consult it; it exists for compatibility with the POSIX subsystem and Services for Macintosh, and is normally filled in from the creating token's primary group.
DACL (Discretionary Access Control List)
An ordered list of ACEs, each allowing or denying a set of access rights to a trustee (user or group SID). The access check walks the list in order until every requested right has been granted or a matching deny ACE is hit, so the canonical order places explicit deny ACEs before explicit allow ACEs, with inherited ACEs after both. A descriptor whose DACL is NULL grants everyone full access; an empty DACL (present, but with zero ACEs) grants access to no one beyond the owner's implicit rights.
SACL (System Access Control List)
Specifies which access attempts generate audit records (success and/or failure audit ACEs, written to the Security event log) and, since Windows Vista, also carries the object's mandatory integrity label as an ML ACE. Reading or writing the SACL requires the SE_SECURITY_NAME privilege, which is why requests for SACL_SECURITY_INFORMATION fail for ordinary users.
SDDL Syntax
Security Descriptor Definition Language (SDDL) is the textual form of a security descriptor consumed and produced by ConvertStringSecurityDescriptorToSecurityDescriptor and its inverse, and by tools such as icacls /save. The four components are written back to back with no separators; each is optional, and the D: and S: parts may carry ACL flags (P = protected from inheritance, AI = auto-inherited, AR = auto-inherit required) immediately before the ACE list:
O:owner_sidG:group_sidD:dacl_flags(ace1)(ace2)S:sacl_flags(ace3)
Omitting the D: component entirely yields a NULL DACL (everyone gets full access); writing D: with no ACEs yields an empty DACL that grants nothing.
ACE Format
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
ace_type is a code such as A (access allowed), D (access denied), AU (system audit) or ML (mandatory label). ace_flags is a concatenation of two-letter inheritance and audit flags (CI, OI, NP, IO, ID, SA, FA). rights is either a concatenation of two-letter codes (FA, FR, FW, FX, GA, GR, KR, ...) or a hexadecimal access mask. The two GUID fields are empty except in Active Directory object ACEs. account_sid is a well-known alias (BA, BU, SY, WD, AU, ...) or a literal S-1-... SID. Note that FA means FAILED_ACCESS_ACE_FLAG in the flags field but FILE_ALL_ACCESS in the rights field; only the position disambiguates them.
Examples
Full Control for Administrators
O:BAG:BAD:(A;;FA;;;BA)
Owner and group are Builtin Administrators (BA); the single ACE allows FA (FILE_ALL_ACCESS, 0x1F01FF) to Builtin Administrators. With an empty ace_flags field the ACE applies to this object only; on a directory whose children should inherit it, write (A;OICI;FA;;;BA).
Read and Execute for Users
O:BAG:BAD:(A;;0x1200a9;;;BU)
0x1200a9 is FILE_GENERIC_READ | FILE_GENERIC_EXECUTE (FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, FILE_EXECUTE, READ_CONTROL, SYNCHRONIZE), so the ACE can equally be written (A;;FRFX;;;BU). This DACL grants nothing to Administrators or SYSTEM; a production descriptor normally lists them as well.
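The following is an added example, not code from this page or from Microsoft: a small pure-Python parser for the SDDL form above that splits the O:/G:/D:/S: components, decodes each ACE into its fields, expands the two-letter rights and SID aliases, and then flags the three mistakes most often seen in practice (a null DACL, a deny ACE placed after an allow ACE, and write or control rights granted to Everyone, Authenticated Users, Anonymous or Users). The rights and SID tables cover only generic, standard, file, registry-key and integrity-label rights and the common well-known SIDs, and conditional ACEs with nested parentheses are not handled; the lint rules are this example's own heuristics, not part of any Windows API.

```python
import re
from dataclasses import dataclass

# Two-letter SDDL rights codes -> access mask (winnt.h values). Generic,
# standard, file, registry-key and integrity-label policy rights only.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "NW": 0x1, "NR": 0x2, "NX": 0x4,
}
# Individual bits used to explain a file access mask.
FILE_BITS = [
    (0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
    (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
    (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
    (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]
# Common SID aliases (this example's own subset); anything else must be a literal S-1-... string.
SIDS = {
    "BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "BG": "S-1-5-32-546",
    "SY": "S-1-5-18", "LS": "S-1-5-19", "NS": "S-1-5-20", "AU": "S-1-5-11",
    "WD": "S-1-1-0", "AN": "S-1-5-7", "IU": "S-1-5-4", "CO": "S-1-3-0",
    "OW": "S-1-3-4", "LW": "S-1-16-4096", "ME": "S-1-16-8192", "HI": "S-1-16-12288",
}
# Bits that let a principal modify content, or the descriptor itself (lint heuristic).
WRITE_MASK = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
BROAD_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-7", "S-1-5-32-545"}  # Everyone, Authenticated Users, Anonymous, Users

@dataclass
class Ace:
    type: str
    flags: list
    mask: int
    object_guid: str
    inherit_guid: str
    sid: str

def parse_rights(text):
    """'FA', 'FRFX' or '0x1200a9' -> integer access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]  # KeyError on a code this parser does not know
    return mask

def parse_sid(text):
    return text if text.startswith("S-1-") else SIDS[text]

def parse_ace(text):
    # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid[;extra]
    f = text.split(";")
    if len(f) < 6:
        raise ValueError(f"ACE needs six fields: {text!r}")
    flags = [f[1][i:i + 2] for i in range(0, len(f[1]), 2)]
    return Ace(f[0], flags, parse_rights(f[2]), f[3], f[4], parse_sid(f[5]))

def parse_acl(text):
    """(acl_flags, [Ace, ...]), or None for a null ACL (component absent or NO_ACCESS_CONTROL)."""
    if text is None or text == "NO_ACCESS_CONTROL":
        return None
    return text.partition("(")[0], [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", text)]

def parse_sddl(sddl):
    """Split the O:/G:/D:/S: components; whitespace (not valid SDDL) is tolerated for readability."""
    parts = re.split(r"([OGDS]):", sddl.replace(" ", ""))
    comp = dict(zip(parts[1::2], parts[2::2]))
    return {
        "owner": parse_sid(comp["O"]) if "O" in comp else None,
        "group": parse_sid(comp["G"]) if "G" in comp else None,
        "dacl": parse_acl(comp.get("D")),
        "sacl": parse_acl(comp.get("S")),
    }

def explain_mask(mask):
    return [name for bit, name in FILE_BITS if mask & bit]

def lint(sd):
    """Findings a reviewer would raise about a file or directory descriptor."""
    if sd["dacl"] is None:
        return ["null DACL: every principal gets full access"]
    _, aces = sd["dacl"]
    findings = [] if aces else ["empty DACL: nothing granted beyond the owner's implicit READ_CONTROL/WRITE_DAC"]
    seen_allow = False
    for ace in aces:
        explicit = "ID" not in ace.flags  # inherited ACEs legitimately follow explicit ones
        if explicit and ace.type in ("A", "OA", "XA"):
            seen_allow = True
        if explicit and ace.type in ("D", "OD", "XD") and seen_allow:
            findings.append(f"deny ACE for {ace.sid} after an allow ACE: non-canonical order, deny may not take effect")
        if ace.type in ("A", "OA", "XA") and ace.sid in BROAD_SIDS and ace.mask & WRITE_MASK:
            findings.append(f"broad principal {ace.sid} granted {explain_mask(ace.mask & WRITE_MASK)}")
    return findings
```

Running lint(parse_sddl(...)) over the two examples above returns no findings; the string O:BAG:BA with no D: component reports the null DACL, and D:(A;;FA;;;BA)(D;;FA;;;BU) reports the deny ACE that the allow ACE in front of it renders ineffective.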
Win32 API Functions
InitializeSecurityDescriptor
Initializes an absolute security descriptor with no owner, group, DACL or SACL. Until a DACL is set the descriptor has a NULL DACL, which grants everyone full access.
SetSecurityDescriptorOwner
Sets the owner SID of an absolute security descriptor.
SetSecurityDescriptorGroup
Sets the primary group SID of an absolute security descriptor.
SetSecurityDescriptorDacl
Sets the DACL. Passing bDaclPresent as FALSE, or a NULL pDacl, produces a NULL DACL (everyone gets full access); an ACL with zero ACEs produces an empty DACL (no one gets access). Confusing the two is a classic source of unintentionally world-writable objects.
SetSecurityDescriptorSacl
Sets the SACL.
ConvertStringSecurityDescriptorToSecurityDescriptor
Parses an SDDL string into a self-relative security descriptor allocated with LocalAlloc; free it with LocalFree. ConvertSecurityDescriptorToStringSecurityDescriptor performs the reverse conversion.
GetSecurityInfo
Retrieves the parts of an object's security descriptor selected by a SECURITY_INFORMATION mask, given a handle; the returned descriptor must be freed with LocalFree. GetNamedSecurityInfo does the same for an object identified by name.
SetSecurityInfo
Writes the selected parts of a security descriptor to an object identified by handle (SetNamedSecurityInfo takes a name). Writing the SACL requires SE_SECURITY_NAME to be enabled in the caller's token.