Windows Access Control List (ACL) 1





In this Module and those that follow, we will learn how security is implemented in Windows operating systems (OS).  Access control is one of the fundamental topics in the Security category of the Windows SDK Platform.  We will start with the access control model used by Windows and then dig deeper into the details of every component of the model.  Along the way we will also be introduced to the functions available for manipulating and interacting with the various Windows OS objects from the security aspect.  The working program examples are presented starting in the third Module of this series.  The examples use low-level C programming (a mix of Microsoft C and standard C), with no graphical user interface (GUI), in the hope that the student will understand better and faster.  This also gives the student very good practice in how C programming is used in this specific implementation.  All the information required for learning the security aspect of Windows has been included in this compilation note, in order to stay focused and avoid the many cross references encountered in the MSDN documentation.  It is prepared by lazy teachers for Joe Average and lazy students.




Access Control


It has been mentioned in the MSDN documentation that, at the beginning, Windows OSes followed the (now obsolete) Class C2 standard of the Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book"), which was superseded by the Common Criteria; the ISO version is ISO 15408, Common Criteria for Information Technology Security Evaluation (Parts 1, 2 and 3).  Access control refers to the security features that control who can access which resources in the operating system.  Applications call access control functions to set who can access specific resources, or to control access to resources provided by the applications themselves.


Access Control Model


The access control model enables you to control the ability of a process to access securable objects or to perform various system administration tasks.   A process is a security context under which an application runs.  Typically, the security context is associated with a user, so all applications running under a given process take on the permissions and privileges of the owning user.


Access Control Components


There are two basic components of the access control model:


  1. Access tokens, which contain information about a logged-on user.
  2. Security descriptors, which contain the security information that protects a securable object.


When a user logs on, the system authenticates the user's account name and password.  If the logon is successful, the system creates an access token.  Every process executed on behalf of this user will have a copy of this access token.  The access token contains security identifiers (SID) that identify the user's account and any group accounts to which the user belongs.  The token also contains a list of the privileges held by the user or the user's groups.  The system uses this token to identify the associated user when a process tries to access a securable object or perform a system administration task that requires privileges.

When a securable object is created, the system assigns it a security descriptor that contains security information specified by its creator, or default security information if none is specified.  Applications can use functions to retrieve and set the security information for an existing object.  A security descriptor identifies the object's owner and can also contain the following access control lists (ACLs):


  1. A discretionary access control list (DACL) that identifies the users and groups allowed or denied access to the object.
  2. A system access control list (SACL) that controls how the system audits attempts to access the object.


An ACL contains a list of access control entries (ACEs).  Each ACE specifies a set of access rights and contains a security identifier that identifies a trustee for whom the rights are allowed, denied, or audited.  A trustee can be a user account, group account, or logon session.  A logon session begins whenever a user logs on to a computer.  All processes in a logon session have the same primary access token.  The access token contains information about the security context of the logon session, including the user's SID, the logon identifier, and the logon SID.  The following illustration shows what happens when a user logs on to a system.  Keep in mind that, to the system, the user is nothing more than the credentials (such as a username and password) that were created in the system: a user's credentials are just another Windows object.


The Windows access control model illustration


An access token is an object that describes the security context of a process or thread.  The information in a token includes the identity and privileges of the user account associated with the process or thread.  When a user logs on, the system verifies the user's password by comparing it with information stored in a security database.  If the password is authenticated, the system produces an access token.  Every process executed on behalf of this user has a copy of this access token.

The system uses an access token to identify the user when a thread interacts with a securable object or tries to perform a system task that requires privileges.  Access tokens contain the following information:


  1. The SID for the user's account.
  2. SIDs for the groups of which the user is a member.
  3. A logon SID that identifies the current logon session.
  4. A list of the privileges held by either the user or the user's groups.
  5. An owner SID.
  6. The SID for the primary group.
  7. The default DACL that the system uses when the user creates a securable object without specifying a security descriptor.
  8. The source of the access token.
  9. Whether the token is a primary or impersonation token.
  10. An optional list of restricting SIDs.
  11. Current impersonation levels.
  12. Other statistics.


A primary token is an access token that is typically created only by the Windows kernel.  It may be assigned to a process to represent the default security information for that process.  The impersonation token is an access token that has been created to capture the security information of a client process, allowing a server to impersonate the client process in security operations.

Every process has a primary token that describes the security context of the user account associated with the process.  By default, the system uses the primary token when a thread of the process interacts with a securable object.  Moreover, a thread can impersonate a client account.  Impersonation allows the thread to interact with securable objects using the client's security context.  A thread that is impersonating a client has both a primary token and an impersonation token.  You can use the OpenProcessToken() function to retrieve a handle to the primary token of a process, and the OpenThreadToken() function to retrieve a handle to the impersonation token of a thread.  You can use the following functions to manipulate access tokens.


  1. Changes the group information in an access token.
  2. Enables or disables the privileges in an access token.  It does not grant new privileges or revoke existing ones.
  3. Determines whether a specified SID is enabled in a specified access token.
  4. Creates a new token that is a restricted version of an existing token.  The restricted token can have disabled SIDs, deleted privileges, and a list of restricting SIDs.
  5. Creates a new impersonation token that duplicates an existing token.
  6. Creates a new primary token or impersonation token that duplicates an existing token.
  7. Retrieves information about a token.
  8. Determines whether a token has a list of restricting SIDs.
  9. Retrieves a handle to the primary access token for a process.
  10. Retrieves a handle to the impersonation access token for a thread.
  11. Assigns or removes an impersonation token for a thread.
  12. Changes a token's owner, primary group, or default DACL.


Table 1

The access token functions use the following structures to describe the components of an access token.


  1. Information that identifies an access token.
  2. The default DACL that the system uses in the security descriptors of new objects created by a thread.
  3. The SIDs and attributes of the group SIDs in an access token.
  4. The default owner SID for the security descriptors of new objects.
  5. The default primary group SID for the security descriptors of new objects.
  6. The privileges associated with an access token, and whether each privilege is enabled.
  7. The source of an access token.
  8. Statistics associated with an access token.
  9. The SID of the user associated with an access token.


Table 2


The access token functions use the following enumeration types.


  1. Identifies the type of information being set or retrieved from an access token.
  2. Identifies an access token as a primary or impersonation token.


Table 3
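The ACE evaluation and the restricted-token behaviour described in this Module, as an added example that is neither the page's nor Microsoft's code: a portable C model (plain C, no Win32 headers) of how the system walks a DACL's ACEs in order against a token's SIDs, going beyond the text above to show the implicit deny at the end of the list, the NULL DACL case, and the second check that a restricted token's restricting SIDs must pass.  The SID strings, ACE layout and tokens are constructed sample data; the well-known SIDs S-1-1-0 (Everyone), S-1-5-32-545 (Users) and S-1-5-12 (RESTRICTED) are real values.

```c
#include <stdio.h>
#include <string.h>
/* Portable C model of how Windows evaluates a DACL against an access token; this is
   not the Win32 API.  SIDs are modelled as strings and access rights as bit masks. */
#define ACE_ALLOW 0
#define ACE_DENY  1
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u
typedef struct { int type; unsigned mask; const char *sid; } Ace;
typedef struct { const Ace *aces; int count; int is_null; } Dacl;  /* NULL DACL != empty DACL */
typedef struct { const char **sids; int nsids; const char **restricting; int nrestricting; } Token;
static int sid_in_list(const char *sid, const char **list, int n) {
    for (int i = 0; i < n; i++) if (strcmp(sid, list[i]) == 0) return 1;
    return 0;
}
/* One pass over the DACL in ACE order for one SID list: a deny ACE for a trustee in the list
   that covers a still-outstanding right ends the check; allow ACEs accumulate rights. */
static int check_sids(const Dacl *d, const char **sids, int n, unsigned wanted) {
    unsigned granted = 0;
    for (int i = 0; i < d->count && (granted & wanted) != wanted; i++) {
        const Ace *a = &d->aces[i];
        if (!sid_in_list(a->sid, sids, n)) continue;
        if (a->type == ACE_DENY && (a->mask & wanted & ~granted)) return 0;
        if (a->type == ACE_ALLOW) granted |= a->mask & wanted;
    }
    return (granted & wanted) == wanted;  /* end of list with rights outstanding: implicit deny */
}
int access_check(const Token *t, const Dacl *d, unsigned wanted) {
    if (d->is_null) return 1;                  /* NULL DACL: the object is unprotected */
    if (!check_sids(d, t->sids, t->nsids, wanted)) return 0;
    if (t->nrestricting == 0) return 1;        /* ordinary token: one check is enough */
    /* Restricted token: the restricting SIDs must pass the same check on their own */
    return check_sids(d, t->restricting, t->nrestricting, wanted);
}
/* Constructed sample data: a DACL in canonical order (deny ACEs first) and two tokens. */
static const Ace kAces[] = {
    { ACE_DENY,  RIGHT_WRITE,              "S-1-5-32-545" },  /* Users group (BUILTIN): no write */
    { ACE_ALLOW, RIGHT_READ | RIGHT_WRITE, "S-1-1-0" },       /* Everyone: read and write */
    { ACE_ALLOW, RIGHT_READ,               "S-1-5-12" },      /* RESTRICTED: read only */
};
static const Dacl kDacl = { kAces, 3, 0 }, kDaclNoRestricted = { kAces, 2, 0 }, kNullDacl = { NULL, 0, 1 };
static const char *kUserSids[] = { "S-1-5-21-1-2-3-1001", "S-1-5-32-545", "S-1-1-0" };
static const char *kRestricting[] = { "S-1-5-12" };
static const Token kUserToken = { kUserSids, 3, NULL, 0 };
static const Token kRestrictedToken = { kUserSids, 3, kRestricting, 1 };
int main(void) {  /* prints 1 0 1 0: read ok, write denied, restricted read ok, then denied */
    printf("%d %d %d %d\n", access_check(&kUserToken, &kDacl, RIGHT_READ),
        access_check(&kUserToken, &kDacl, RIGHT_WRITE), access_check(&kRestrictedToken, &kDacl, RIGHT_READ),
        access_check(&kRestrictedToken, &kDaclNoRestricted, RIGHT_READ));
}
```

The last call shows why CreateRestrictedToken() matters: the same user SIDs that pass the first check are not enough once a restricting SID list is present and no ACE grants that list anything.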



