Windows Access Control List (ACL) 2



Access Rights for Access-Token Objects


An application cannot change the access control list of an object unless the application has the rights to do so.  These rights are controlled by a security descriptor in the access token for the object.  To get or set the security descriptor for an access token, call the GetKernelObjectSecurity() and SetKernelObjectSecurity() functions.  When you call the OpenProcessToken() or OpenThreadToken() function to get a handle to an access token, the system checks the requested access rights against the DACL in the token's security descriptor.  The following are valid access rights for access-token objects:


  1. The DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER standard access rights. Access tokens do not support the SYNCHRONIZE standard access right.
  2. The ACCESS_SYSTEM_SECURITY right to get or set the SACL in the object's security descriptor.


The specific access rights for access tokens, which are listed in the following table.





Required to change the default owner, primary group, or DACL of an access token.


Required to adjust the attributes of the groups in an access token.


Required to enable or disable the privileges in an access token.


Required to adjust the session ID of an access token. The SE_TCB_NAME privilege is required.


Required to attach a primary token to a process. The SE_ASSIGNPRIMARYTOKEN_NAME privilege is also required to accomplish this task.


Required to duplicate an access token.




Required to attach an impersonation access token to a process.


Required to query an access token.


Required to query the source of an access token.






Combines all possible access rights for a token.


Table 4




Security Descriptors


A security descriptor contains the security information associated with a securable object.  A security descriptor consists of a SECURITY_DESCRIPTOR structure and its associated security information.  A security descriptor can include the following security information:


  1. SIDs for the owner and primary group of an object.
  2. A DACL that specifies the access rights allowed or denied to particular users or groups.
  3. A SACL that specifies the types of access attempts that generate audit records for the object.
  4. A set of control bits that qualify the meaning of a security descriptor or its individual members.


The Windows API provides functions for setting and retrieving the security information in an object's security descriptor.  In addition, there are functions for creating and initializing a security descriptor for a new object. Applications working with security descriptors on Active Directory objects can use the Windows security functions or the security interfaces provided by the Active Directory Service Interfaces (ADSI).


Securable Objects


A securable object is an object that can have a security descriptor.  All named Windows objects are securable.  Some unnamed objects, such as process and thread objects, can have security descriptors too.  For most securable objects, you can specify an object's security descriptor in the function call that creates the object.  For example, you can specify a security descriptor in the CreateFile() and CreateProcess() functions.  In addition, the Windows security functions enable you to get and set the security information for securable objects created on operating systems other than Windows.  The Windows security functions also provide support for using security descriptors with private, application-defined objects.  Each type of securable object defines its own set of specific access rights and its own mapping of generic access rights.  The following table shows the functions that can be used to manipulate the security information for some common securable objects.


Securable Object type

Security Descriptor Functions

Files or directories on an NTFS file system.

GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo()

Named pipes, Anonymous pipes.

GetSecurityInfo(), SetSecurityInfo()

Processes, Threads.

GetSecurityInfo(), SetSecurityInfo()

File-mapping objects.

GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo()

Access tokens.

SetKernelObjectSecurity(), GetKernelObjectSecurity()

Window-management objects

(window stations and desktops).

GetSecurityInfo(), SetSecurityInfo()

Registry keys.

GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo()

Windows services.

GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo()

Local or remote printers.

GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo()

Network shares.

GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo()

Interprocess synchronization objects (events, mutexes, semaphores, and waitable timers).

GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo()

Job objects.

GetNamedSecurityInfo(), SetNamedSecurityInfo(), GetSecurityInfo(), SetSecurityInfo()

Directory service objects.

These objects are handled by Active Directory Objects.


Table 5


The following figure shows a simple the relationship between securable object (a folder) and security descriptor.


The Windows securable objects and security descriptor





< Win32 Access Control List (ACL) 1 | Windows Access Control List (ACL) Main | Win32 Programming | Windows ACL 3 >