The Win32 Access Control List (ACL) APIs Programming
Note: Some code samples may need to be tested in a domain-based Active Directory environment, private or public, in order to see the 'real' output samples. Ask your lab instructor to use the appropriate lab. This tutorial exposes some part of the Windows 'security' implementation.

What do we have in this session?

  1. Introduction

  2. Access Control

    Access Control Model

    Access Control Components

  3. Access Rights for Access-Token Objects

  4. Security Descriptors

    Securable Objects

  5. Access Control Lists (ACLs)

  6. Access Control Entries (ACEs)

    Object-specific ACEs
  7. Access Rights and Access Masks

  8. ACCESS_MASK Data Type

    Access Mask format

    Generic Access Rights

    Standard Access Rights

    SACL Access Right

    Directory Services Access Rights

    How Security Descriptors are Set on New Directory Objects

    Default Security Descriptor

  9. Security Identifiers (SID)

  10. Interaction Between Threads and Securable Objects

    DACLs and ACEs

    How DACLs Control Access to an Object

    Order of ACEs in a DACL

    ACEs to Control Access to an Object's Properties

  11. Requesting Access Rights to an Object

  12. Null DACLs and Empty DACLs

    Allowing Anonymous Access

    Security Descriptor Definition Language (SDDL)

    Security Descriptor String Format

    Security Descriptor String Examples

    String 1 example

    String 2 example

  13. The ACE Strings

  14. The ACE String Description

  15. ACE Inheritance Rules

  16. More on SID Strings

  17. More on SID Components

  18. Well-known SIDs

  19. Windows Privileges
    Running with Special Privileges

    Running with Administrator Privileges

    Asking the User for Credentials

    Acquiring user credentials

    Changing Privileges in a Token

    Enabling and Disabling Privileges

  1. Authorization Constants

  2. Privilege Constants

  3. Audit Generation

  4. SACL Access Right

    Auditing Access To Private Objects

    Low-level Access Control

    Low-level Security Descriptor Functions

    Low-level Security Descriptor Creation

    Absolute and Self-Relative Security Descriptors

    Low-level ACL and ACE Functions

  5. How Security Groups are Used in Access Control

  6. Impersonation

    Access Tokens for Impersonation

    Client Impersonation

    Impersonation Levels

    Setting the Impersonation Level

    Registry Key Security and Access Rights

  7. Creating a DACL From Scratch Program Example

  8. Creating DACL and SACL with the Privilege Program Example

  9. Empty DACL Program Example: Nobody Can Access

  10. The NULL DACL Program Example: Everyone Gets Full Control

  11. Modifying Existing DACLs of an Object Program Example

  12. Modifying the SACL and Privilege Program Example

  13. Another New DACL Which Does Not Inherit Program Example

  14. Enabling and Disabling Privileges Code Snippet Example

  15. Privilege and SACL Program Example

  16. Searching for a SID in an Access Token Program Example 1

  17. Searching for a SID in an Access Token Program Example 2

  18. Getting the Logon (Session) SID in C++

  19. Finding the Owner of a File Object Program Example

  20. Taking Object Ownership Program Example

  21. SID conversion: String-to-Binary-to-String Program Example

  22. Log on a user to a machine Program Example

  23. A Simple Impersonation Program Example

  24. Creating a Security Descriptor from Scratch for a New Object, a Registry key Code Example

  25. Validate User Credentials on Microsoft Operating Systems Program Example

  26. Creating A Well Known SID Program Example

  27. Retrieving current user and domain names on Windows NT, Windows 2000, or Windows XP Code Example
