Desktop Security and Access Rights
Security enables you to control access to desktop objects. You can specify a security descriptor for a desktop object when you call the CreateDesktop() or CreateDesktopEx() function. If you specify NULL, the desktop gets a default security descriptor; the ACLs in that default security descriptor are inherited from the parent window station. To get or set the security descriptor of an existing desktop, call the GetSecurityInfo() and SetSecurityInfo() functions with the object type SE_WINDOW_OBJECT, which covers both window stations and desktops.

When you call the OpenDesktop() or OpenInputDesktop() function, the system checks the requested access rights against the object's security descriptor. The check is all-or-nothing: if any requested right is not granted by the descriptor, the call fails with ERROR_ACCESS_DENIED, so request only the rights you actually need rather than GENERIC_ALL. The valid access rights for desktop objects include the standard access rights and some object-specific access rights. The following table lists the standard access rights used by all objects.
| String constant (value) | Meaning |
|---|---|
| DELETE (0x00010000L) | Required to delete the object. |
| READ_CONTROL (0x00020000L) | Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. |
| SYNCHRONIZE (0x00100000L) | Not supported for desktop objects. |
| WRITE_DAC (0x00040000L) | Required to modify the DACL in the security descriptor for the object. |
| WRITE_OWNER (0x00080000L) | Required to change the owner in the security descriptor for the object. |
The following table lists the object-specific access rights.
| Access right | Description |
|---|---|
| DESKTOP_CREATEMENU (0x0004L) | Required to create a menu on the desktop. |
| DESKTOP_CREATEWINDOW (0x0002L) | Required to create a window on the desktop. |
| DESKTOP_ENUMERATE (0x0040L) | Required for the desktop to be enumerated. |
| DESKTOP_HOOKCONTROL (0x0008L) | Required to establish any of the window hooks. |
| DESKTOP_JOURNALPLAYBACK (0x0020L) | Required to perform journal playback on a desktop. |
| DESKTOP_JOURNALRECORD (0x0010L) | Required to perform journal recording on a desktop. |
| DESKTOP_READOBJECTS (0x0001L) | Required to read objects on the desktop. |
| DESKTOP_SWITCHDESKTOP (0x0100L) | Required to activate the desktop using the SwitchDesktop() function. |
| DESKTOP_WRITEOBJECTS (0x0080L) | Required to write objects on the desktop. |
The following are the generic access rights for a desktop object contained in the interactive window station of the user's logon session.
| Access right | Description |
|---|---|
| GENERIC_READ | DESKTOP_ENUMERATE, DESKTOP_READOBJECTS, STANDARD_RIGHTS_READ |
| GENERIC_WRITE | DESKTOP_CREATEMENU, DESKTOP_CREATEWINDOW, DESKTOP_HOOKCONTROL, DESKTOP_JOURNALPLAYBACK, DESKTOP_JOURNALRECORD, DESKTOP_WRITEOBJECTS, STANDARD_RIGHTS_WRITE |
| GENERIC_EXECUTE | DESKTOP_SWITCHDESKTOP, STANDARD_RIGHTS_EXECUTE |
| GENERIC_ALL | DESKTOP_CREATEMENU, DESKTOP_CREATEWINDOW, DESKTOP_ENUMERATE, DESKTOP_HOOKCONTROL, DESKTOP_JOURNALPLAYBACK, DESKTOP_JOURNALRECORD, DESKTOP_READOBJECTS, DESKTOP_SWITCHDESKTOP, DESKTOP_WRITEOBJECTS, STANDARD_RIGHTS_REQUIRED |
You can request the ACCESS_SYSTEM_SECURITY access right to a desktop object if you want to read or write the object's SACL. This right is not part of GENERIC_ALL and is not granted by the DACL: the calling thread must hold the SE_SECURITY_NAME privilege (SeSecurityPrivilege), enabled, or the request fails regardless of what the DACL allows.
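The access check that OpenDesktop() performs, and the generic-to-specific mapping from the table above, modelled as an added example. This is not Win32 code and not part of the original page: it calls no API, but applies the documented rules (generic bits are replaced by the desktop mapping before comparison, ACEs are evaluated in order so an earlier deny wins over a later allow, the owner implicitly gets READ_CONTROL and WRITE_DAC, a NULL DACL grants everything, and ACCESS_SYSTEM_SECURITY is a privilege check rather than a DACL check). The SIDs, DACL and tokens are constructed for the example.

```python
"""Model of the desktop access check described above (added example, not Win32 code).

Mask values are taken from the tables on this page; SIDs, DACL and tokens below
are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

# Standard rights (first table).
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x00010000, 0x00020000, 0x00040000, 0x00080000
STANDARD_RIGHTS_REQUIRED = DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER   # 0x000F0000
STANDARD_RIGHTS_READ = STANDARD_RIGHTS_WRITE = STANDARD_RIGHTS_EXECUTE = READ_CONTROL
ACCESS_SYSTEM_SECURITY, MAXIMUM_ALLOWED = 0x01000000, 0x02000000
GENERIC_ALL, GENERIC_EXECUTE, GENERIC_WRITE, GENERIC_READ = 0x10000000, 0x20000000, 0x40000000, 0x80000000

# Desktop-specific rights (second table).
DESKTOP_READOBJECTS, DESKTOP_CREATEWINDOW, DESKTOP_CREATEMENU = 0x0001, 0x0002, 0x0004
DESKTOP_HOOKCONTROL, DESKTOP_JOURNALRECORD, DESKTOP_JOURNALPLAYBACK = 0x0008, 0x0010, 0x0020
DESKTOP_ENUMERATE, DESKTOP_WRITEOBJECTS, DESKTOP_SWITCHDESKTOP = 0x0040, 0x0080, 0x0100

# Generic mapping (third table). GENERIC_* bits never appear in a stored ACE;
# the system replaces them with these specific bits before comparing.
DESKTOP_GENERIC_MAPPING = {
    GENERIC_READ: DESKTOP_ENUMERATE | DESKTOP_READOBJECTS | STANDARD_RIGHTS_READ,
    GENERIC_WRITE: (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_HOOKCONTROL
                    | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD
                    | DESKTOP_WRITEOBJECTS | STANDARD_RIGHTS_WRITE),
    GENERIC_EXECUTE: DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_EXECUTE,
    GENERIC_ALL: (DESKTOP_CREATEMENU | DESKTOP_CREATEWINDOW | DESKTOP_ENUMERATE
                  | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALPLAYBACK | DESKTOP_JOURNALRECORD
                  | DESKTOP_READOBJECTS | DESKTOP_SWITCHDESKTOP | DESKTOP_WRITEOBJECTS
                  | STANDARD_RIGHTS_REQUIRED),
}
ALL_DESKTOP_RIGHTS = DESKTOP_GENERIC_MAPPING[GENERIC_ALL]   # 0x000F01FF
SE_SECURITY_PRIVILEGE = "SeSecurityPrivilege"


def map_generic_mask(mask: int) -> int:
    """Translate GENERIC_* bits in a requested mask into desktop-specific rights."""
    specific = mask & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)
    for generic, rights in DESKTOP_GENERIC_MAPPING.items():
        if mask & generic:
            specific |= rights
    return specific


@dataclass(frozen=True)
class Ace:
    allow: bool      # False = access-denied ACE
    sid: str
    mask: int        # specific rights only, as stored in a DACL


@dataclass(frozen=True)
class Token:
    sids: frozenset                      # user and group SIDs
    privileges: frozenset = frozenset()  # enabled privileges


def access_check(dacl: list[Ace] | None, owner_sid: str, token: Token, desired: int) -> tuple[bool, int]:
    """Decide an open request: every requested bit must be granted or the whole
    request fails. Returns (ok, granted_mask)."""
    granted = 0
    if desired & ACCESS_SYSTEM_SECURITY:          # SACL access: privilege, not DACL
        if SE_SECURITY_PRIVILEGE not in token.privileges:
            return False, 0
        granted |= ACCESS_SYSTEM_SECURITY
    want_max = bool(desired & MAXIMUM_ALLOWED)
    remaining = map_generic_mask(desired & ~(ACCESS_SYSTEM_SECURITY | MAXIMUM_ALLOWED))
    if dacl is None:
        allowed = ALL_DESKTOP_RIGHTS              # NULL DACL: object is unprotected
    else:
        # Owner always gets READ_CONTROL and WRITE_DAC; everything else comes from
        # the ACEs in order: a bit denied before it is allowed stays denied.
        allowed = (READ_CONTROL | WRITE_DAC) if owner_sid in token.sids else 0
        denied = 0
        for ace in dacl:
            if ace.sid not in token.sids:
                continue
            if ace.allow:
                allowed |= ace.mask & ~denied
            else:
                denied |= ace.mask & ~allowed
    if want_max:
        granted |= allowed
    elif remaining & ~allowed:
        return False, 0
    else:
        granted |= remaining
    return granted != 0, granted


# Constructed sample: a desktop owned by Administrators whose DACL lets Users do
# ordinary UI work but, via a deny ACE placed first, never install hooks or
# record/play back input on it.
ADMINS, USERS, ALICE = "S-1-5-32-544", "S-1-5-32-545", "S-1-5-21-1-2-3-1001"
SAMPLE_OWNER = ADMINS
SAMPLE_DACL = [
    Ace(False, USERS, DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD | DESKTOP_JOURNALPLAYBACK),
    Ace(True, USERS, map_generic_mask(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE)),
]
USER_TOKEN = Token(frozenset({ALICE, USERS}))
ADMIN_TOKEN = Token(frozenset({ALICE, ADMINS}), frozenset({SE_SECURITY_PRIVILEGE}))

if __name__ == "__main__":
    for name, mask in [("GENERIC_WRITE", GENERIC_WRITE), ("MAXIMUM_ALLOWED", MAXIMUM_ALLOWED)]:
        print(name, access_check(SAMPLE_DACL, SAMPLE_OWNER, USER_TOKEN, mask))
```

Two things the sample makes visible: a request for GENERIC_WRITE from a member of Users fails outright, because its expansion contains DESKTOP_HOOKCONTROL and the journal bits that the leading deny ACE withholds, even though the later allow ACE grants them; and the owner's implicit rights are only READ_CONTROL and WRITE_DAC, so an administrator who is not otherwise listed in the DACL must first use WRITE_DAC to grant itself desktop-specific rights.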
Window Station and Desktop Reference
The following elements are used with window stations and desktops: