Overview
This lecture covers Access Control Lists (ACLs) in Windows, focusing on their types, how they control access to securable objects, and best practices for working with them.
Introduction to Access Control Lists (ACLs)
- An Access Control List (ACL) is a list of Access Control Entries (ACEs) for a securable object.
- Each ACE identifies a trustee (user or group) and specifies allowed, denied, or audited access rights.
- The security descriptor for a securable object contains ACLs.
Types of ACLs: DACLs and SACLs
- A Discretionary Access Control List (DACL) specifies trustees who are allowed or denied access to an object.
- If an object has no DACL, all users have full access; an empty DACL (no ACEs) denies all access.
- The system checks the ACEs in a DACL in sequence until the requested access is either allowed or denied.
- A System Access Control List (SACL) is used to log access attempts for auditing purposes.
- SACL ACEs specify which actions trigger audit records for a trustee, for successes, failures, or both.
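
The DACL rules above (no DACL versus empty DACL, and ACEs checked in sequence) can be seen in a small model. This is an added example, not code from the lecture and not the Windows API: the `Ace` class, the `access_check` function, the right bits and the trustee names are all constructed for illustration, and the model leaves out inheritance, ownership and privileges.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed right bits for this model (not the real Windows access-mask values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    trustee: str  # stand-in for a SID: a user or group name
    mask: int     # rights this ACE allows or denies

def access_check(dacl: Optional[list], token: set, desired: int) -> bool:
    """Return True only if every right in `desired` is granted to the token."""
    if dacl is None:               # object has no DACL: full access for everyone
        return True
    remaining = desired            # requested rights not yet allowed
    for ace in dacl:               # ACEs are checked strictly in list order
        if ace.trustee not in token:
            continue               # ACE names a trustee the caller is not
        if ace.kind == "deny" and ace.mask & remaining:
            return False           # a still-needed right is explicitly denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True        # all requested rights have been allowed
    return False                   # empty DACL or rights left over: denied

# Constructed sample: alice is a member of the group "staff".
ALICE = {"alice", "staff"}
DENY_FIRST = [Ace("deny", "alice", WRITE), Ace("allow", "staff", READ | WRITE)]
ALLOW_FIRST = list(reversed(DENY_FIRST))   # same ACEs, wrong order

def demo() -> dict:
    return {
        "no_dacl": access_check(None, ALICE, READ | WRITE | DELETE),
        "empty_dacl": access_check([], ALICE, READ),
        "deny_first_write": access_check(DENY_FIRST, ALICE, WRITE),
        "deny_first_read": access_check(DENY_FIRST, ALICE, READ),
        "allow_first_write": access_check(ALLOW_FIRST, ALICE, WRITE),
        "right_never_granted": access_check(ALLOW_FIRST, ALICE, READ | DELETE),
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

The `allow_first_write` case shows why ACE order matters when reviewing a DACL: the same deny ACE has no effect once an earlier allow ACE has already granted the right.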
Working with ACLs
- Do not modify ACLs directly; always use dedicated functions to ensure integrity and correctness.
- Specialized functions exist to create, retrieve, or modify ACLs safely.
- ACLs also control access to objects in Microsoft Active Directory, using Active Directory Service Interfaces (ADSI).
Key Terms & Definitions
- ACL (Access Control List) — A list of entries defining permissions for a securable object.
- ACE (Access Control Entry) — An entry in an ACL specifying access rights for a trustee.
- Trustee — A user, group, or process to whom access rights are assigned.
- DACL (Discretionary Access Control List) — ACL that defines who is allowed or denied access.
- SACL (System Access Control List) — ACL that defines which access attempts are audited.
- Security Descriptor — Data structure containing security information, including ACLs, for an object.
- Securable Object — Any resource with security attributes (files, folders, etc.).
Action Items / Next Steps
- Review functions and APIs for ACL creation and manipulation.
- Study how to control access to objects in Active Directory using ADSI.
- Refer to additional resources on audit generation and security descriptor structure.