Understanding Access Control Lists in Windows

Jun 3, 2025

Access Control Lists - Win32 Apps

Introduction

  • An access control list (ACL) is a collection of access control entries (ACEs).
  • Each ACE specifies a trustee and the associated access rights.
  • Security descriptors for a securable object include two types of ACLs:
    • Discretionary Access Control List (DACL)
    • System Access Control List (SACL)

Discretionary Access Control List (DACL)

  • Specifies trustees allowed or denied access to a securable object.
  • Process access checks:
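    • When a process tries to access a securable object, the system checks the ACEs in the object's DACL to decide whether to grant or deny access.
    • If the object has no DACL, the system grants full access to everyone; if the DACL has no ACEs, the system denies all access attempts.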
  • More on DACL: Creating a DACL.
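
The DACL evaluation described above, as an added example that is not part of the original page: a simplified Python model of the access check. It assumes ACEs are evaluated in stored order and ignores owner rights, privileges, and inheritance flags; the SIDs and the `Ace` and `access_check` names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Set

# Access right bit values as defined in winnt.h.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002

ALLOW, DENY = "allow", "deny"

# Constructed sample SIDs (not from the original page).
ALICE = "S-1-5-21-1111-2222-3333-1104"
CONTRACTORS = "S-1-5-21-1111-2222-3333-1201"


@dataclass(frozen=True)
class Ace:
    ace_type: str  # ALLOW or DENY
    trustee: str   # SID of the user or group the ACE applies to
    mask: int      # access rights the ACE allows or denies


def access_check(dacl: Optional[Sequence[Ace]], token_sids: Set[str], desired: int) -> bool:
    """Return True if every right in `desired` is granted by `dacl`."""
    if dacl is None:
        return True  # no DACL at all: full access for everyone
    remaining = desired
    for ace in dacl:  # ACEs are evaluated strictly in stored order
        if ace.trustee not in token_sids:
            continue
        if ace.ace_type == DENY and ace.mask & remaining:
            return False  # a still-needed right is explicitly denied
        if ace.ace_type == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True  # everything requested has been allowed
    return False  # end of list (or empty DACL): rights never granted


# Alice is a member of Contractors, so her token carries both SIDs.
TOKEN = {ALICE, CONTRACTORS}
RW = FILE_READ_DATA | FILE_WRITE_DATA
# Deny ACE first (canonical order) versus the same ACEs with allow first.
DENY_FIRST = [Ace(DENY, CONTRACTORS, FILE_WRITE_DATA), Ace(ALLOW, ALICE, RW)]
ALLOW_FIRST = [Ace(ALLOW, ALICE, RW), Ace(DENY, CONTRACTORS, FILE_WRITE_DATA)]

if __name__ == "__main__":
    for name, dacl in [("NULL", None), ("empty", []),
                       ("deny-first", DENY_FIRST), ("allow-first", ALLOW_FIRST)]:
        print(f"{name:12} write granted: {access_check(dacl, TOKEN, FILE_WRITE_DATA)}")
```

With the allow ACE stored first, the write request is granted before the deny ACE is ever reached, which is why ACE order is worth checking when auditing a DACL.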

System Access Control List (SACL)

  • Used to log access attempts to secured objects.
  • An ACE in a SACL can generate an audit record when an access attempt fails, when it succeeds, or both.
  • More on SACL: Audit generation, SACL access right.

Working with ACLs

ACLs in Active Directory
