Security descriptors are data structures of security information for securable Windows objects, that is, objects that can be identified by a unique name. Security descriptors can be associated with any named object, including files, folders, shares, registry keys, processes, threads, named pipes, services, job objects and other resources. [1]
Security descriptors contain a discretionary access control list (DACL) made up of access control entries (ACEs) that grant or deny access to trustees such as users or groups. They also contain a system access control list (SACL) that controls auditing of object access. [2] [3] An ACE may be applied explicitly to an object or inherited from a parent object. The order of ACEs in an ACL matters: access-denied ACEs are placed ahead of ACEs that grant access. Security descriptors also record the object's owner.
Mandatory Integrity Control is implemented through a new type of ACE on a security descriptor. [4]
File and folder permissions can be edited with various tools, including Windows Explorer, WMI, command-line tools such as Cacls, XCacls, ICacls and SubInACL, [5] the freeware Win32 console tool FILEACL, [6] [7] the free software utility SetACL, and other utilities. To edit a security descriptor, a user needs the WRITE_DAC permission on the object, [8] a permission that is usually granted by default to administrators and to the object's owner.
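The effect of ACE ordering described above, as an added example that is not part of the original article: a simplified model of a DACL walk in which ACEs are evaluated in list order, a matching deny ACE that overlaps an outstanding requested right refuses access at once, and allow ACEs accumulate rights until every requested right is covered. The SIDs, the ACEs and the `check_access` helper are constructed for illustration; owner implicit rights, a missing (NULL) DACL and generic-right mapping are deliberately left out.

```python
from dataclasses import dataclass

# Access-right bits taken from the article's NTFS permission table.
FILE_READ_DATA = 0x01
FILE_WRITE_DATA = 0x02


@dataclass(frozen=True)
class Ace:
    kind: str       # "allow" or "deny"
    trustee: str    # SID of the user or group the ACE applies to
    mask: int       # access rights this ACE grants or denies


def check_access(dacl, token_sids, requested):
    """Return True if every requested right is granted by the DACL.

    ACEs are evaluated in list order. A matching deny ACE that overlaps
    any right not yet granted stops the check; matching allow ACEs
    accumulate rights until nothing requested remains outstanding.
    An empty DACL grants nothing (a NULL DACL, which grants everything,
    is not modelled here).
    """
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue                      # ACE is for another trustee
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # explicit deny wins immediately
        if ace.kind == "allow":
            remaining &= ~ace.mask        # rights granted so far
            if remaining == 0:
                return True
    return remaining == 0


# Constructed placeholder SIDs: the user is a member of the STAFF group.
TOKEN = {"S-1-5-21-EXAMPLE-USER", "S-1-5-21-EXAMPLE-STAFF"}
DENY_USER_WRITE = Ace("deny", "S-1-5-21-EXAMPLE-USER", FILE_WRITE_DATA)
ALLOW_STAFF_RW = Ace("allow", "S-1-5-21-EXAMPLE-STAFF",
                     FILE_READ_DATA | FILE_WRITE_DATA)

# Deny first: the user's write is refused even though STAFF is allowed it.
CANONICAL = [DENY_USER_WRITE, ALLOW_STAFF_RW]
# Deny after allow: the allow ACE satisfies the request before the deny is reached.
NON_CANONICAL = [ALLOW_STAFF_RW, DENY_USER_WRITE]


def demo():
    """(write with deny first, write with deny last, read with deny first)."""
    return (check_access(CANONICAL, TOKEN, FILE_WRITE_DATA),
            check_access(NON_CANONICAL, TOKEN, FILE_WRITE_DATA),
            check_access(CANONICAL, TOKEN, FILE_READ_DATA))
```

The same two ACEs give opposite answers for the write request depending only on their order, which is why tools that edit DACLs reorder them into canonical form.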
The following table summarizes the NTFS permissions, one per row: the permission code, its meaning for files and for folders, which of the generic rights sets (R, E, W, A, M) include it, and its alias in icacls and in cacls. [9] [10] [11]
| Permission code | Meaning for files | Meaning for folders | Included in R [a] | Included in E [b] | Included in W [c] | Included in A [d] | Included in M [e] | Alias in icacls | Alias in cacls |
|---|---|---|---|---|---|---|---|---|---|
| 0x01 | Read data | List folder contents | Yes | Yes | | Yes | Yes | RD | FILE_READ_DATA |
| 0x80 | Read attributes | Read attributes | Yes | Yes | | Yes | Yes | RA | FILE_READ_ATTRIBUTES |
| 0x08 | Read extended attributes | Read extended attributes | Yes | Yes | | Yes | Yes | REA | FILE_READ_EA |
| 0x20 | Execute file | Traverse folder | | Yes | | Yes | Yes | X | FILE_EXECUTE |
| 0x20000 | Read permissions | Read permissions | Yes | Yes | Yes | Yes | Yes | RC | READ_CONTROL |
| 0x100000 | Synchronize | Synchronize | Yes | Yes | Yes | Yes | Yes | S | SYNCHRONIZE |
| 0x02 | Write data | Create files | | | Yes | Yes | Yes | WD | FILE_WRITE_DATA |
| 0x04 | Append data | Create folders | | | Yes | Yes | Yes | AD | FILE_APPEND_DATA |
| 0x100 | Write attributes | Write attributes | | | Yes | Yes | Yes | WA | FILE_WRITE_ATTRIBUTES |
| 0x10 | Write extended attributes | Write extended attributes | | | Yes | Yes | Yes | WEA | FILE_WRITE_EA |
| 0x10000 | Delete (or rename [12]) | Delete (or rename [12]) | | | | Yes | Yes | DE | DELETE |
| 0x40000 | Change permissions | Change permissions | | | | Yes | | WDAC | WRITE_DAC |
| 0x80000 | Take ownership | Take ownership | | | | Yes | | WO | WRITE_OWNER |
| 0x40 | Delete subfolders and files | Delete subfolders and files | | | | Yes | | DC | FILE_DELETE_CHILD |
Most of these permissions are self-explanatory, except the following:
Opening with DELETE permission grants permission to rename the file. The required permission is DELETE because the old name is being deleted.
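The permission table above, as an added example that is not part of the original article: a small decoder that splits an NTFS access mask into the icacls aliases listed in the table, reports which of the generic rights sets R, E, W, A and M it fully covers, and flags any bits the table does not name. Bit values and aliases are those of the table; the membership of each generic set follows the table's "Included in" columns, and the A column is assumed here to be the set of every right in the table. The `decode_mask` and `can_edit_security_descriptor` helpers are constructed for this example.

```python
# icacls alias -> (access-mask bit, Win32 constant name), from the table.
RIGHTS = {
    "RD": (0x01, "FILE_READ_DATA"),
    "WD": (0x02, "FILE_WRITE_DATA"),
    "AD": (0x04, "FILE_APPEND_DATA"),
    "REA": (0x08, "FILE_READ_EA"),
    "WEA": (0x10, "FILE_WRITE_EA"),
    "X": (0x20, "FILE_EXECUTE"),
    "DC": (0x40, "FILE_DELETE_CHILD"),
    "RA": (0x80, "FILE_READ_ATTRIBUTES"),
    "WA": (0x100, "FILE_WRITE_ATTRIBUTES"),
    "DE": (0x10000, "DELETE"),
    "RC": (0x20000, "READ_CONTROL"),
    "WDAC": (0x40000, "WRITE_DAC"),
    "WO": (0x80000, "WRITE_OWNER"),
    "S": (0x100000, "SYNCHRONIZE"),
}


def mask_of(*aliases):
    """OR together the bits of the given icacls aliases."""
    mask = 0
    for alias in aliases:
        mask |= RIGHTS[alias][0]
    return mask


# Generic sets as given by the table's "Included in" columns.
GENERIC = {}
GENERIC["R"] = mask_of("RD", "RA", "REA", "RC", "S")           # read
GENERIC["E"] = GENERIC["R"] | mask_of("X")                     # read and execute
GENERIC["W"] = mask_of("WD", "AD", "WA", "WEA", "RC", "S")     # write
GENERIC["A"] = mask_of(*RIGHTS)                                # assumed: all rights
GENERIC["M"] = GENERIC["E"] | GENERIC["W"] | mask_of("DE")     # modify


def decode_mask(mask):
    """Return (aliases present, generic sets fully covered, bits not in the table)."""
    aliases = [alias for alias, (bit, _) in RIGHTS.items() if mask & bit]
    covered = [name for name, bits in GENERIC.items() if mask & bits == bits]
    unknown = mask & ~mask_of(*RIGHTS)
    return aliases, covered, unknown


def can_edit_security_descriptor(mask):
    """Editing the DACL needs WRITE_DAC, as the text above states."""
    return bool(mask & RIGHTS["WDAC"][0])
```

Feeding it the masks icacls shows for Read & Execute (0x1200A9), Modify (0x1301BF) and Full control (0x1F01FF) reproduces the table's columns, and only the last of the three carries WRITE_DAC.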