Parts of a Security Descriptor

A security descriptor is a binary data structure of variable length. The data structure has the following parts:

Header    The header contains a revision number and a set of control flags that describe characteristics of the security descriptor, such as the memory layout, which elements are present, and how particular elements were added or modified.

Owner    The Owner field contains the SID for the object's owner. The owner of an object can modify permissions and give other users the right to take ownership.

Primary Group    The Primary Group field contains the SID for the owner's primary group. This information is used only by the POSIX subsystem and is ignored by the rest of Windows 2000.

Discretionary Access Control List (DACL)    The DACL is a list of zero or more access control entries (ACEs). Each ACE in the list has a header that specifies whether the ACE allows or denies access; a SID that specifies a particular user or group; and an access mask that lists the operations allowed or denied. The DACL's content is controlled by the object's owner. The owner can share control with other users by granting them Change Permissions (WRITE_DAC) permission.

System Access Control List (SACL)    The SACL is similar to the DACL except that it is used to audit rather than control access to an object. When an audited action occurs, the operating system records the event in the security log. Each ACE in a SACL has a header that indicates whether auditing is triggered by success or failure or both; a SID that specifies a particular user or security group to monitor; and an access mask that lists the operations to audit. The SACL's content is controlled by security administrators for the local system. Security administrators are users who have been assigned the Manage auditing and security log (SeSecurityPrivilege) privilege. By default, this privilege is assigned to the built-in Administrators group.

Layout in Memory

A security descriptor's layout in memory can be either self-relative or absolute. Which of the two formats a particular security descriptor uses is indicated by a control flag in the security descriptor's header.

A self-relative security descriptor is stored in a contiguous block of memory, and the address for each part of the descriptor is expressed as an offset from the beginning of the memory block. To locate any part of the security descriptor, a process must be given only the address of the area in memory where the security descriptor begins. The process can figure out for itself where the part in question begins by adding the memory offset for the part to the memory address for the security descriptor. (Hence the name self-relative. The address for a part is relative to the address for the whole.) Figure 12.12 illustrates the layout of a security descriptor in self-relative format.


Figure 12.12 Security Descriptor in Self-Relative Format

Self-relative layout is used for security descriptors on objects that must be stored on disk, transmitted by a communications protocol, or copied in memory.

A security descriptor in absolute format contains pointers to its information, not the information itself. This format allows each component of the security descriptor to be allocated separately and assembled on the fly. It is used for objects that do not require persistent storage, such as objects that exist only during the lifetime of a single process. Figure 12.13 illustrates the layout of a security descriptor in absolute format.


Figure 12.13 Security Descriptor in Absolute Format