COOPWARE © Coopware 2024


NTFS Security Model

© Thomas Schedl 2019

1 Security Descriptor
2 ACE-Entry
2.1 Access Mode
2.2 Standard Permissions
2.3 Special Permissions
2.4 Generic Permissions
2.5 Inheritance

1 Security Descriptor

The Security Descriptor contains all meta information about access rights of a Windows Object (file, registry, process, printer, ...) and could be seen as data structure with the following entries:

Owner: Owner of the Object
Primary Group: for POSIX and UNIX compatibility
Global Flags: Version and Inheritance for all principals
DACL: Discretionary Access Control List
SACL: System Access Control List

Details for Global Flags:
SDDL Meaning
P The SE_DACL_PROTECTED flag is set.
SR The SE_SELF_RELATIVE flag is set (not shown with ntfsacl.exe).

The Security Descriptor can be in absolut or self-relative Format:

The self-relative Format is the compact Version of the SD and contains all information in one block.

The canonical order ensures that an explicit access-denied ACE is enforced regardless of any explicit access-allowed ACE.
During an access check, the operating system steps through the ACEs in the order in which they appear in the object’s DACL, so that the deny ACE is processed before the allow ACE.

2 ACE-Entry

2.1 Access Mode

grfAccessMode SDDL Access Mode Description Beschreibung
0x0000 0001 A GRANT_ACCESS Allow Zulassen
0x0000 0002 SET_ACCESS
0x0000 0003 D DENY_ACCESS Deny Verweigern
0x0000 0004 REVOKE_ACCESS

2.2 Standard Permissions

grfAccessPermissions SDDL Access Mask Description Beschreibung
0x001f 03ff FA FILE_ALL_ACCESS Full Control Vollzugriff
0x0013 01bf 0x1301bf
combination of special perm.
Modify Ändern
0x0012 00a9 0x1200a9 FILE_GENERIC_READ | FILE_EXECUTE Read & Execute Lesen, Ausführen
0x0012 0089 FR FILE_GENERIC_READ Read Lesen
0x0010 0116 0x100116
combination of special perm.
Write Schreiben

2.3 Special Permissions

grfAccessPermissions SDDL Access Mask Description Beschreibung
0x0000 0001 0x100001 FILE_READ_DATA List Folder / Read Data Ordner auflisten / Daten lesen
0x0000 0002 0x100002 FILE_WRITE_DATA Create Files / Write Data Dateien erstellen / Daten schreiben
0x0000 0004 0x100004 FILE_APPEND_DATA Create Folders / Append Data Ordner erstellen / Daten anhängen
0x0000 0008 0x100008 FILE_READ_EA Read Extended Attributes Erweiterte Attribute lesen
0x0000 0010 0x100010 FILE_WRITE_EA Write Extended Attributes Erweiterte Attribute schreiben
0x0000 0020 0x100020 FILE_EXECUTE Traverse Folder / Execute File Ordner durchsuchen / Dateien ausführen
0x0000 0040 0x100040 FILE_DELETE_CHILD Delete Subfolders and Files Unterordner und Daten löschen
0x0000 0080 0x100080 FILE_READ_ATTRIBUTES Read Attributes Attribute lesen
0x0000 0100 0x100100 FILE_WRITE_ATTRIBUTES Write Attributes Attribute schreiben
0x0001 0000 SD DELETE Delete Löschen
0x0002 0000 RC READ_CONTROL Read Permissions Berechtigungen lesen
0x0004 0000 WD WRITE_DAC Change Permissions Berechtigungen ändern
0x0008 0000 WO WRITE_OWNER Take Ownership Besitzrecht übernehmen
0x0010 0000 always added SYNCHRONIZE invisible unsichtbar

2.4 Generic Permissions

0x1000 0000 GA GENERIC_ALL
0x4000 0000 GW GENERIC_WRITE
0x8000 0000 GR GENERIC_READ

Found when evaluating an ACE in a Security Descriptor (SD).
e.g. At the root of a disk. Not found in the GUI.

2.5 Inheritance

grfInheritance SDDL Inheritance FLAG Description Beschreibung
0x0000 0000 This folder only Nur diesen Ordner
0x0000 0001 OI OBJECT_INHERIT_ACE This folder and files Diesen Ordner, Dateien
0x0000 0002 CI CONTAINER_INHERIT_ACE This folder and subfolders Diesen Ordner, Unterordner
0x0000 0003 OICI OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE This folder, subfolders and files Diesen Ordner, Unterordner und Dateien
0x0000 0004 NP NO_PROPAGATE_INHERIT_ACE Apply these permissions ... Berechtigungen nur in diesem Container ...
0x0000 0009 OIIO OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE Files only Nur Dateien
0x0000 000a CIIO CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE Subfolders only Nur Unterordner
0x0000 000b OICIIO OBJECT_ ... | CONTAINER_ ... | INHERIT_ ... Subfolders and files only Nur Unterordner und Dateien
0x0000 0010 ID INHERITED_ACE inherited geerbt von

NTFS since Windows XP allows a special inheritance with an one level scope for all child objects