NTFS Security Model
© Thomas Schedl 2019

Contents
1 Security Descriptor
2 ACE-Entry
2.1 Access Mode
2.2 Standard Permissions
2.3 Special Permissions
2.4 Generic Permissions
2.5 Inheritance
1 Security Descriptor
The Security Descriptor contains all meta information about the access rights of a Windows object (file, registry key, process, printer, ...) and can be seen as a data structure with the following entries:

| Field | Meaning |
| --- | --- |
| Owner | Owner of the object |
| Primary Group | for POSIX and UNIX compatibility |
| Global Flags | Version and inheritance for all principals |
| DACL | Discretionary Access Control List |
| SACL | System Access Control List |
Details for Global Flags:

| SDDL | Meaning |
| --- | --- |
| P | The SE_DACL_PROTECTED flag is set. |
| AR | The SE_DACL_AUTO_INHERIT_REQ flag is set. |
| AI | The SE_DACL_AUTO_INHERITED flag is set. |
| SR | The SE_SELF_RELATIVE flag is set (not shown with ntfsacl.exe). |
The Security Descriptor can be in absolute or self-relative format. The self-relative format is the compact version of the SD and contains all information in one contiguous block.

The canonical order of ACEs in a DACL ensures that an explicit access-denied ACE is enforced regardless of any explicit access-allowed ACE: during an access check, the operating system steps through the ACEs in the order in which they appear in the object's DACL, so a deny ACE is processed before the allow ACE.
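The DACL walk described above, as an added example that is not part of the original reference sheet. The SID labels and the sample DACL are constructed; the access masks are the standard permissions listed in section 2.2. The second DACL holds the same two ACEs in non-canonical order to show why the order matters.

```python
from dataclasses import dataclass

MODIFY = 0x001301BF            # "Modify" standard permission (section 2.2)
READ_EXECUTE = 0x001200A9      # "Read & Execute"
FILE_WRITE_DATA = 0x00000002   # special permission "Create Files / Write Data"

@dataclass(frozen=True)
class Ace:
    kind: str   # "A" (GRANT_ACCESS) or "D" (DENY_ACCESS), the SDDL letters of 2.1
    sid: str    # constructed SID-like label, not a real SID
    mask: int   # access mask

def is_canonical(dacl):
    """Canonical order: every explicit deny ACE precedes the explicit allow ACEs."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == "A":
            seen_allow = True
        elif seen_allow:        # a deny stored after an allow breaks the order
            return False
    return True

def access_check(dacl, token_sids, desired):
    """Walk the DACL in stored order, as the OS does. A matching deny ACE that
    covers any desired bit rejects immediately; allow ACEs accumulate granted
    bits and the walk stops as soon as every desired bit is granted."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "D" and ace.mask & desired:
            return False
        if ace.kind == "A":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

# Constructed sample DACL: Everyone may modify, but members of a "Contractors"
# group are explicitly denied writing file data.
CANONICAL = [Ace("D", "S-CONTRACTORS", FILE_WRITE_DATA),
             Ace("A", "S-EVERYONE", MODIFY)]
NON_CANONICAL = list(reversed(CANONICAL))   # same ACEs, allow stored first
CONTRACTOR = {"S-EVERYONE", "S-CONTRACTORS"}
```

With the allow ACE stored first, the walk grants every requested bit before it ever reaches the deny ACE, which is exactly what the canonical order prevents.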
2 ACE-Entry
2.1 Access Mode
| grfAccessMode | SDDL | Access Mode | Description |
| --- | --- | --- | --- |
| 0x0000 0001 | A | GRANT_ACCESS | Allow |
| 0x0000 0002 | | SET_ACCESS | |
| 0x0000 0003 | D | DENY_ACCESS | Deny |
| 0x0000 0004 | | REVOKE_ACCESS | |
2.2 Standard Permissions

| grfAccessPermissions | SDDL | Access Mask | Description |
| --- | --- | --- | --- |
| 0x001f 03ff | FA | FILE_ALL_ACCESS | Full Control |
| 0x0013 01bf | 0x1301bf | combination of special permissions | Modify |
| 0x0012 00a9 | 0x1200a9 | FILE_GENERIC_READ \| FILE_EXECUTE | Read & Execute |
| 0x0012 0089 | FR | FILE_GENERIC_READ | Read |
| 0x0010 0116 | 0x100116 | combination of special permissions | Write |
2.3 Special Permissions
| grfAccessPermissions | SDDL | Access Mask | Description |
| --- | --- | --- | --- |
| 0x0000 0001 | 0x100001 | FILE_READ_DATA | List Folder / Read Data |
| 0x0000 0002 | 0x100002 | FILE_WRITE_DATA | Create Files / Write Data |
| 0x0000 0004 | 0x100004 | FILE_APPEND_DATA | Create Folders / Append Data |
| 0x0000 0008 | 0x100008 | FILE_READ_EA | Read Extended Attributes |
| 0x0000 0010 | 0x100010 | FILE_WRITE_EA | Write Extended Attributes |
| 0x0000 0020 | 0x100020 | FILE_EXECUTE | Traverse Folder / Execute File |
| 0x0000 0040 | 0x100040 | FILE_DELETE_CHILD | Delete Subfolders and Files |
| 0x0000 0080 | 0x100080 | FILE_READ_ATTRIBUTES | Read Attributes |
| 0x0000 0100 | 0x100100 | FILE_WRITE_ATTRIBUTES | Write Attributes |
| 0x0001 0000 | SD | DELETE | Delete |
| 0x0002 0000 | RC | READ_CONTROL | Read Permissions |
| 0x0004 0000 | WD | WRITE_DAC | Change Permissions |
| 0x0008 0000 | WO | WRITE_OWNER | Take Ownership |
| 0x0010 0000 | always added | SYNCHRONIZE | invisible (not shown in the GUI) |
2.4 Generic Permissions
| grfAccessPermissions | SDDL | Access Mask |
| --- | --- | --- |
| 0x1000 0000 | GA | GENERIC_ALL |
| 0x2000 0000 | GX | GENERIC_EXECUTE |
| 0x4000 0000 | GW | GENERIC_WRITE |
| 0x8000 0000 | GR | GENERIC_READ |
| 0xa000 0000 | | GENERIC_EXECUTE \| GENERIC_READ |
| 0xe000 0000 | | GENERIC_EXECUTE \| GENERIC_WRITE \| GENERIC_READ |

Found when evaluating an ACE in a Security Descriptor (SD), e.g. at the root of a disk. Not shown in the GUI.
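An added example, not part of the original reference sheet, that ties sections 2.2 to 2.4 together: it decodes a raw access mask into the special and generic bits listed above, maps an exact mask back to the GUI standard-permission name, and emits the SDDL rights token (FA, FR, or the hex form the sheet uses). The names and bit values are those of the tables; the "Special permissions" fallback label is my own.

```python
SPECIAL = {  # bit -> name, values as listed in the special-permission table
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
GENERIC = {  # generic rights of section 2.4
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
ALL_BITS = {**SPECIAL, **GENERIC}
# GUI name and SDDL rights token of the standard permissions (section 2.2);
# Full Control is the union of every bit in SPECIAL (0x1f01ff).
STANDARD = {
    sum(SPECIAL): ("Full Control", "FA"),
    0x001301BF: ("Modify", "0x1301bf"),
    0x001200A9: ("Read & Execute", "0x1200a9"),
    0x00120089: ("Read", "FR"),
    0x00100116: ("Write", "0x100116"),
}

def decode_mask(mask: int) -> list:
    """Names of every special/generic bit set in mask, unknown bits flagged."""
    names = [name for bit, name in ALL_BITS.items() if mask & bit]
    unknown = mask & ~sum(ALL_BITS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names

def standard_name(mask: int) -> str:
    """GUI standard permission for an exact mask, else 'Special permissions'."""
    return STANDARD.get(mask, ("Special permissions", None))[0]

def sddl_rights(mask: int) -> str:
    """SDDL rights token: FA/FR where defined, else the hex form the sheet uses."""
    entry = STANDARD.get(mask)
    return entry[1] if entry else f"0x{mask:x}"
```

Decoding 0x1301bf shows why Modify is a "combination of special permissions": it is Full Control minus FILE_DELETE_CHILD, WRITE_DAC and WRITE_OWNER.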
2.5 Inheritance

| grfInheritance | SDDL | Inheritance Flag | Description |
| --- | --- | --- | --- |
| 0x0000 0000 | | | This folder only |
| 0x0000 0001 | OI | OBJECT_INHERIT_ACE | This folder and files |
| 0x0000 0002 | CI | CONTAINER_INHERIT_ACE | This folder and subfolders |
| 0x0000 0003 | OICI | OBJECT_INHERIT_ACE \| CONTAINER_INHERIT_ACE | This folder, subfolders and files |
| 0x0000 0004 | NP | NO_PROPAGATE_INHERIT_ACE | Apply these permissions only in this container ... |
| 0x0000 0009 | OIIO | OBJECT_INHERIT_ACE \| INHERIT_ONLY_ACE | Files only |
| 0x0000 000a | CIIO | CONTAINER_INHERIT_ACE \| INHERIT_ONLY_ACE | Subfolders only |
| 0x0000 000b | OICIIO | OBJECT_ ... \| CONTAINER_ ... \| INHERIT_ ... | Subfolders and files only |
| 0x0000 0010 | ID | INHERITED_ACE | inherited |

Since Windows XP, NTFS allows a special inheritance with a one-level scope for all child objects.
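An added example, not part of the original reference sheet, showing how the grfInheritance flags of the table propagate from a folder's ACE to a child file or subfolder, including the one-level scope of NO_PROPAGATE_INHERIT_ACE. The flag values and SDDL abbreviations are those of section 2.5; the propagation rules are the documented Windows ACE inheritance semantics, and the function names are my own.

```python
from typing import Optional

OBJECT_INHERIT_ACE       = 0x01  # OI
CONTAINER_INHERIT_ACE    = 0x02  # CI
NO_PROPAGATE_INHERIT_ACE = 0x04  # NP
INHERIT_ONLY_ACE         = 0x08  # IO
INHERITED_ACE            = 0x10  # ID
SDDL_FLAGS = {0x01: "OI", 0x02: "CI", 0x04: "NP", 0x08: "IO", 0x10: "ID"}

def to_sddl(flags: int) -> str:
    """Render inheritance flags with the SDDL abbreviations of the table, e.g. 'OICIIO'."""
    return "".join(tag for bit, tag in SDDL_FLAGS.items() if flags & bit)

def inherit(parent_flags: int, child_is_folder: bool) -> Optional[int]:
    """Flags of the ACE a child receives from its parent folder's ACE, or None
    if the ACE is not inherited at all:
    - a file receives the ACE only if OI is set, and then carries just ID;
    - a subfolder receives an effective ACE if CI is set; with OI alone it gets
      an inherit-only copy so that the ACE still reaches the subfolder's files;
    - NP limits the scope to one level: the child copy loses OI/CI/IO."""
    oi = bool(parent_flags & OBJECT_INHERIT_ACE)
    ci = bool(parent_flags & CONTAINER_INHERIT_ACE)
    no_propagate = bool(parent_flags & NO_PROPAGATE_INHERIT_ACE)
    if not child_is_folder:
        return INHERITED_ACE if oi else None
    if not (oi or ci):
        return None
    if no_propagate:
        # an OI-only ACE would become a useless inherit-only ACE, so it is dropped
        return INHERITED_ACE if ci else None
    flags = INHERITED_ACE | (parent_flags & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE))
    if not ci:            # OI only: not effective on the folder itself
        flags |= INHERIT_ONLY_ACE
    return flags
```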