Sdcheck Remarks

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

SDCheck Remarks

Security Descriptors

The security descriptor is the structure of the list of permissions for an object.

The descriptor contains a header that includes a revision number and control flags. It also contains the Owner's SID (Security Identifier), and the SID of the object's primary group. A security descriptor can also contain two other lists: A discretionary access control list (DACL) and a system access control list (SACL).

The DACL is used to determine what access to an object is allowed. It contains Access Control Entries (ACEs) that define which SIDs have what privileges. An ACE has three parts: header, SID, and mask. The header describes whether it allows or denies access. The SID is the security identifier of the group or user that the ACE pertains to. The mask tells what access type the ACE is referring to.

When an access request is received, the system scans the DACL to see if any of the SIDs match any of the SIDs of the requester. If no matches are found or a Deny is found, then access is denied. All the SIDs are scanned, because a Deny Access always has a higher priority than any Allow. The only exception to this rule is that the owner of an object always has full control of the object.

An SACL is similar to a DACL, except that it is used for auditing purposes. If the user's SID is listed in the SACL's ACE, the audit event will be recorded in the event log.

See Also

Community Additions