Security Descriptor Control Flags

A security descriptor's header contains a set of control flags that qualify the meaning of the security descriptor or its components. In Windows 2000, control flags play an important role in the automatic propagation of inheritable security information from parent (that is, container) objects to child (that is, contained) objects.

Security descriptor control flags are stored in a bit field and are turned on or off by setting individual bits. Table 12.5 lists the security descriptor control flags.

Table 12.5 Security Descriptor Control Flags

Flag

Meaning

SE_DACL_AUTO_INHERITED

Windows 2000: Inheritable ACEs in this object's DACL have been propagated to existing child objects.
This flag is not set in security descriptors for Windows NT, which does not support automatic propagation of inheritable ACEs.

SE_DACL_DEFAULTED

The DACL was provided by a default mechanism.
This flag can affect how the operating system treats the DACL with respect to inheritance. The operating system ignores this flag if SE_DACL_PRESENT is not set.

SE_DACL_PRESENT

The security descriptor has a DACL.
Windows 2000: If this flag is not set (that is, if the security descriptor has no DACL), SE_DACL_PROTECTED must be set. Otherwise, the operating system considers the security descriptor invalid.
If this flag is not set, or if it is set but the DACL pointer is NULL (a NULL DACL), the object effectively has no DACL and the operating system allows full access to everyone. A NULL DACL is not the same as an empty DACL: an empty DACL contains no ACEs and therefore grants no access to anyone.

SE_DACL_PROTECTED

Windows 2000: The security descriptor's DACL cannot be modified by inheritable ACEs.
If this flag is not set, the DACL receives inheritable ACEs from the security descriptor of the parent object.

SE_GROUP_DEFAULTED

The primary group SID was provided by a default mechanism.

SE_OWNER_DEFAULTED

The owner SID was provided by a default mechanism.

SE_SACL_AUTO_INHERITED

Windows 2000: Inheritable ACEs in this object's SACL have been propagated to existing child objects.
This flag is not set in security descriptors for Windows NT, which does not support automatic propagation of inheritable ACEs.

SE_SACL_DEFAULTED

The SACL was provided by a default mechanism.
This flag can affect how the operating system treats the SACL with respect to inheritance. The operating system ignores this flag if SE_SACL_PRESENT is not set.

SE_SACL_PRESENT

The security descriptor has a SACL.

SE_SACL_PROTECTED

Windows 2000: The security descriptor's SACL cannot be modified by inheritable ACEs.

SE_SELF_RELATIVE

The security descriptor is in self-relative format with all information in a contiguous block of memory; the owner, group, SACL and DACL members are stored as byte offsets from the start of the descriptor rather than as pointers. If this flag is not set, the security descriptor is in absolute format, in which those members are pointers to structures held elsewhere in memory.
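The bit field described above, and the SE_DACL_PRESENT/SE_DACL_PROTECTED validity rule in Table 12.5, can be checked directly against descriptor bytes. The following Python is an added example, not code from the Resource Kit or from Windows itself: it unpacks the header of a self-relative security descriptor, names the control bits that are set, and reports what a reviewer of the flags would want to know (the missing-DACL rule, a NULL DACL, an empty DACL, a protected DACL, a NULL SACL). The bit values and the header layouts are the ones defined in winnt.h (SECURITY_DESCRIPTOR_CONTROL, SECURITY_DESCRIPTOR_RELATIVE, ACL); the build_sd helper, the single Everyone ACE and the four sample descriptors are constructed here for illustration and do not come from any real object. The NULL-versus-empty DACL distinction goes slightly beyond what the table states.

```python
import struct

# SECURITY_DESCRIPTOR_CONTROL bit values as defined in winnt.h.
SE_OWNER_DEFAULTED     = 0x0001
SE_GROUP_DEFAULTED     = 0x0002
SE_DACL_PRESENT        = 0x0004
SE_DACL_DEFAULTED      = 0x0008
SE_SACL_PRESENT        = 0x0010
SE_SACL_DEFAULTED      = 0x0020
SE_DACL_AUTO_INHERITED = 0x0400
SE_SACL_AUTO_INHERITED = 0x0800
SE_DACL_PROTECTED      = 0x1000
SE_SACL_PROTECTED      = 0x2000
SE_SELF_RELATIVE       = 0x8000

FLAG_NAMES = {
    SE_OWNER_DEFAULTED: "SE_OWNER_DEFAULTED",
    SE_GROUP_DEFAULTED: "SE_GROUP_DEFAULTED",
    SE_DACL_PRESENT: "SE_DACL_PRESENT",
    SE_DACL_DEFAULTED: "SE_DACL_DEFAULTED",
    SE_SACL_PRESENT: "SE_SACL_PRESENT",
    SE_SACL_DEFAULTED: "SE_SACL_DEFAULTED",
    SE_DACL_AUTO_INHERITED: "SE_DACL_AUTO_INHERITED",
    SE_SACL_AUTO_INHERITED: "SE_SACL_AUTO_INHERITED",
    SE_DACL_PROTECTED: "SE_DACL_PROTECTED",
    SE_SACL_PROTECTED: "SE_SACL_PROTECTED",
    SE_SELF_RELATIVE: "SE_SELF_RELATIVE",
}

# SECURITY_DESCRIPTOR_RELATIVE header: Revision, Sbz1, Control, then the byte
# offsets of Owner, Group, SACL and DACL from the start of the blob (little-endian).
SD_HEADER = struct.Struct("<BBHIIII")
# ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2.
ACL_HEADER = struct.Struct("<BBHHH")


def decode_control(control):
    """Names of the control bits set in a 16-bit Control word, lowest bit first."""
    return [FLAG_NAMES[bit] for bit in sorted(FLAG_NAMES) if control & bit]


def parse_self_relative(blob):
    """Unpack the header of a self-relative security descriptor into a dict."""
    if len(blob) < SD_HEADER.size:
        raise ValueError("blob shorter than a security descriptor header")
    revision, _sbz1, control, owner, group, sacl, dacl = SD_HEADER.unpack_from(blob)
    if revision != 1:
        raise ValueError("unsupported SECURITY_DESCRIPTOR revision %d" % revision)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("SE_SELF_RELATIVE not set; the offset fields are pointers")
    return {"control": control, "owner": owner, "group": group, "sacl": sacl, "dacl": dacl}


def ace_count(blob, offset):
    """AceCount of the ACL at 'offset'; raises if the ACL header is out of range."""
    if offset + ACL_HEADER.size > len(blob):
        raise ValueError("ACL offset 0x%x runs past the end of the descriptor" % offset)
    _rev, _sbz1, _size, count, _sbz2 = ACL_HEADER.unpack_from(blob, offset)
    return count


def audit(blob):
    """Apply the Table 12.5 control-flag rules plus the DACL pitfalls a reviewer
    looks for. Returns a list of finding strings; an empty list means nothing notable."""
    sd = parse_self_relative(blob)
    control = sd["control"]
    findings = []
    if not control & SE_DACL_PRESENT:
        # Table 12.5: a Windows 2000 descriptor with no DACL must be protected.
        if not control & SE_DACL_PROTECTED:
            findings.append("invalid: SE_DACL_PRESENT clear but SE_DACL_PROTECTED not set")
        findings.append("no DACL: the object grants full access to everyone")
        if control & SE_DACL_DEFAULTED:
            findings.append("SE_DACL_DEFAULTED ignored because SE_DACL_PRESENT is clear")
    elif sd["dacl"] == 0:
        # NULL DACL: the flag says 'present' but there is no ACL to enforce.
        findings.append("NULL DACL: SE_DACL_PRESENT set with OffsetDacl 0; everyone has full access")
    elif ace_count(blob, sd["dacl"]) == 0:
        # An empty DACL is the opposite of a NULL one: no ACE grants anything.
        findings.append("empty DACL: zero ACEs, all access is denied")
    if control & SE_DACL_PROTECTED:
        findings.append("DACL protected: inheritable ACEs from the parent are not applied")
    if control & SE_SACL_PRESENT and sd["sacl"] == 0:
        findings.append("NULL SACL: SE_SACL_PRESENT set but no SACL; nothing is audited")
    return findings


# Constructed sample ACE (not from a real object): ACCESS_ALLOWED_ACE granting
# mask 0x001F01FF to Everyone (S-1-1-0). AceType 0, AceFlags 0, AceSize 20, Mask,
# then the 12-byte SID: revision 1, one sub-authority, authority 1, sub-authority 0.
EVERYONE_FULL_ACE = (struct.pack("<BBHI", 0, 0, 20, 0x001F01FF)
                     + struct.pack("<BB6sI", 1, 1, b"\x00\x00\x00\x00\x00\x01", 0))


def build_sd(control, dacl_aces=()):
    """Constructed sample builder: a self-relative blob holding a header and, when
    SE_DACL_PRESENT is set and dacl_aces is not None, an ACL right after the header.
    dacl_aces=None produces a NULL DACL (flag set, offset 0). Owner/group are omitted."""
    body, dacl_offset = b"", 0
    if control & SE_DACL_PRESENT and dacl_aces is not None:
        aces = b"".join(dacl_aces)
        body = ACL_HEADER.pack(2, 0, ACL_HEADER.size + len(aces), len(dacl_aces), 0) + aces
        dacl_offset = SD_HEADER.size
    return SD_HEADER.pack(1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, dacl_offset) + body


SAMPLE_INHERITING = build_sd(SE_DACL_PRESENT | SE_DACL_AUTO_INHERITED, (EVERYONE_FULL_ACE,))
SAMPLE_NULL_DACL  = build_sd(SE_DACL_PRESENT, None)
SAMPLE_EMPTY_DACL = build_sd(SE_DACL_PRESENT | SE_DACL_PROTECTED, ())
SAMPLE_NO_DACL    = build_sd(SE_DACL_DEFAULTED)   # neither PRESENT nor PROTECTED

if __name__ == "__main__":
    for name, blob in [("inheriting", SAMPLE_INHERITING), ("null-dacl", SAMPLE_NULL_DACL),
                       ("empty-dacl", SAMPLE_EMPTY_DACL), ("no-dacl", SAMPLE_NO_DACL)]:
        sd = parse_self_relative(blob)
        print(name, decode_control(sd["control"]), audit(blob) or ["ok"])
```

On a live system the same audit() can be pointed at real descriptors: the self-relative blob is what GetFileSecurity returns, and in PowerShell (Get-Acl $path).GetSecurityDescriptorBinaryForm() yields the identical byte layout. The function deliberately fails on a descriptor without SE_SELF_RELATIVE, because in absolute format the four offset fields are pointers that mean nothing outside the process that built them.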