Security Identifiers (SIDs) New for Windows Vista

Security identifiers (SIDs) are numeric values that identify a user or group. For each access control entry (ACE), there is a SID that identifies the user or group for whom access is allowed, denied, or audited.

OwnerRights

In earlier versions of Microsoft Windows operating systems, the owner of a securable object (represented by the Owner SID field in the security descriptor) always had the READ_CONTROL and WRITE_DAC rights implicitly granted. WRITE_DAC is a powerful right that can be used to change the access control policy. In Windows Vista®, a new SID, OwnerRights, can be used in ACEs to control these rights on securable objects.

Well-known SID Description

OwnerRights (S-1-3-4)

This SID is used to control the rights of the owner on a securable object.

Note
The OwnerRights SID is different from the CreatorOwner SID.

When the discretionary access control list (DACL) for the securable object is evaluated during an access operation, a check is made for ACEs containing the OwnerRights SID to determine the rights granted to the object's owner. If the object does not contain such entries, the object's owner is granted the READ_CONTROL and WRITE_DAC rights, as in previous releases. However, if the DACL contains one or more ACEs with the new OwnerRights SID, the access check will use those entries, along with all other applicable ACEs for the user, to determine the owner's rights.

This behavior permits much easier maintenance of object access, as shown in the following examples.

Enforcement of intended access control policy

When rights are set by using OwnerRights on an object, an administrator can ensure that users who create files and folders cannot change the intended access control policy on those resources. In addition, an administrator can prevent users from changing settings on an object they created after they have been removed from all groups that have been granted those rights on that object.

Resource isolation

Services can be assigned a SID in Windows Server® 2008. Some resource isolation can be achieved by creating objects with a service's SID but not for resources created by that service at run time; those resources will be owned by the LocalSystem, NetworkService, or LocalService service and can be modified by other instances of these services. By adding the OwnerRights SID to the DACL on that service, resource isolation can be achieved. At run time, resource isolation is achieved on the objects created by that service as well.

Prevention of token size increase (bloat)

The computer object is created in Active Directory Domain Services (AD DS) when a user joins his or her computer to a domain. The user's SID is the owner in the security descriptor of the computer object. Accordingly, this allows the user to grant himself or herself the rights to create descendant objects. In certain cases, depending on whether the Active Directory schema allows it, creating these descendant objects, either accidentally or with malicious intent, can result in an increase in token size (by creating group objects that define other groups as members). By adding the OwnerRights SID to the DACL on that object, token size can be reduced in this circumstance.

Access restriction when user removed from group

When rights are set using OwnerRights, an AD DS administrator can allow users in a specific group to create objects under an organizational unit (OU) but then restrict their ability to modify or create group objects when removed from that group.

Important

This behavior requires administrators to remove the following write permissions on all securable objects that possess inherited Owner ACEs: Change Permissions or Change Owner.

Additional references

For information about well-known SIDs, see How Security Identifiers Work (https://go.microsoft.com/fwlink/?LinkId=77560) on the Microsoft Windows Server TechCenter Web site.