
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

More specifically, the SD holds the owner of the object, the Discretionary Access
Control List (DACL), and a System Access Control List (SACL). The DACL describes who
can and cannot access a securable object by listing each access granted or denied in a
series of access control entries (ACEs). The SACL describes what the system should audit
and is not as important to describe in this section, other than to point out how to recognize
it. (Every few months, someone will post to a security mailing list pointing out
what they believe to be a weak DACL when, in fact, it is just a SACL.)

Let's look at a sample security descriptor to get started. Figure 16-4 shows the security
descriptor attached to C:\Program Files on Windows XP SP2. This directory is a great
example to work through, first describing the security descriptor, and then showing you
how you can do the same analysis yourself with free, downloadable tools.

First, notice that the owner of the C:\Program Files directory is the Administrators
group. The security descriptor structure itself stores a pointer to the SID of the Administrators
group. Next, notice that the DACL has nine access control entries (ACEs). The
four in the left column are allow ACEs, the four on the right are inheritance ACEs, and the
final one is a special Creator Owner ACE.
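
To make the owner/DACL/SACL split concrete, here is an added example (not from the book) that parses a security descriptor written in SDDL, the standard Windows text form of a descriptor, and separates DACL ACEs from SACL audit ACEs. The sample string is constructed for illustration and is not the descriptor from Figure 16-4; the function names are hypothetical, and conditional ACEs are assumed absent.

```python
import re

# ACE type codes in SDDL. Audit/alarm ACEs live in the SACL, not the DACL.
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit", "AL": "alarm"}
# Well-known SID aliases used by the sample below.
SIDS = {"BA": "Administrators", "SY": "SYSTEM", "BU": "Users",
        "CO": "Creator Owner", "WD": "Everyone"}

# Constructed sample descriptor, NOT the one shown in Figure 16-4.
SAMPLE_SDDL = ("O:BAG:SY"
               "D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GA;;;CO)"
               "S:(AU;SAFA;FA;;;WD)")


def parse_aces(body):
    """Parse the '(type;flags;rights;objguid;inhguid;sid)' entries of one ACL."""
    aces = []
    for raw in re.findall(r"\(([^)]*)\)", body):
        ace_type, flags, rights, _obj, _inh, sid = raw.split(";")[:6]
        flag_list = re.findall("..", flags)  # flags are two-letter codes
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": flag_list,
            # IO = inherit-only: applies to children, not to this object.
            "inherit_only": "IO" in flag_list,
            "rights": rights,
            "trustee": SIDS.get(sid, sid),
        })
    return aces


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL.

    Assumes no conditional ACEs, so ':' only follows the O/G/D/S markers.
    """
    marks = list(re.finditer(r"([OGDS]):", sddl))
    parts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    return {
        "owner": SIDS.get(parts.get("O"), parts.get("O")),
        "group": SIDS.get(parts.get("G"), parts.get("G")),
        "dacl": parse_aces(parts.get("D", "")),
        "sacl": parse_aces(parts.get("S", "")),
    }
```

An `Everyone` entry that shows up under `sacl` with type `audit` grants nothing; it only tells the system which accesses to log, which is the DACL/SACL mix-up the text warns about.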

