SDDL Explained

Security Descriptor Definition Language

SDDL is a way of defining permissions that can be applied to objects.  This includes information about the object’s owner and who can access the object and in what way.

A security descriptor contains a Discretionary Access Control List (DACL) and a System Access Control List (SACL).

An ACL is an ordered list of Access Control Entries (ACEs); both the DACL and the SACL are ACLs built from ACEs.

A DACL identifies users and groups who are allowed or denied access to an object and in what way the object is accessed.

The SACL defines how access is audited on an object.

Example SDDL string (written without spaces, as it appears in practice):

O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)

An SDDL string is composed of 5 parts:

The Header – The header contains flags that designate whether the object is allowing or blocking inheritance for the SACL and DACL.

DACL (D:) – The Discretionary Access Control List, introduced by D:

SACL (S:) – The System Access Control List, introduced by S:

Primary Group (G:) – This value is still in the security descriptor for compatibility reasons. Windows 2000/2003 does not rely on this part of the security descriptor unless you are using Services for UNIX and/or Macintosh and the tools and utilities that go with them.

Owner (O:) – Indicates which trustee owns the object. A trustee is the user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) carries one security identifier (SID, also called a principal) that identifies its trustee, and the owner value is written in SID string format. A SID identifies a user, a group, or a logon session; each user has a unique SID, which the operating system retrieves at logon.

Header

DACL inheritance is controlled by the header flags that follow D:, for example PAI. P sets the SDDL_PROTECTED flag, which means inheritance is blocked. AI sets SDDL_AUTO_INHERITED, which means inheritance is allowed as long as P isn’t set.

ACE

ACEs are enclosed within parentheses. Each ACE has 6 fields, separated by semicolons.

The fields are as follows:

  • ACE type (allow/deny/audit)
  • ACE flags (inheritance and audit settings)
  • Permissions (list of incremental permissions)
  • ObjectType (GUID)
  • Inherited Object Type (GUID)
  • Trustee (SID)

The parts are concatenated using semicolons, e.g.

(A;OICIIO;FA;;;CO)

A; = Allow

OICIIO; = Inheritance flags (Object Inherit, Container Inherit, Inherit Only)

FA = Full Access

;; = The Object Type and Inherited Object Type are often not set, and so appear as empty fields, as in this example.

CO = Shorthand for Creator Owner. Many well-known SIDs have such two-letter shorthand notations.

ACE Flags

The ACE flags denote the inheritance options for the ACE, and if it is a SACL, the audit settings.

Value  Description
CI     CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
OI     OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
NP     NO PROPAGATE: only immediate children inherit this ACE.
IO     INHERIT ONLY: the ACE doesn’t apply to this object, but may affect children via inheritance.
ID     INHERITED: the ACE was inherited from a parent.
SA     SUCCESSFUL ACCESS AUDIT (SACL only)
FA     FAILED ACCESS AUDIT (SACL only)

ACE Types

The ACE type designates whether the trustee is allowed, denied or audited.

Value  Description
A      ACCESS ALLOWED
D      ACCESS DENIED
OA     OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
OD     OBJECT ACCESS DENIED: only applies to a subset of the object(s).
AU     SYSTEM AUDIT
AL     SYSTEM ALARM
OU     OBJECT SYSTEM AUDIT
OL     OBJECT SYSTEM ALARM

Permissions

The Permissions field is a list of the incremental permissions given (or denied/audited) to the trustee; the two-letter tokens are simply appended to one another, and the field may instead hold a hexadecimal access mask (as 0x1200a9 does in the example above). The incremental permissions are not the only permissions available; the table below lists all the permission tokens.

Value  Description                  Hexadecimal value  Bit (from 0)
Generic access rights
GA     GENERIC ALL                  0x10000000         28
GR     GENERIC READ                 0x80000000         31
GW     GENERIC WRITE                0x40000000         30
GX     GENERIC EXECUTE              0x20000000         29
Directory service access rights
RC     Read Permissions             0x20000            17
SD     Delete                       0x10000            16
WD     Modify Permissions           0x40000            18
WO     Modify Owner                 0x80000            19
RP     Read All Properties          0x00000010         4
WP     Write All Properties         0x00000020         5
CC     Create All Child Objects     0x00000001         0
DC     Delete All Child Objects     0x00000002         1
LC     List Contents                0x00000004         2
SW     All Validated Writes         0x00000008         3
LO     List Object                  0x00000080         7
DT     Delete Subtree               0x00000040         6
CR     All Extended Rights          0x00000100         8
File access rights
FA     FILE ALL ACCESS
FR     FILE GENERIC READ
FW     FILE GENERIC WRITE
FX     FILE GENERIC EXECUTE
Registry key access rights
KA     KEY ALL ACCESS               0xF003F
KR     KEY READ                     0x20019
KW     KEY WRITE                    0x20006
KX     KEY EXECUTE                  0x20019
       KEY CREATE SUB KEYS          0x0004
       KEY ENUMERATE SUB KEYS       0x0008
       KEY NOTIFY                   0x0010
       KEY QUERY VALUE              0x0001
       KEY SET VALUE                0x0002
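To make the ACE breakdown and the permissions table concrete, here is an added Python parser (not code from the original post) that splits a string like the example at the top of the page into its O:, G:, D: and S: components and each ACE into its six fields, resolving rights tokens with the table above. The FA/FR/FW/FX masks and the well-known SID names are assumptions supplied here, since the page leaves those cells blank.

```python
import re

# Rights tokens and hex masks from the permissions table above; FA/FR/FW/FX are
# the Win32 FILE_ALL_ACCESS / FILE_GENERIC_* masks, which the table leaves blank.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000, "RP": 0x10,
    "WP": 0x20, "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "LO": 0x80,
    "DT": 0x40, "CR": 0x100, "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116,
    "FX": 0x1200A0, "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
}
# Well-known SID aliases used in the example string (assumed names, for display only).
TRUSTEES = {"CO": "Creator Owner", "SY": "Local System", "AU": "Authenticated Users",
            "DA": "Domain Admins", "EA": "Enterprise Admins", "ED": "Enterprise DCs"}

def parse_rights(field):
    """'FA' -> 0x1F01FF, 'RPWP' -> 0x30, '0x1200a9' -> 0x1200A9. Tokens are ORed."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]  # KeyError on a token not in the table
    return mask

def parse_ace(text):
    """Split one '(...)' body into the six semicolon-delimited fields."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE must have 6 fields: {text!r}")
    ace_type, flags, rights, otype, itype, sid = fields
    return {"type": ace_type, "rights": parse_rights(rights), "trustee": TRUSTEES.get(sid, sid),
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
            "object_type": otype or None, "inherited_object_type": itype or None}

def parse_acl(body):
    """'PAI(A;...)(A;...)' -> header flags (P, AR, AI) and the ACEs in list order."""
    head, rest = re.match(r"([^(]*)(.*)", body).groups()
    flags = (["P"] if head.startswith("P") else []) + re.findall(r"A[RI]", head)
    return {"flags": flags, "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", rest)]}

def parse_sddl(sddl):
    """Break a full SDDL string into its O:, G:, D: and S: components."""
    result = {}
    for part in filter(None, re.split(r"(?=[OGDS]:)", sddl.replace(" ", ""))):
        key, body = part[0], part[2:]
        if key in "OG":
            result["owner" if key == "O" else "group"] = TRUSTEES.get(body, body)
        else:
            result["dacl" if key == "D" else "sacl"] = parse_acl(body)
    return result

def applies_to_object(ace):
    """Per the ACE-flags table: an IO (inherit-only) ACE never governs the object itself."""
    return "IO" not in ace["flags"]
```

Feeding the page's example string to parse_sddl shows the CO entry as inherit-only (it grants nothing on the object itself) and the ED and AU entries' 0x1200a9 as a mask that contains FILE GENERIC READ but not FILE GENERIC WRITE.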
