Security Descriptor Definition Language
SDDL is a way of defining permissions that can be applied to objects. This includes information about the object’s owner and who can access the object and in what way.
A security descriptor contains a Discretionary Access Control List (DACL) and a System Access Control List (SACL).
An ACL is a list of ordered Access Control Entries (ACE) that specify DACL and SACLs.
A DACL identifies users and groups who are allowed or denied access to an object and in what way the object is accessed.
The SACL defines how access is audited on an object.
Example: SDDL O:DAG:DAD:PAI (A;OICIIO;FA;;;CO) (A;OICI;0x1200a9;;;ED) (A;OICI;0x1200a9;;;AU) (A;OICI;FA;;;SY) (A;OICI;FA;;;DA) (A;OICI;FA;;;EA)
An SDDL string is composed of 5 parts:
The Header – The header contains flags that designate whether the object is allowing or blocking inheritance for the SACL and DACL.
DACL (D:) – The Discretionary Access Control List denoted by the (D:)
SACL (S:) – The System Access Control List denoted by the (S:)
Primary Group (G:) – This value is still in the security descriptor for compatibility reasons. Windows 2000/2003 does not rely on this part of the security descriptor unless you are using services for UNIX and/or Macintosh with tools and utilities applying thereto.
Owner (O:) – Indicates which trustee owns the object. A trustee is the user account, group account, or logon session to which an access control entry (ACE) applies. Each ACE in an access control list (ACL) has one security identifier (SID, also called a principal) that identifies a trustee. The value is represented in SID string format. A security identifier (SID) identifies a user, a group, or a logon session. Each user has a unique SID, which is retrieved by the operating system at logon.
The DACL inheritance can be set using PAI where P sets an SDDL_PROTECTED flag, that means that Inheritance is blocked. AI sets SDDL_AUTO_INHERITED means that Inheritance is allowed as long as P isn’t set.
ACE’s are enclosed within parenthesis. There are 6 fields in each ACE. These 6 fields are separated by a semicolon delimiter.
The fields are as follows:
- ACE type (allow/deny/audit)
- ACE flags (inheritance and audit settings)
- Permissions (list of incremental permissions)
- ObjectType (GUID)
- Inherited Object Type (GUID)
- Trustee (SID)
the parts are concatenated using the semi colon e.g.
A; = Allow
OICIIO; = Inheritance flags ( Object Inherit, Container Inherit, Inherit Only )
FA = Full Access
;; = Often the Object Type and Inherited Type are not set and are missing from the SDDL ACE as in this example.
CO = shorthand for Creator Owner. Many Well Known SIDs have shorthand notations
The ACE flags denote the inheritance options for the ACE, and if it is a SACL, the audit settings.
|“CI”||CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.|
|“OI”||OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.|
|“NP”||NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.|
|“IO”||INHERITANCE ONLY: ACE DOESN’T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE.|
|“ID”||ACE IS INHERITED|
|“SA”||SUCCESSFUL ACCESS AUDIT|
|“FA”||FAILED ACCESS AUDIT|
The ACE type designates whether the trustee is allowed, denied or audited.
|“OA”||OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).|
|“OD”||OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).|
|“OU”||OBJECT SYSTEM AUDIT|
|“OL”||OBJECT SYSTEM ALARM|
The Permissions are a list of the incremental permissions given (or denied/audited) to the trustee-these correspond to the permissions discussed earlier and are simply appended together. However, the incremental permissions are not the only permissions available. The table below lists all the permissions.
|Value||Description||Hexadecimal Value||Binary Bits from 0|
|Generic access rights|
|“GA”||GENERIC ALL||0x10000000||Bit 28|
|“GR”||GENERIC READ||0x80000000||Bit 31|
|“GW”||GENERIC WRITE||0x40000000||Bit 30|
|“GX”||GENERIC EXECUTE||0x20000000||Bit 29|
|Directory service access rights|
|“RC”||Read Permissions||0x20000||Bit 17|
|“WD”||Modify Permissions||0x40000||Bit 18|
|“WO”||Modify Owner||0x80000||Bit 19|
|“RP”||Read All Properties||0x00000010||Bit 4|
|“WP”||Write All Properties||0x00000020||Bit 5|
|“CC”||Create All Child Objects||0x00000001||Bit 0|
|“DC”||Delete All Child Objects||0x00000002||Bit 1|
|“LC”||List Contents||0x00000004||Bit 2|
|“SW”||All Validated Writes||0x00000008||Bit 3|
|“LO”||List Object||0x00000080||Bit 7|
|“DT”||Delete Subtree||0x00000040||Bit 6|
|“CR”||All Extended Rights||0x00000100||Bit 8|
|File access rights|
|“FA”||FILE ALL ACCESS|
|“FR”||FILE GENERIC READ|
|“FW”||FILE GENERIC WRITE|
|“FX”||FILE GENERIC EXECUTE|
|Registry key access rights|
|“KA”||KEY ALL ACCESS||0xF003F|
|KEY CREATE SUB KEYS||0x0004|
|KEY ENUMERATE SUB KEYS||0x0008|
|KEY QUERY VALUE||0x0001|
|KEY SET VALUE||0x0002|