6.1.3.5 Security Considerations

When an Add operation is processed, the client is allowed to specify any SD value, subject to some constraints to the OWNER field, as specified in this section and in section 3.1.1.5.2.1.1.

When a Modify operation is processed, the following security checks are applied to the requester's security context. If the requester does not pass the check, then accessDenied is returned.

  1. If the DACL value is written (according to SD flags), then one of the following requirements MUST be satisfied:

  • Explicit RIGHT_WRITE_DAC is granted to the requester on the object.

  • The OWNER SID in the SD value is one of the SIDs in the requester's token (either as user SID or group SID), in which case, implicit Owner rights are not blocked, as specified in section 6.1.3.4.

    Note: The requirements that MUST be satisfied when a DACL value is written according to SD flags, as described in this section, are supported on operating systems specified in [MSFT-CVE-2021-42291], each with the related MSKB article download installed. These requirements are also supported in Windows 11, version 22H2 operating system and later.

  1. If the OWNER and/or GROUP value is written (according to SD flags), then one of the following requirements MUST be satisfied:

  • RIGHT_WRITE_OWNER is granted to the requester on the object.

  • The requester possesses the SE_TAKE_OWNERSHIP_PRIVILEGE.

  • The control access right DS-Set-Owner is granted to the requestor on the object that is the root of the naming context to which the object holding the SD belongs.

  1. If the SACL value is written (according to SD flags), then the following requirement MUST be satisfied:

    • The requester possesses the SE_SECURITY_PRIVILEGE.

  2. If the object being modified is in the config NC or schema NC, and the RM control of the SD is present and contains SECURITY_PRIVATE_OBJECT bit, then additional requirements on the DC performing the operation MUST be enforced:

    • The DC MUST be a member of the root domain in the forest, or

    • The DC MUST be a member of the same domain to which the current object owner belongs.

  3. When the OWNER value is being written (via SD flags control, either in an add or a modify operation), then the following constraints have to be satisfied. The value of the OWNER field MUST be one of the following SIDs:

  • The SID of the user performing the operation.

  • The SID of the "default administrators group" (DAG; section 6.1.3.7), only when the DAG is defined and the user is a member of this group.

  • Any SID, when the user possesses the SE_RESTORE_PRIVILEGE.

    If the owner SID does not satisfy the preceding rules, then the server fails the operation, returning an unwillingToPerform / ERROR_INVALID_OWNER error.

  1. If the owner SID is written on an object in the config NC or schema NC, then additional requirements on the DC performing the operation are enforced:

    • The DC MUST be a member of the root domain in the forest, or

    • The DC MUST be a member of the same domain to which the current object owner belongs.