The following SDDL string:
"O:BAG:BAD:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)S:P(AU;FA;GR;;;WD)"
yields the following security descriptor, encoded in self-relative form with all multi-byte fields in little-endian order (the right-hand column is the hex dump's ASCII rendering).

00000000 01 00 14 b0 90 00 00 00 a0 00 00 00 14 00 00 00 ................
00000010 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 0...............
00000020 00 00 00 80 01 01 00 00 00 00 00 01 00 00 00 00 ................
00000030 02 00 60 00 04 00 00 00 00 03 18 00 00 00 00 a0 ..'.............
00000040 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00 ........ ...!...
00000050 00 03 18 00 00 00 00 10 01 02 00 00 00 00 00 05 ................
00000060 20 00 00 00 20 02 00 00 00 03 14 00 00 00 00 10 ... ...........
00000070 01 01 00 00 00 00 00 05 12 00 00 00 00 03 14 00 ................
00000080 00 00 00 10 01 01 00 00 00 00 00 03 00 00 00 00 ................
00000090 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 ........ ... ...
000000a0 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 ........ ... ...
The SECURITY_DESCRIPTOR starts with the SD revision number (1 byte) at offset 0x00, followed by a reserved byte (Sbz1) at 0x01 and the SD control flags (2 bytes) at 0x02. As mentioned previously, these are followed by the owner, group, SACL, and DACL offsets (4 bytes each), measured from the start of the security descriptor.

01 00 14 b0 90 00 00 00 a0 00 00 00 14 00 00 00
Revision (1 byte): 0x01
Sbz1 (1 byte, reserved): 0x00
Control (2 bytes): 0xB014
OffsetOwner (4 bytes): 0x00000090
OffsetGroup (4 bytes): 0x000000A0
OffsetSacl (4 bytes): 0x00000014
OffsetDacl (4 bytes): 0x00000030
Figure 6: Security descriptor field offsets example
Control Flags
The security descriptor control field is a 16-bit bitmask; the resultant value is the logical OR of the individual flags. In this example the control field is the byte pair "14 b0" at offset 0x02, which read in little-endian order is 0xB014, or in binary (most significant bit first):

1011000000010100

Reading from the least significant bit (bit 0) upward, this value maps to the flags shown in the following table.
| Bit | Mask | Value | Meaning |
|---|---|---|---|
| 0 | 0x0001 | 0 | OD: Owner defaulted |
| 1 | 0x0002 | 0 | GD: Group defaulted |
| 2 | 0x0004 | 1 | DP: DACL present |
| 3 | 0x0008 | 0 | DD: DACL defaulted |
| 4 | 0x0010 | 1 | SP: SACL present |
| 5 | 0x0020 | 0 | SD: SACL defaulted |
| 6 | 0x0040 | 0 | SS: Server Security |
| 7 | 0x0080 | 0 | DT: DACL Trusted |
| 8 | 0x0100 | 0 | DR: DACL Inheritance Required |
| 9 | 0x0200 | 0 | SR: SACL Inheritance Required |
| 10 | 0x0400 | 0 | DI: DACL auto-inherited |
| 11 | 0x0800 | 0 | SI: SACL auto-inherited |
| 12 | 0x1000 | 1 | PD: DACL-protected |
| 13 | 0x2000 | 1 | PS: SACL-protected |
| 14 | 0x4000 | 0 | RM: Control Valid |
| 15 | 0x8000 | 1 | SR: Self-Relative |
SACL
The SACL offset in the header (0x14) points just past the header fields, so the SACL immediately follows the control flags and offsets. In this example it is "S:P(AU;FA;GR;;;WD)", encoded as an ACL with a single ACE:

02 00 1c 00 01 00 00 00
AclRevision 0x02, Sbz1 0x00, AclSize 0x001C, AceCount 0x0001, Sbz2 0x0000
02 80 14 00 00 00 00 80
AceType 0x02 (SYSTEM_AUDIT_ACE_TYPE, "AU"), AceFlags 0x80 (FAILED_ACCESS_ACE_FLAG, "FA"), AceSize 0x0014, Mask 0x80000000 (GENERIC_READ, "GR")
01 01 00 00 00 00 00 01 00 00 00 00
SID S-1-1-0 (Everyone, "WD")
DACL
The SACL is followed by the SECURITY_DESCRIPTOR DACL, which begins at the DACL offset from the header (0x30). In this example it is:

(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)

Note The "D:" prefix and the DACL flag letters that follow it in the SDDL string (here "P") are not stored in the ACL structure itself. They are encoded in the security descriptor control flags: "D:" sets DP (DACL present) and "P" sets PD (DACL-protected). The same applies to the SACL, where "S:P" sets SP and PS.
Figure 7: Security access control list data example
The ACL can be further dissected into the ACL header and the individual ACEs. For more information, see section 2.4.5.
ACL HEADER
02 00 60 00 04 00 00 00
AclRevision (1 byte): 0x02
Sbz1 (1 byte, reserved): 0x00
AclSize (2 bytes): 0x0060
AceCount (2 bytes): 0x0004
Sbz2 (2 bytes, reserved): 0x0000
ACE Structure
The header is followed by the ACEs in the ACL. For more information about the ACE structure, see section 2.4.4.1.
In this example, there are four ACEs in the DACL:

(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)

Take the first access control entry (ACE) as an example. "(A;CIOI;GRGX;;;BU)" maps to the following 24 bytes in the binary structure (little-endian order), starting at offset 0x38:

00 03 18 00 00 00 00 a0 01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00
AceType (1 byte): 0x00 (ACCESS_ALLOWED_ACE_TYPE, "A")
AceFlags (1 byte): 0x03 (CONTAINER_INHERIT_ACE 0x02 | OBJECT_INHERIT_ACE 0x01, "CIOI")
AceSize (2 bytes): 0x0018
Mask (4 bytes): 0xA0000000 (GENERIC_READ 0x80000000 | GENERIC_EXECUTE 0x20000000, "GRGX")
Sid (16 bytes): S-1-5-32-545 (Builtin Users, "BU")

Each following ACE begins AceSize bytes after the previous one; the ACL's AceCount and AclSize, not the SDDL text, bound the walk.
Figure 8: ACE field offsets
Owner
The owner SID begins at offset 0x90 (OffsetOwner), immediately after the DACL: "01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00", that is S-1-5-32-544. In this example, the owner is therefore "BA" (Built-in Administrators).
Figure 9: ACE owner field offsets example
Group
The group SID begins at offset 0xA0 (OffsetGroup) and holds the same 16 bytes, S-1-5-32-544. In this example, the group is also "BA" (Built-in Administrators).
Figure 10: ACE group field offsets example
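The walk above (header and offsets, control word, SACL and DACL headers, ACE-by-ACE decoding, then owner and group) can be carried out mechanically. The following Python script is an added worked example, not code from [MS-DTYP] or from Windows: it parses the self-relative descriptor bytes shown in the hex dump and rebuilds the SDDL string, so the round trip can be checked. Its SID alias table, ACE-type table and generic-rights table are deliberately limited to what this example uses (an assumption of this script, not of the specification), and it rejects object-specific ACE types rather than misparsing them.

```python
import struct

# The self-relative security descriptor from the hex dump above, embedded here
# as the example's input (little-endian, 0xB0 bytes).
SD = bytes.fromhex("""
01 00 14 b0 90 00 00 00 a0 00 00 00 14 00 00 00
30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00
00 00 00 80 01 01 00 00 00 00 00 01 00 00 00 00
02 00 60 00 04 00 00 00 00 03 18 00 00 00 00 a0
01 02 00 00 00 00 00 05 20 00 00 00 21 02 00 00
00 03 18 00 00 00 00 10 01 02 00 00 00 00 00 05
20 00 00 00 20 02 00 00 00 03 14 00 00 00 00 10
01 01 00 00 00 00 00 05 12 00 00 00 00 03 14 00
00 00 00 10 01 01 00 00 00 00 00 03 00 00 00 00
01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
""")

# SECURITY_DESCRIPTOR_CONTROL bits, lowest bit first (MS-DTYP 2.4.6).
CONTROL_FLAGS = [
    (0x0001, "SE_OWNER_DEFAULTED"), (0x0002, "SE_GROUP_DEFAULTED"),
    (0x0004, "SE_DACL_PRESENT"), (0x0008, "SE_DACL_DEFAULTED"),
    (0x0010, "SE_SACL_PRESENT"), (0x0020, "SE_SACL_DEFAULTED"),
    (0x0040, "SE_SERVER_SECURITY"), (0x0080, "SE_DACL_TRUSTED"),
    (0x0100, "SE_DACL_AUTO_INHERIT_REQ"), (0x0200, "SE_SACL_AUTO_INHERIT_REQ"),
    (0x0400, "SE_DACL_AUTO_INHERITED"), (0x0800, "SE_SACL_AUTO_INHERITED"),
    (0x1000, "SE_DACL_PROTECTED"), (0x2000, "SE_SACL_PROTECTED"),
    (0x4000, "SE_RM_CONTROL_VALID"), (0x8000, "SE_SELF_RELATIVE"),
]
# Assumption: only the well-known SIDs in this example are abbreviated; any other
# SID is emitted in S-1-... form. Flag/right order follows the page's string.
SID_ALIASES = {"S-1-1-0": "WD", "S-1-3-0": "CO", "S-1-5-18": "SY",
               "S-1-5-32-544": "BA", "S-1-5-32-545": "BU"}
ACE_TYPES = {0x00: "A", 0x01: "D", 0x02: "AU"}      # allowed, denied, audit
ACE_FLAGS = [(0x02, "CI"), (0x01, "OI"), (0x04, "NP"), (0x08, "IO"),
             (0x10, "ID"), (0x40, "SA"), (0x80, "FA")]
GENERIC_RIGHTS = [(0x10000000, "GA"), (0x80000000, "GR"),
                  (0x40000000, "GW"), (0x20000000, "GX")]


def parse_sid(buf, off):
    """Decode a binary SID at buf[off]; returns (sid_string, byte_length)."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")      # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)  # little-endian
    sid = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return sid, 8 + 4 * sub_count


def parse_acl(buf, off):
    """Decode an ACL header and walk its ACEs by AceSize; returns (header, aces)."""
    revision, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos, end = [], off + 8, off + acl_size
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_size < 16 or pos + ace_size > end:   # header + mask + minimal SID
            raise ValueError("ACE at 0x%x overruns its ACL" % pos)
        if ace_type not in ACE_TYPES:               # object ACEs have a different layout
            raise ValueError("unsupported ACE type 0x%02x" % ace_type)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ace_type, "flags": ace_flags, "mask": mask, "sid": sid})
        pos += ace_size                             # AceSize, not the SID length, advances
    return {"revision": revision, "size": acl_size, "count": ace_count}, aces


def ace_to_sddl(ace):
    """Render one ACE as an SDDL (type;flags;rights;;;sid) tuple."""
    flags = "".join(n for m, n in ACE_FLAGS if ace["flags"] & m)
    rights = "".join(n for m, n in GENERIC_RIGHTS if ace["mask"] & m)
    sid = SID_ALIASES.get(ace["sid"], ace["sid"])
    return "(%s;%s;%s;;;%s)" % (ACE_TYPES[ace["type"]], flags, rights, sid)


def parse_sd(buf):
    """Decode the self-relative SECURITY_DESCRIPTOR header and what it points at."""
    revision, _sbz1, control, o_off, g_off, s_off, d_off = struct.unpack_from("<BBHIIII", buf, 0)
    if revision != 1 or not control & 0x8000:
        raise ValueError("expected a revision-1 self-relative security descriptor")
    return {
        "control": control,
        "control_names": [n for m, n in CONTROL_FLAGS if control & m],
        "owner": parse_sid(buf, o_off)[0] if o_off else None,
        "group": parse_sid(buf, g_off)[0] if g_off else None,
        # An ACL is only meaningful when its *_PRESENT control bit is set.
        "sacl": parse_acl(buf, s_off)[1] if control & 0x0010 and s_off else None,
        "dacl": parse_acl(buf, d_off)[1] if control & 0x0004 and d_off else None,
    }


def sd_to_sddl(buf):
    """Rebuild the SDDL string; the "P" after D:/S: comes from the control word."""
    sd, out = parse_sd(buf), ""
    if sd["owner"]:
        out += "O:" + SID_ALIASES.get(sd["owner"], sd["owner"])
    if sd["group"]:
        out += "G:" + SID_ALIASES.get(sd["group"], sd["group"])
    if sd["dacl"] is not None:
        out += "D:" + ("P" if sd["control"] & 0x1000 else "") + "".join(map(ace_to_sddl, sd["dacl"]))
    if sd["sacl"] is not None:
        out += "S:" + ("P" if sd["control"] & 0x2000 else "") + "".join(map(ace_to_sddl, sd["sacl"]))
    return out


if __name__ == "__main__":
    print(sd_to_sddl(SD))
```

Running the script prints the original SDDL string. Two points the walk makes explicit: the ACL size and count bound the ACE iteration (a descriptor whose AceSize or AclSize points outside the buffer is rejected rather than read past), and the "P" in "D:P" and "S:P" is recovered from the control word at offset 0x02, not from anything inside the ACLs.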