Access Control List – ACL, DACL, SACL, ACE
Solomon (2014) states that an Access Control List (ACL) is a list of access control rules that can be applied to a specific object. ACLs used in Windows are considered discretionary, so they are also known as Discretionary Access Control Lists (DACLs). A DACL consists of one or more Access Control Entries (ACEs) (pg.43). Each ACE identifies a security principal for an object and specifies a set of access rights that are allowed, denied, or audited for that security principal (TechNet Access Controls List, n.d.). A securable object requires a DACL for Windows to control access to the object; any object without a DACL is open to access by any subject, process, or user. DACLs can be modified in the object's Properties dialog box (Solomon, 2014, pg.53).
According to TechNet Access Controls List (n.d.), an ACL or DACL is an ordered list of ACEs that define the protections that apply to an object and its properties. An object's security descriptor contains two ACLs: the DACL, which identifies the users and groups who are allowed or denied access to the object, and the System Access Control List (SACL), which controls how access is audited (pg.1). Windows Dev Center (n.d.) provides the following detailed definitions of DACLs and SACLs.
- A DACL identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL, in order, to determine whether to grant access. If the object does not have a DACL, the system grants full access to everyone.
- A SACL allows administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both.
TechNet Access Controls List (n.d.) describes the structure of an ACL as follows: the ACL's size in bytes; the ACL revision number, which varies depending on how the ACL is applied (for most objects it is 2, for Active Directory ACLs it is usually 4); the number of ACEs contained in the ACL; and then the ACEs themselves, listed in order (pg.1).
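The following added example (not code from the page or from the cited sources) ties the two ideas above together: it builds an ACL in the binary layout the Windows SDK defines (an 8-byte ACL header holding revision, size and ACE count, followed by ACEs that each carry a type, flags, size, access mask and SID), parses it back, and then walks the DACL in order the way the description above says the system does, including the "no DACL means full access to everyone" case and the audit-success/audit-failure flags of a SACL entry. The SIDs, access-mask bits and ACE constants are the documented Windows values; the sample DACL, SACL and the two access tokens are constructed for the illustration, and the user SID `S-1-5-21-1000-2000-3000-1001` is a made-up placeholder.

```python
import struct

# Documented Windows constants (ACL revisions, ACE types, audit flags, a few access-mask bits).
ACL_REVISION = 2            # most securable objects
ACL_REVISION_DS = 4         # Active Directory objects
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
SYSTEM_AUDIT_ACE_TYPE = 0x02
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40   # SACL: log successful attempts
FAILED_ACCESS_ACE_FLAG = 0x80       # SACL: log failed attempts
FILE_READ_DATA, FILE_WRITE_DATA, DELETE = 0x0001, 0x0002, 0x00010000

def sid_to_bytes(sid):
    """Serialise 'S-1-<authority>-<sub>...' into the binary SID layout."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")                 # identifier authority is big-endian
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, offset):
    revision, count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def build_ace(ace_type, flags, mask, sid):
    """ACE_HEADER (type, flags, size) followed by the access mask and the SID."""
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_acl(aces, revision=ACL_REVISION):
    """ACL header: revision, Sbz1, total size, ACE count, Sbz2; then the ACEs in order."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", revision, 0, 8 + len(body), len(aces), 0) + body

def parse_acl(buf):
    revision, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, 0)
    if size != len(buf):
        raise ValueError("ACL size field does not match buffer length")
    aces, off = [], 8
    for _ in range(count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, off)
        mask = struct.unpack_from("<I", buf, off + 4)[0]
        aces.append({"type": ace_type, "flags": flags, "mask": mask,
                     "sid": sid_from_bytes(buf, off + 8)})
        off += ace_size                       # ACE size lets us skip to the next entry
    return {"revision": revision, "size": size, "ace_count": count, "aces": aces}

def check_access(dacl, token_sids, requested):
    """Ordered DACL evaluation: None (no DACL) grants everything; an empty DACL grants nothing."""
    if dacl is None:
        return True
    granted = 0
    for ace in parse_acl(dacl)["aces"]:
        if ace["sid"] not in token_sids:
            continue
        if ace["type"] == ACCESS_DENIED_ACE_TYPE and ace["mask"] & requested & ~granted:
            return False                      # a deny ACE wins on any right not yet granted
        if ace["type"] == ACCESS_ALLOWED_ACE_TYPE:
            granted |= ace["mask"] & requested
            if granted == requested:
                return True
    return granted == requested

def audit_hits(sacl, token_sids, requested, succeeded):
    """SIDs of SACL entries that would make the system write a security-log record."""
    flag = SUCCESSFUL_ACCESS_ACE_FLAG if succeeded else FAILED_ACCESS_ACE_FLAG
    return [a["sid"] for a in parse_acl(sacl)["aces"]
            if a["type"] == SYSTEM_AUDIT_ACE_TYPE and a["sid"] in token_sids
            and a["flags"] & flag and a["mask"] & requested]

# Constructed sample data. Well-known SIDs: Everyone, BUILTIN\Administrators, BUILTIN\Guests.
EVERYONE, ADMINS, GUESTS = "S-1-1-0", "S-1-5-32-544", "S-1-5-32-546"
SAMPLE_DACL = build_acl([
    build_ace(ACCESS_DENIED_ACE_TYPE, 0, FILE_WRITE_DATA, GUESTS),           # deny first
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, FILE_READ_DATA, EVERYONE),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, FILE_READ_DATA | FILE_WRITE_DATA | DELETE, ADMINS),
])
SAMPLE_SACL = build_acl([
    build_ace(SYSTEM_AUDIT_ACE_TYPE, FAILED_ACCESS_ACE_FLAG, FILE_WRITE_DATA, EVERYONE),
])
ADMIN_TOKEN = {EVERYONE, ADMINS, "S-1-5-21-1000-2000-3000-1001"}   # placeholder user SID
GUEST_TOKEN = {EVERYONE, GUESTS}

if __name__ == "__main__":
    print(parse_acl(SAMPLE_DACL))
    print("guest write:", check_access(SAMPLE_DACL, GUEST_TOKEN, FILE_WRITE_DATA))
    print("audited on failure:", audit_hits(SAMPLE_SACL, GUEST_TOKEN, FILE_WRITE_DATA, False))
```

Two points the walk-through makes visible: the deny ACE placed first stops the guest's write request even though a later ACE allows Everyone to read, and an ACL with zero ACEs is not the same as having no DACL at all, since the former denies everyone while the latter grants everyone full access.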
Solomon, M. G. (2014). Security Strategies in Windows Platforms and Applications (2nd ed.). Burlington, MA: Jones & Bartlett Learning.
TechNet Access Controls List. (n.d.). Access Control Lists. Retrieved October 25, 2016, from TechNet web, https://technet.microsoft.com/en-us/library/cc962007.aspx.
Windows Dev Center. (n.d.). Access Control Lists. Retrieved October 25, 2016, from Windows Dev Center web, https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx.