EPFL Logo
fr|en
Se Connecter
Concept

Security descriptor

Security descriptors are data structures of security information for securable Windows objects, that is objects that can be identified by a unique name. Security descriptors can be associated with any named objects, including , , shares, registry keys, processes, threads, named pipes, services, job objects and other resources. Security descriptors contain discretionary access control lists (DACLs) that contain access control entries (ACEs) that grant and deny access to trustees such as users or groups. They also contain a system access control list (SACLs) that control auditing of object access. ACEs may be explicitly applied to an object or inherited from a parent object. The order of ACEs in an ACL is important, with access denied ACEs appearing higher in the order than ACEs that grant access. Security descriptors also contain the object owner. Mandatory Integrity Control is implemented through a new type of ACE on a security descriptor. Files and folder permissions can be edited by various tools including Windows Explorer, WMI, command line tools like Cacls, XCacls, ICacls, SubInACL, the freeware Win32 console FILEACL, the free software utility SetACL, and other utilities. To edit a security descriptor, a user needs WRITE_DAC permissions to the object, a permission that is usually delegated by default to administrators and the object's owner. The following table summarizes NTFS permissions and their roles (in individual rows.) The table exposes the following information: Permission code: Each access control entry (ACE) specifies its permission with binary code. There are 14 codes (12 in older systems.) Meaning: Each permission code has a meaning, depending on whether it is applied to a file or a folder. For example, code 0x01 on file indicates the permission to read the file, while on a folder indicates the permission to list the content of the folder. Knowing the meaning alone, however, is useless. An ACE must also specify to whom the permission applies, and whether that permission is granted or denied.

Source officielle
À propos de ce résultat
Cette page est générée automatiquement et peut contenir des informations qui ne sont pas correctes, complètes, à jour ou pertinentes par rapport à votre recherche. Il en va de même pour toutes les autres pages de ce site. Veillez à vérifier les informations auprès des sources officielles de l'EPFL.

Copyright © 2025 EPFL, tous droits réservés

Graph Chatbot

Chattez avec Graph Search

Posez n’importe quelle question sur les cours, conférences, exercices, recherches, actualités, etc. de l’EPFL ou essayez les exemples de questions ci-dessous.

AVERTISSEMENT : Le chatbot Graph n'est pas programmé pour fournir des réponses explicites ou catégoriques à vos questions. Il transforme plutôt vos questions en demandes API qui sont distribuées aux différents services informatiques officiellement administrés par l'EPFL. Son but est uniquement de collecter et de recommander des références pertinentes à des contenus que vous pouvez explorer pour vous aider à répondre à vos questions.