Get a glimpse inside Paul Cooke's e-book "The definitive
guide to Windows 2000 security" with this series of book excerpts, courtesy of
Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the
excerpt series or get the
Access control entries
While the ACL is the overall structure for providing permissions in Windows 2000, it's really the ACEs that carry all the real access control information. Although there are different types of ACE structures, as I mentioned earlier, all ACEs include a SID, an access mask, flags to determine inheritance of the ACE, and the ACE type.
All ACEs are somewhat similar, but Windows 2000 supports six ACE types, as shown in Table 5.4. Of these six ACE types, three are generic and can be used in ACLs for any securable object. The other three are object-specific and can be used only in ACLs for AD objects.
|Access-denied||Generic||Denies access to an object in a DACL.|
|Access-denied||Object-specific||Denies access in a DACL to a property or property set or to limit inheritance to a specified type of child object.|
|Access-allowed||Generic||Allows access to an object in a DACL.|
|Access-allowed||Object-specific||Allows access in a DACL to a property or property set or to limit inheritance to a specified type of child object.|
|System-audit||Generic||Logs attempts to access an object in a DACL.|
|System-audit||Object-specific||Logs attempts in a SACL to access a property or property set or to limit inheritance to a specified type of child object.|
Table 5.4: The six types of ACEs.
While generic and object-specific ACEs are extremely similar, there are a couple of differences between them. The differences can be categorized primarily by the granularity of access control that they provide for ACE inheritance and object access. Generic ACEs can distinguish between container and non-container objects only when they're inherited, and they can only apply to an entire object. Object-specific ACEs can distinguish between which child objects can inherit them and can be used on a single attribute, or a set of attributes, of an object.
Whether ACEs are generic or object-specific isn't something that you need to concern yourself with every day. Whenever you modify an ACL, Windows 2000 automatically constructs the appropriate ACE and takes care of all the implementation details. However, knowing a little bit about what is going on under the hood is useful.
Click for the next excerpt in this series: The structure of an ACE
This was first published in November 2004