Book Excerpt

Access control entries

Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control."




Access control entries

While the ACL is the overall structure for providing permissions in Windows 2000, it's the ACEs that carry the actual access control information. Although there are different types of ACE structures, as I mentioned earlier, all ACEs include a SID, an access mask, flags that determine inheritance of the ACE, and the ACE type.

All ACEs are somewhat similar, but Windows 2000 supports six ACE types, as shown in Table 5.4. Of these six ACE types, three are generic and can be used in ACLs for any securable object. The other three are object-specific and can be used only in ACLs for AD objects.

ACE type         Scope            Description
Access-denied    Generic          Denies access to an object in a DACL.
Access-denied    Object-specific  Denies access in a DACL to a property or property set, or limits inheritance to a specified type of child object.
Access-allowed   Generic          Allows access to an object in a DACL.
Access-allowed   Object-specific  Allows access in a DACL to a property or property set, or limits inheritance to a specified type of child object.
System-audit     Generic          Logs attempts to access an object in a DACL.
System-audit     Object-specific  Logs attempts in a SACL to access a property or property set, or limits inheritance to a specified type of child object.

Table 5.4: The six types of ACEs.

While generic and object-specific ACEs are extremely similar, there are a couple of differences between them, and they come down to the granularity of access control each provides for ACE inheritance and object access. Generic ACEs can distinguish between container and non-container objects only when they're inherited, and they can apply only to an entire object. Object-specific ACEs can specify which child objects inherit them, and they can be applied to a single attribute, or a set of attributes, of an object.
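To make the fields described above concrete, here is an added example (not code from the book) that decodes the binary layout of an ACE: the common header (type, inheritance flags, size), the access mask, the SID, and, for the object-specific types, the optional GUIDs that name the attribute or property set and the child object class allowed to inherit. The type codes, flag bits and structure layout are taken from the Windows SDK (winnt.h); the sample ACE bytes, including both GUID values, are constructed for this example.

```python
import struct
import uuid
# ACE type codes (winnt.h): 0-2 are the generic types, 5-7 the object-specific ones in Table 5.4.
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT",
             5: "ACCESS_ALLOWED_OBJECT", 6: "ACCESS_DENIED_OBJECT", 7: "SYSTEM_AUDIT_OBJECT"}
# AceFlags bits that govern inheritance, plus the marker set on ACEs that were inherited.
ACE_FLAGS = {0x01: "OBJECT_INHERIT", 0x02: "CONTAINER_INHERIT",
             0x04: "NO_PROPAGATE_INHERIT", 0x08: "INHERIT_ONLY", 0x10: "INHERITED"}

def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into S-R-I-S... form; return (sid, end_offset)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), off + 8 + 4 * count

def parse_ace(buf, off=0):
    """Decode one generic or object-specific ACE at buf[off:]; return (ace, end_offset)."""
    ace_type, ace_flags, size = struct.unpack_from("<BBH", buf, off)   # ACE_HEADER
    mask, = struct.unpack_from("<I", buf, off + 4)                     # access mask
    pos = off + 8
    ace = {"type": ACE_TYPES.get(ace_type, "UNKNOWN_%d" % ace_type),
           "flags": [n for b, n in ACE_FLAGS.items() if ace_flags & b],
           "mask": mask, "object_type": None, "inherited_object_type": None}
    if ace_type in (5, 6, 7):  # object-specific: a Flags DWORD and up to two GUIDs before the SID
        obj_flags, = struct.unpack_from("<I", buf, pos)
        pos += 4
        if obj_flags & 0x1:    # ACE_OBJECT_TYPE_PRESENT: the property, property set or right
            ace["object_type"] = str(uuid.UUID(bytes_le=buf[pos:pos + 16])); pos += 16
        if obj_flags & 0x2:    # ACE_INHERITED_OBJECT_TYPE_PRESENT: child class allowed to inherit
            ace["inherited_object_type"] = str(uuid.UUID(bytes_le=buf[pos:pos + 16])); pos += 16
    ace["sid"], _ = parse_sid(buf, pos)
    return ace, off + size     # AceSize steps the caller to the next ACE

def parse_aces(buf):
    """Walk consecutive ACEs (the body of a DACL or SACL) into a list of dicts."""
    out, off = [], 0
    while off < len(buf):
        ace, off = parse_ace(buf, off)
        out.append(ace)
    return out

# Constructed sample, not captured from a real system: a generic ACCESS_ALLOWED ACE for S-1-5-32-544
# (mask 0x1F01FF, OBJECT_INHERIT|CONTAINER_INHERIT), then an object-specific ACCESS_ALLOWED_OBJECT
# ACE (INHERIT_ONLY|CONTAINER_INHERIT) carrying two placeholder GUIDs.
SID_ADMINS = bytes([1, 2, 0, 0, 0, 0, 0, 5]) + struct.pack("<II", 32, 544)
GENERIC_ACE = struct.pack("<BBHI", 0, 0x03, 8 + len(SID_ADMINS), 0x1F01FF) + SID_ADMINS
GUIDS = (uuid.UUID("00000000-0000-0000-0000-00000000aaaa").bytes_le
         + uuid.UUID("00000000-0000-0000-0000-00000000bbbb").bytes_le)
OBJECT_ACE = struct.pack("<BBHII", 5, 0x0A, 12 + len(GUIDS) + len(SID_ADMINS), 0x100, 0x3) + GUIDS + SID_ADMINS
SAMPLE_ACES = GENERIC_ACE + OBJECT_ACE
```

Calling `parse_aces(SAMPLE_ACES)` shows the generic ACE with an empty object_type and the object-specific ACE with both GUIDs populated, which is exactly the extra granularity the paragraph above describes.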

Whether ACEs are generic or object-specific isn't something that you need to concern yourself with every day. Whenever you modify an ACL, Windows 2000 automatically constructs the appropriate ACE and takes care of all the implementation details. However, knowing a little bit about what is going on under the hood is useful.


This was first published in November 2004
