Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control."
An ACL defines the permissions that apply to an object and its properties. Although this chapter is concerned with the type of ACL that you use to allow or deny access to resources, there are really two types of ACLs in Windows 2000: DACLs and system access control lists (SACLs). The DACL allows or denies access to objects, while the SACL controls how access to objects is audited. (I'll talk more about auditing in Chapter 6.)
Structure of an ACL
While there are a couple of bookkeeping entries at the beginning of the ACL structure, it consists primarily of ACEs, as shown in Figure 5.10. Each ACE identifies a security principal and specifies the rights that are allowed, denied, and/or audited for that principal.
Figure 5.10: The structure of an ACL.
Looking at the structure of an ACL, we see that the bookkeeping entries are the ACL Size, ACL Revision and ACE Count values.
- ACL Size -- Indicates the total number of bytes that the ACL uses.
- ACL Revision -- Indicates the revision number for the ACL's structure. The interesting thing to note here is that this value really indicates the structure of the ACEs contained in the ACL because the structure of an ACL is always the same, but the structure of the ACEs it contains can be different. While most objects in Windows 2000 use a revision value of 2, ACL entries for AD objects carry a revision value of 4.
- ACE Count -- Indicates the number of ACEs that are contained in the ACL; this value can be zero. The remainder of the structure is dedicated to the ACEs.
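The bookkeeping entries above are what a parser checks before it trusts anything else in the ACL. The following added example (not code from the book) reads the 8-byte ACL header from a constructed byte buffer and then walks the ACEs using the size field of each ACE's own 4-byte header, rejecting an ACL whose ACL Size exceeds the buffer or whose ACE Count does not agree with the bytes that follow. The field layout (revision, reserved byte, size, count, reserved word, all little-endian) is the Windows ACL structure; the sample ACL, its access masks and the Everyone SID are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ACL_REVISION    2   /* most objects, as described in the text */
#define ACL_REVISION_DS 4   /* Active Directory objects */

struct acl_header {
    uint8_t  revision;   /* ACL Revision */
    uint8_t  sbz1;       /* reserved, must be zero */
    uint16_t size;       /* ACL Size: total bytes, header plus all ACEs */
    uint16_t ace_count;  /* ACE Count: may be zero */
    uint16_t sbz2;       /* reserved, must be zero */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the ACL header, then walk each ACE by the AceSize field in its own
   header (type, flags, size) so the bookkeeping values are confirmed against
   the bytes. Returns the ACE count, or -1 if the ACL is malformed. */
int parse_acl(const uint8_t *buf, size_t len, struct acl_header *h)
{
    if (len < 8) return -1;
    h->revision = buf[0]; h->sbz1 = buf[1];
    h->size = le16(buf + 2); h->ace_count = le16(buf + 4); h->sbz2 = le16(buf + 6);
    if (h->revision != ACL_REVISION && h->revision != ACL_REVISION_DS) return -1;
    if (h->size < 8 || h->size > len) return -1;   /* ACL Size must fit the buffer */
    size_t off = 8;
    for (unsigned i = 0; i < h->ace_count; i++) {
        if (off + 4 > h->size) return -1;          /* ACE header must fit in the ACL */
        uint16_t ace_size = le16(buf + off + 2);
        if (ace_size < 4 || off + ace_size > h->size) return -1;
        off += ace_size;
    }
    return (int)h->ace_count;
}

/* Constructed sample: revision 2, 48 bytes, two 20-byte ACEs (4-byte ACE header,
   4-byte access mask, 12-byte SID of Everyone, S-1-1-0). */
static const uint8_t sample_acl[48] = {
    0x02, 0x00, 0x30, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x14, 0x00, 0xFF, 0x01, 0x1F, 0x00,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x14, 0x00, 0x89, 0x00, 0x12, 0x00,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
};

int sample_ace_count(void) { struct acl_header h; return parse_acl(sample_acl, sizeof sample_acl, &h); }
int sample_acl_size(void) { struct acl_header h; parse_acl(sample_acl, sizeof sample_acl, &h); return h.size; }
/* Truncated buffer: ACL Size claims 48 bytes but only 30 are present. */
int truncated_result(void) { struct acl_header h; return parse_acl(sample_acl, 30, &h); }
/* ACE Count raised to 3 with no third ACE: the walk runs past ACL Size. */
int overcounted_result(void) {
    uint8_t copy[48]; struct acl_header h;
    memcpy(copy, sample_acl, 48); copy[4] = 3;
    return parse_acl(copy, sizeof copy, &h);
}
```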
This was first published in November 2004