Windows: Securable objects

Examples of securable objects include

• Files, Directories
• Services
• Registry keys
• Processes, Threads (these are unnamed objects)
• Access tokens
• Named pipes
• File mapping objects
• DCOM applications
• Semaphores
• Events
• Mutexes
• Waitable timers
• WMI namespaces
• Active Directory Objects
• Window stations
• Desktop
• Mailslots
• Network shares
• Printers
• Private objects

A securable object defines the following elements

• The owner of the object, identified by its SID
• The group assocaited with the object, also identified by a SID. (This component is irrelevant for Windows components; it only exists for POSIX compatibility reasons).
• The Discretionary Access Control List (DACL)
• The System Access Control List (SACL)

The DACL determines users' and groups' permissions on the securable object.

DACL are called discretionary because they are asssigned at the assigner's discretion.

Such permissions must not be confused with user rights (possibly also referred to as privileges) which are granted to users rather than objects.

An Access Control List (ACL) is a ordered list of Access Control Entries (ACE).

An Access Control Entry consists of

• The user's or group's SID to which the ACE pertains
• A particular access right
• A flag, if this access right is allowed or denied.

When an ACL is checked to determine if a user or group is allowed to perform a certain action on the securable object, the ACEs in the ACLs are evaluated in the order of their position.

As soon as such a check finds an explicit grant or denial of the requested access, the check stops. Therfore, the order of the ACEs in the ACL is important.

It is generally recommended to place deny-ACEs before allow-ACEs.

In .NET, an Access Control Entry corresponds to the abstract base class System.Security.AccessControl.AuthorizationRule .