All named Windows objects are securable.
Components of a securable object
A securable object defines the following elements
- The owner of the object, identified by its SID
- The group assocaited with the object, also identified by a SID. (This component is irrelevant for Windows components; it only exists for POSIX compatibility reasons).
- The Discretionary Access Control List (DACL)
- The System Access Control List (SACL)
The DACL determines users' and groups' permissions on the securable object.
DACL are called discretionary because they are asssigned at the assigner's discretion.
Such permissions must not be confused with
user rights (possibly also referred to as
privileges) which are granted to
users rather than objects.
Access Control List and Access Control Entries
An Access Control List (ACL) is a ordered list of Access Control Entries (ACE).
An Access Control Entry consists of
- The user's or group's SID to which the ACE pertains
- A particular access right
- A flag, if this access right is allowed or denied.
When an ACL is checked to determine if a user or group is allowed to perform a certain action on the securable object, the ACEs in the ACLs are evaluated in the order of their position.
As soon as such a check finds an explicit grant or denial of the requested access, the check stops. Therfore, the order of the ACEs in the ACL is important.
It is generally recommended to place deny-ACEs before allow-ACEs.