Microsoft's official enterprise support blog for AD DS and more
Mike here. Windows uses the concept of a security descriptor to allow or deny security principals (user or groups) access to specific resources. A security descriptor is a data structure that contains:
An access control list (ACL) is a list of memory locations to access control entries (ACEs). An ACE contains information such as an action - is the action allowed or denied - and the security principal to which the allowed or denied action applies. ACEs are mostly commonly referred to as permissions. Windows uses discretionary access control lists to prevent or allow actions against resources for a specific user and/or group. Windows uses system access control lists to audit actions performed against an object by a specific user or group.
The DACL controls that type of access to a resource and who is taking that action. Windows allocates memory when creating a DACL. The security descriptor stores the memory location of the DACL. Windows uses the DACL memory location to identify where it should store the location of ACEs associated with the DACL. Therefore, the DACL exists but is empty and remains empty until an ACE is created and assigned to the DACL. This is an empty DACL.
A null DACL is often confused with an empty DACL; however, they both refer to two distinct entities. As mentioned earlier, the security descriptor contains the memory location of the DACL when a DACL is created. However, it is possible to create a security descriptor without the memory location of the DACL. The security descriptor is valid; however, the memory location of the DACL does not exist; it is null. This means that Windows did not create a DACL. This also means that it is not possible to add an access control entry to the DACL until the DACL is created and a valid memory location is provided in the security descriptor.
Windows' security defines two specific actions with regard to handling a null or empty DACL. These actions occur when Windows performs an access check. An access check occurs when a user attempts access to a resource. The access check occurs on the computer hosting the resources. Windows checks the access token created on the resource computer with the security descriptor protecting the resource. Windows grants full access to any requesting user, bypassing any further security checks. The resulting effects of a null DACL is similar to granting the Everyone group Full Control permissions.
An empty DACL provides the opposite effect of a null DACL. An empty DACL is similar to denying Full Control permissions to the Everyone group; effectively preventing anyone from accessing the resource. It's important to understand that Windows only accommodates null or empty DACLs during the access check; not when the null or empty DACL is saved to the security descriptor.
- Mike “Rubbin’ is Racin’“ Stephens
PingBack from http://www.tscmpro.com/?p=4246
Thanks for this. How can a sysadmin tell the difference between an object with a null DACL and an object with an empty DACL? Would the permissions look the same if viewed in Explorer?
Thanks for the article Mike.
If you want to detect NULL vs. empty ACLs you can use my open source tool SetACL (http://setacl.sourceforge.net/).
You might also be interested in my "primer" article on Windows permissions where I also explain the differences between NULL and empty ACLs:
Unfortunately, the ACL editor within Windows shows the interpreted permission of the null or empty DACL. The command line utility cacls.exe does report a null DACL by displaying "No permissions are set." I have an upcoming post that includes a script that specifically looks for null DACLs within nested folders.
The Group Policy security client side extension can distribute security descriptors on files and registry