What Makes Up an ACL?

The following is a brief overview for those of you who might have forgotten what an ACL is, or maybe never knew it in the first place! You can skip this section if you're familiar with ACLs. An ACL is an access control method employed by many operating systems, including Windows NT, Windows 2000, and Windows XP, to determine to what degree an account is allowed to access a resource. Windows 95, Windows 98, Windows Me, and Windows CE do not support ACLs.

Determine Whether the File System Supports ACLs

You can use the following code to determine whether a given file system supports ACLs. All you need to do is change the szVol variable to point to the volume.

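#include <stdio.h>
#include <windows.h>

int main(void) {
    /* Root of the volume to query. */
    const char *szVol = "c:\\";
    DWORD dwFlags = 0;

    /* Only the file system flags are needed, so every other output
       parameter is NULL or 0. The ANSI form of GetVolumeInformation is
       called explicitly because szVol is a char string. */
    if (GetVolumeInformationA(szVol,
                              NULL,
                              0,
                              NULL,
                              NULL,
                              &dwFlags,
                              NULL,
                              0)) {
        printf("Volume %s does%s support ACLs.\n",
               szVol,
               (dwFlags & FS_PERSISTENT_ACLS) ? "" : " not");
    } else {
        /* GetLastError returns a DWORD, so print it as unsigned long. */
        printf("Error %lu\n", GetLastError());
        return 1;
    }
    return 0;
}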

Note that you can use share names also, such as \\BlakesLaptop\BabyPictures. For further information, refer to the GetVolumeInformation API in the Platform SDK and at the Microsoft Developer Network (MSDN).

You can also perform a similar task by using Microsoft Visual Basic Scripting Edition (VBScript) or Microsoft JScript. The following sample VBScript code uses FileSystemObject to determine whether a disk drive is using the NTFS file system, which supports ACLs. This code will not work if you attempt to interrogate a file system that does support ACLs but is not NTFS. However, presently NTFS is the only file system supported by Windows that allows ACLs.

' Drive to query
Dim fso, drv
Dim vol: vol = "c:\"
Set fso = CreateObject("Scripting.FileSystemObject")
Set drv = fso.GetDrive(vol)

' FileSystem returns the file system name, such as NTFS or FAT
Dim fsinfo: fsinfo = drv.FileSystem
Dim acls : acls = False
If StrComp(fsinfo, "NTFS", vbTextCompare) = 0 Then acls = True

WScript.Echo(vol & " is " & fsinfo)
WScript.Echo("ACLs supported? " & acls)

Refer to the Windows Script Host documentation for details about FileSystemObject.

Windows NT and later contain two types of ACLs: discretionary access control lists (DACLs) and system access control lists (SACLs). A DACL determines access rights to secured resources. A SACL determines audit policy for secured resources.

Examples of resources that can be secured using DACLs and audited using SACLs include the following:

  • Files and directories

  • File shares (for example, \\BlakesLaptop\BabyPictures)

  • Registry keys

  • Shared memory

  • Job objects

  • Mutexes

  • Named pipes

  • Printers

  • Semaphores

  • Active Directory objects

Each DACL includes zero or more access control entries (ACEs), which I'll define in a moment. A NULL DACL (that is, a current DACL that is set to NULL) means no access control mechanism exists on the resource. NULL DACLs are bad and should never be used because an attacker can set any access policy on the object. I'll cover NULL DACLs later in this chapter.

An ACE includes two major components: an account represented by the account's Security ID (SID) and a description of what that SID can do to the resource in question. As you might know, a SID represents a user, group, or computer. The most famous (some would say infamous) ACE is Everyone (Full Control). Everyone is the account; the SID for Everyone, also called World, is S-1-1-0. Full Control is the degree to which the account can access the resource in question; in this case, the account can do anything to the resource. Believe me, Full Control really does mean anything! Note that an ACE can also be a deny ACE, an ACE that disallows certain access. For example, Everyone (Deny Full Control) means that every account (including you!) will be denied access to the resource. If an attacker can set this ACE on a resource, serious denial of service (DoS) threats exist because no one can access the resource.

Note

The object owner can always get access to the resource, even if the ACL denies him access. All securable objects in Windows have an owner. If you create an object, such as a file, you are the owner. The only exception is an object created by an administrator, in which case all administrators are owners of that object.
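The rules described above (a NULL DACL grants everything, Everyone (Deny Full Control) locks out every account, and the owner can still recover access) can be traced in a small portable C model of a DACL check. This is an added example, not code from the book and not Windows's own access-check routine; it goes slightly further than the text by also covering an empty DACL. It assumes a token that holds only the caller's SID plus Everyone, and the function, type and sample names and the S-1-5-21 SIDs are made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Access-right values as defined in winnt.h. */
#define READ_CONTROL   0x00020000u
#define WRITE_DAC      0x00040000u
#define FILE_READ_DATA 0x00000001u
#define FULL_CONTROL   0x001F01FFu   /* FILE_ALL_ACCESS */
#define SID_EVERYONE   "S-1-1-0"

typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; const char *sid; unsigned mask; } Ace;

/* Assumption: the caller's token holds only its own SID plus Everyone. */
static int sid_matches(const Ace *ace, const char *caller) {
    return !strcmp(ace->sid, caller) || !strcmp(ace->sid, SID_EVERYONE);
}

/* 1 if every bit in `want` is granted. dacl == NULL: NULL DACL; count == 0: empty DACL. */
int access_check(const Ace *dacl, size_t count, const char *owner,
                 const char *caller, unsigned want) {
    unsigned remaining = want;
    if (dacl == NULL) return 1;        /* NULL DACL: nothing is checked */
    if (strcmp(owner, caller) == 0)    /* owner may always read/rewrite the DACL */
        remaining &= ~(READ_CONTROL | WRITE_DAC);
    for (size_t i = 0; i < count && remaining != 0; i++) {
        if (!sid_matches(&dacl[i], caller))
            continue;
        if (dacl[i].type == ACE_DENY && (dacl[i].mask & remaining))
            return 0;                  /* denied before the grant completed */
        if (dacl[i].type == ACE_ALLOW)
            remaining &= ~dacl[i].mask;
    }
    return remaining == 0;
}

/* Constructed sample DACLs and SIDs (the S-1-5-21 values are made up). */
static const Ace everyone_full[] = { { ACE_ALLOW, SID_EVERYONE, FULL_CONTROL } };
static const Ace everyone_deny[] = { { ACE_DENY,  SID_EVERYONE, FULL_CONTROL } };
static const char *OWNER = "S-1-5-21-1-2-3-1001", *OTHER = "S-1-5-21-1-2-3-1002";

int main(void) {
    printf("NULL DACL, other/full:     %d\n", access_check(NULL, 0, OWNER, OTHER, FULL_CONTROL));
    printf("allow all, other/full:     %d\n", access_check(everyone_full, 1, OWNER, OTHER, FULL_CONTROL));
    printf("deny all, owner/read:      %d\n", access_check(everyone_deny, 1, OWNER, OWNER, FILE_READ_DATA));
    printf("deny all, owner/WRITE_DAC: %d\n", access_check(everyone_deny, 1, OWNER, OWNER, WRITE_DAC));
    return 0;
}
```

The last two results show how the owner gets back in: the deny ACE still blocks reading the data, but the owner keeps the right to rewrite the DACL and remove that ACE.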



Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2005
Pages: 153
