ACM (Access Control Model), Security Identifiers (SID), Security Descriptors, ACLs (Access Control Lists), Access Tokens [Reprint]

Source: Internet
Author: User

The explanation in Windows Core Programming did not dispel my doubts, so let the MSDN documentation light the way. For the full details, go to MSDN for a closer look; here I simply describe the model in easy-to-understand language.

The Windows access control model (ACM) is made up of two parts: access tokens and security descriptors.

An access token is the data that the process making the access uses to indicate its identity and privileges.

A security descriptor is the security information attached to the securable object being accessed, such as which users' access requests are allowed and which users or groups are denied which kinds of access.

    • Security Identifiers (SID)

We often hear about SIDs, so what is a SID? As MSDN says, a SID is a unique value of variable length that is used to identify a trustee. A trustee is a user, a group, or a session. So a SID can basically be understood as a user name, a group name, or a session name, except that it is securely verified and never duplicated, which makes it safe and reliable. If we mention the SID of a user named Zhang San, we can read it as "Zhang San (genuine)".

    • Security descriptors

MSDN says that a security descriptor contains the security information that describes a securable object. That statement is quite right, but what exactly does a security descriptor describe?

Security descriptors include:

1. The SID of the owner of the securable object associated with the security descriptor, and the SID of the owner's primary group

2. A DACL (discretionary access control list)

3. A SACL (system access control list)

4. A set of control bits that qualify the meaning of the security descriptor

For items 1, 2 and 3, see the ACL section below for detailed explanations; the DACL and the SACL are each one type of ACL. Item 4 is unknown.

    • ACLs (access control lists)

Terms like "access control list" can be a bit intimidating. In fact, I was quite afraid of them at first, because I used to be put off by computer-theory terminology. Once understood, though, they are quite manageable.

There are two types of ACL, but both share the same basic format: a list made up of list entries, called access control entries (ACEs). The two types of access control list are:

1. DACL (discretionary access control list)

As its name suggests, a DACL is the access control list that states what access everyone else is free to have to the object. What does that mean? Let's look at what a DACL contains; once you see it, it is quite clear.

I believe that after seeing this figure you will understand more than half of it. A DACL is a list, and each list entry (ACE) describes the access control for one SID: whether that SID is denied or allowed and, if allowed, which permissions it is granted. The figure is vivid, but an actual ACE is not a single string. So what is an ACE?

An ACE is actually made up of four parts; the picture above just presents them very vividly.

These four parts are:

1. The SID of the user to whom this ACE applies (Andrew in the figure)

2. The access mask for that user's access rights (read, write, execute)

3. The ACE type. There are three types in total: access-denied ACE, access-allowed ACE, and system-audit ACE. The first two are used in DACLs; the last is used in SACLs.

4. Whether this ACE can be inherited by other securable objects.

So how does a DACL work?

As the figure shows, when a thread accesses a securable object it presents its token (a rather humanized way of putting it; in reality the operating system inspects the thread's access token data structure). The user SID, the SIDs of the groups the user belongs to, and the requested permissions are compared against the corresponding fields of each ACE in the DACL until an ACE explicitly allows the action the thread requires, or an ACE explicitly denies the thread's access request. If the end of the list is reached without either case occurring, access is denied by default. The list is compared sequentially, from beginning to end. If the order of the list changes, the same access request may produce a different result.

For example, if the order of ACE3 and ACE1 is reversed, the request from Thread A is allowed. So the order matters, and a programmer building a DACL for a security descriptor should be careful when adding ACEs through the API. Note that the API functions always add an ACE at the end of the list.
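
The front-to-back comparison described above, as an added example (not code from the original article or from MSDN): a simplified C model, not the Windows API, in which SIDs are plain strings. The contents of ACE1 to ACE3 and Thread A's group memberships are constructed sample data, and `thread_a_allowed` is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not the Windows structures: SIDs are strings, rights are bit flags. */
enum { R_READ = 1, R_WRITE = 2, R_EXECUTE = 4 };
enum ace_type { ACCESS_DENIED, ACCESS_ALLOWED };
struct ace   { enum ace_type type; const char *sid; unsigned mask; };
struct token { const char *sids[4]; size_t nsids; };   /* user SID plus group SIDs */

static int token_has_sid(const struct token *t, const char *sid) {
    for (size_t i = 0; i < t->nsids; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* Walk the DACL front to back. Returns 1 if every requested right is
   allowed before a matching deny ACE is reached, otherwise 0. */
int access_check(const struct token *t, const struct ace *dacl, size_t n, unsigned wanted) {
    unsigned remaining = wanted;
    for (size_t i = 0; i < n && remaining; i++) {
        if (!token_has_sid(t, dacl[i].sid)) continue;   /* ACE names another trustee */
        if (dacl[i].type == ACCESS_DENIED) {
            if (dacl[i].mask & remaining) return 0;     /* explicit deny wins here */
        } else {
            remaining &= ~dacl[i].mask;                 /* explicit allow */
        }
    }
    return remaining == 0;   /* rights still ungranted at the end: default deny */
}

/* Constructed sample data: Thread A runs as Andrew, a member of Group A and Everyone. */
static const struct token thread_a = { { "Andrew", "Group A", "Everyone" }, 3 };
static const struct ace ace1 = { ACCESS_DENIED,  "Andrew",   R_READ | R_WRITE | R_EXECUTE };
static const struct ace ace2 = { ACCESS_ALLOWED, "Group A",  R_WRITE };
static const struct ace ace3 = { ACCESS_ALLOWED, "Everyone", R_READ | R_EXECUTE };

/* Evaluate Thread A against the DACL in its original order or with ACE1 and ACE3 swapped. */
int thread_a_allowed(int swap_ace1_ace3, unsigned wanted) {
    const struct ace original[] = { ace1, ace2, ace3 }, swapped[] = { ace3, ace2, ace1 };
    return access_check(&thread_a, swap_ace1_ace3 ? swapped : original, 3, wanted);
}

int main(void) {
    printf("original order, read: %d\n", thread_a_allowed(0, R_READ));
    printf("ACE1/ACE3 swapped, read: %d\n", thread_a_allowed(1, R_READ));
    return 0;
}
```

With the deny ACE first the read request is refused; with ACE3 moved ahead of it the same request is granted, which is why deny entries belong ahead of the allow entries they are meant to override.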

I have not fully researched ACE inheritance, so it is left aside for now!

2. SACL (system access control list)

What is a SACL? It is essentially an audit center: it lists the types of access request that the system must log. When a user accesses a securable object and the requested access matches an ACE in the SACL, the system logs whether the request was rejected or allowed. MSDN mentions that, in future, warning messages may also be issued about unauthorized user access.

    • Access Tokens

We can understand the access token this way, but let's introduce the complete concept first.

The access token is comprised of 12 items, namely:

    1. The security ID of the current user (described later).
    2. The security IDs of the groups to which the current user belongs.
    3. The security ID of the session currently in effect.
    4. A list of the privileges held by the user (both the user's own and those of the groups it belongs to).
    5. The token owner's security ID.
    6. The security ID of the user's primary group.
    7. The default discretionary access control list (described later).
    8. The source of the access token.
    9. Whether this token is a primary token or an impersonation token.
    10. An optional list indicating which SIDs are restricted by this token.
    11. The level of the current impersonation token.
    12. Other data.

Seeing this many data items, you can tell how much overhead the security measures carry.

An access token describes the security information associated with a process or thread. This information indicates the identity and privileges of the user associated with that process or thread. When the user logs on, the system compares the user's password with the corresponding password in its database; if verification passes, the system generates an access token for the user. Every thread the user subsequently starts inherits this token and uses it to access securable objects. (From Windows Vista onward this works differently: when an administrator logs on, the token the administrator receives and the token given to the processes the administrator starts are not the same. A process's token is filtered, that is, it has reduced privileges. For a process to obtain the administrator's access token (or elevated privileges), it must request it, and the system displays a dialog box asking whether to allow the program to start in this manner.)

Each process has at least one access token, the primary access token. Why "primary"? Because a process may impersonate another user, that is, use another user's token, and that token is an impersonation token. The system uses the primary access token when it checks the process's access to securable objects. The specifics are unknown for the moment.

That is basically a preliminary understanding of the Windows ACM.

