babyachievement / notes

Reading notes

ACL #7

Open babyachievement opened 8 years ago

babyachievement commented 8 years ago


1. What is an ACL

An ACL (access control list) is a list of access control entries (ACEs). Each ACE identifies a trustee and specifies the access rights that are allowed, denied, or audited for that trustee. The security descriptor of every securable object can contain two types of ACL: a DACL and a SACL.

The trustee here can be a user account, a group account, or a logon session. Each ACE identifies its trustee by a SID (security identifier).

A DACL (discretionary access control list) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to decide whether to grant the trustee access. If the securable object has no DACL, the system grants everyone full access. If the object's DACL contains no ACEs, the system denies every request to access the object, because the DACL does not allow any access rights. The system checks each ACE in sequence until it finds one or more ACEs that allow all of the requested access rights, or until any one of the requested access rights is denied:

* An access-denied ACE explicitly denies any of the requested access rights to one of the trustees listed in the thread's access token.
* One or more access-allowed ACEs for trustees listed in the thread's access token explicitly grant all the requested access rights.
* All ACEs have been checked and there is still at least one requested access right that has not been explicitly allowed, in which case, access is implicitly denied.

For Thread A, the system reads ACE 1 and immediately denies access because the access-denied ACE applies to the user in the thread's access token. In this case, the system does not check ACEs 2 and 3. For Thread B, ACE 1 does not apply, so the system proceeds to ACE 2, which allows write access, and ACE 3 which allows read and execute access. Because the system stops checking ACEs when the requested access is explicitly granted or denied, the order of ACEs in a DACL is important. Note that if the ACE order were different in the example, the system might have granted access to Thread A. For system objects, the operating system defines a preferred order of ACEs in a DACL.
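The ordered walk described above, as an added Python simulation that is not part of the original notes or of Microsoft's documentation. The SIDs, the three-ACE DACL and the two thread tokens are constructed to match the Thread A / Thread B story (ACE 1 denies the user, ACE 2 allows write to a group, ACE 3 allows read and execute to Everyone); `Access`, `Ace`, `check_access` and `canonical_order` are names chosen here, and `canonical_order` is a deliberate simplification of the preferred order (explicit deny before explicit allow) rather than the full rule set Windows applies:

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Optional, Sequence, Set, Tuple


class Access(Flag):
    """Toy access-right mask; real Windows ACEs carry a 32-bit ACCESS_MASK."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


@dataclass(frozen=True)
class Ace:
    """One access control entry: allow or deny `rights` for the trustee `sid`."""
    kind: str      # "allow" (access-allowed ACE) or "deny" (access-denied ACE)
    sid: str       # trustee SID; the values used below are constructed placeholders
    rights: Access


def check_access(dacl: Optional[Sequence[Ace]], token_sids: Set[str],
                 requested: Access) -> Tuple[bool, str]:
    """Walk the DACL in order and decide whether `requested` is granted.

    Rules mirrored from the notes above:
      * no DACL at all       -> everyone gets full access
      * DACL with zero ACEs  -> nothing is allowed
      * otherwise ACEs are checked in sequence: a deny ACE for a SID in the
        token that covers any requested right stops the walk with a denial,
        allow ACEs accumulate rights until every requested right is covered,
        and whatever is still uncovered after the last ACE is implicitly denied.
    """
    if dacl is None:
        return True, "no DACL: full access granted to everyone"
    if len(dacl) == 0:
        return False, "empty DACL: no access right is allowed"

    granted = Access(0)
    for index, ace in enumerate(dacl, start=1):
        if ace.sid not in token_sids:
            continue  # this ACE names a trustee that is not in the caller's token
        if ace.kind == "deny":
            if ace.rights & requested:
                return False, f"ACE {index} explicitly denies {ace.rights & requested}"
        elif ace.kind == "allow":
            granted |= ace.rights & requested
            if granted == requested:
                return True, f"all requested rights granted by ACE {index}"
    return False, "implicit deny: not every requested right was explicitly allowed"


def canonical_order(dacl: Sequence[Ace]) -> list:
    """Simplified preferred order: explicit deny ACEs before explicit allow ACEs.

    Inherited ACEs, which the notes do not cover, are not modelled; the sort is
    stable, so ACEs of the same kind keep their relative order.
    """
    return sorted(dacl, key=lambda ace: 0 if ace.kind == "deny" else 1)


# Constructed sample data: two user SIDs, one group SID and the well-known
# Everyone SID (S-1-1-0). The EXAMPLE SIDs are placeholders, not real identifiers.
USER_A, USER_B = "S-1-EXAMPLE-USER-A", "S-1-EXAMPLE-USER-B"
GROUP_1, EVERYONE = "S-1-EXAMPLE-GROUP-1", "S-1-1-0"

# Constructed DACL in the order the notes describe.
DACL = [
    Ace("deny", USER_A, Access.READ | Access.WRITE | Access.EXECUTE),  # ACE 1
    Ace("allow", GROUP_1, Access.WRITE),                               # ACE 2
    Ace("allow", EVERYONE, Access.READ | Access.EXECUTE),              # ACE 3
]
THREAD_A = {USER_A, GROUP_1, EVERYONE}   # token of the user named in ACE 1
THREAD_B = {USER_B, GROUP_1, EVERYONE}   # a different user, same group memberships


if __name__ == "__main__":
    want = Access.READ | Access.WRITE
    print("Thread A:", check_access(DACL, THREAD_A, want))
    print("Thread B:", check_access(DACL, THREAD_B, want))
    # Put the deny ACE last and Thread A slips through: order matters.
    reordered = [DACL[1], DACL[2], DACL[0]]
    print("Thread A, deny last:", check_access(reordered, THREAD_A, want))
    print("Thread A, re-sorted:", check_access(canonical_order(reordered), THREAD_A, want))
```

Running the block prints a denial for Thread A at ACE 1, a grant for Thread B at ACE 3, and then shows that moving the deny ACE to the end lets Thread A collect read and write from the two allow ACEs before the deny is ever reached, which is exactly why a deny-first ordering is the safe default.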

A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both. For more information about SACLs, see Audit Generation and SACL Access Right.

[1] https://msdn.microsoft.com/en-us/library/aa446683