
Access Control: ACL and ACE???
There are countless folders, files and other resources on an operating system. Some you created yourself; others are created and maintained by the operating system or by installed applications. In most corporate environments there is also a shared network location for corporate files and resources. In either case, the sensitivity of what these files contain varies. Some hold benign information that nobody would lose sleep over if anyone read or changed it. Others are safe for anyone to read but would be catastrophic if anyone but a select few modified them. Still others hold information that should only be readable by certain groups or individuals. After all, we can't forget those lovely users who will browse through every single file to see what gossip they can get their hands on, or what they can change. With so many imaginable scenarios, one would hope there was some way to control access to a resource. Fortunately there is: the Access Control List, or ACL.
The Access Control List is the list of security protections applied to a securable object (files and folders are securable objects, and so are registry keys, services, shares and many kernel objects). Every securable object carries a security descriptor, and a security descriptor can hold two kinds of ACL: the Discretionary ACL (DACL), which says who may do what to the object, and the System ACL (SACL), which says which access attempts get recorded in the security event log. Each ACL is a list of Access Control Entries (ACEs), and each ACE names a Trustee (a user or group, identified by its SID). In a DACL an entry either grants (ACCESS_ALLOWED_ACE) or refuses (ACCESS_DENIED_ACE) a set of rights to its trustee; in a SACL the entries (SYSTEM_AUDIT_ACE) say which successful or failed accesses by a trustee should be audited. The process of defining all of these goes far deeper than I am going to go.
What about getting information out of an established ACL, that is, determining who has what access to a resource? Is there any better way to manage resources than actually reviewing and verifying their ACLs? The first thing you need is the resource's DACL. GetNamedSecurityInfo (called with DACL_SECURITY_INFORMATION, plus OWNER_SECURITY_INFORMATION if you also want the owner) returns the object's security descriptor and can hand back a pointer to the DACL directly, and GetSecurityDescriptorDacl pulls the DACL out of a security descriptor and reports whether one is present at all. Check that flag: a missing or NULL DACL does not mean "no access", it means everyone gets full access. Once you have the DACL, loop through its entries (AceCount in the ACL header tells you how many there are, and GetAce returns each one by index). The ACE_HEADER at the start of every entry carries the AceType, which tells you whether it is an allow or a deny entry (ACCESS_ALLOWED_ACE_TYPE or ACCESS_DENIED_ACE_TYPE), the AceFlags, which tell you whether the entry was inherited from a parent and whether it applies to this object or only to its children, and the AceSize you step by to reach the next entry. Every access-allowed or access-denied ACE then has a Mask, an ACCESS_MASK bit field naming the rights the entry grants or denies (object-specific rights such as FILE_READ_DATA and FILE_WRITE_DATA, standard rights such as DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER, and the generic GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE and GENERIC_ALL bits), followed by the trustee's SID. Two things trip people up here. First, the order of the entries matters: ACEs are evaluated from the top, and the first entry that decides a given right wins, which is why Windows keeps DACLs in canonical order with explicit entries before inherited ones and, within each group, deny entries before allow entries. Second, explicit rights are not the same as effective rights. The entries you read out of the DACL are the explicit rights; a particular user's effective rights are what remains after every ACE matching any of that user's SIDs (the user, every group they belong to, and well-known SIDs such as Everyone) has been applied in order, which is what GetEffectiveRightsFromAcl computes. This is all pretty straightforward once you grasp the structure.
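To make the structure concrete, here is an added example (not code from the original post or from BPACLer) that builds a small self-relative security descriptor in the exact byte layout the Win32 API returns, walks its DACL entry by entry through the ACE_HEADER, Mask and SID, and then evaluates the effective rights of two different tokens against it. The descriptor, its SIDs and masks are constructed in-line for illustration so the script runs offline on any platform; on a real system the same bytes come from GetNamedSecurityInfo or GetFileSecurity. The access check is deliberately simplified (it ignores inherit-only entries, the owner's implicit READ_CONTROL and WRITE_DAC, privileges, and generic-right mapping), which is enough to show why a deny entry on Everyone bites Administrators as well.

```python
"""Added example: parse a self-relative Windows security descriptor and evaluate its DACL.

Layout (all little-endian): SECURITY_DESCRIPTOR_RELATIVE header, owner SID, group SID,
then an ACL whose entries each start with an ACE_HEADER (AceType, AceFlags, AceSize)
followed by Mask and SidStart. The sample descriptor below is constructed, not captured.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
INHERIT_ONLY_ACE = 0x08

# File access-mask bits from winnt.h
FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0002, 0x0004
DELETE, WRITE_DAC, WRITE_OWNER = 0x00010000, 0x00040000, 0x00080000
FILE_GENERIC_READ, FILE_GENERIC_EXECUTE = 0x00120089, 0x001200A0
FILE_ALL_ACCESS = 0x001F01FF

# Well-known SIDs: Everyone, BUILTIN\Administrators, BUILTIN\Users, LocalSystem
EVERYONE, ADMINS, USERS, SYSTEM = "S-1-1-0", "S-1-5-32-544", "S-1-5-32-545", "S-1-5-18"


def sid_to_bytes(sid):
    """'S-1-5-32-544' -> Revision, SubAuthorityCount, 48-bit authority (big-endian), subauthorities."""
    s, rev, auth, *subs = sid.split("-")
    assert s == "S" and rev == "1"
    return (struct.pack("<BB", 1, len(subs)) + int(auth).to_bytes(6, "big")
            + b"".join(struct.pack("<I", int(x)) for x in subs))


def sid_from_bytes(buf, off):
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % x for x in subs))


def build_ace(ace_type, mask, sid, flags=0):
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body  # ACE_HEADER, Mask, SidStart


def build_sd(owner, group, aces):
    """Self-relative descriptor: 20-byte header, owner SID, group SID, DACL (no SACL)."""
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    acl_body = b"".join(aces)
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    off_owner, off_group = 20, 20 + len(owner_b)
    off_dacl = off_group + len(group_b)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      off_owner, off_group, 0, off_dacl)
    return hdr + owner_b + group_b + acl


def parse_sd(sd):
    """Return (owner SID, list of ACE dicts). A missing or NULL DACL is returned as None."""
    _rev, _sbz, control, off_owner, _off_group, _off_sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    owner = sid_from_bytes(sd, off_owner) if off_owner else None
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return owner, None  # no DACL: every trustee gets full access
    _acl_rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)  # ACE_HEADER
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            aces.append({"type": ace_type, "flags": ace_flags, "mask": mask,
                         "sid": sid_from_bytes(sd, pos + 8)})
        pos += ace_size  # other ACE types (object, callback, audit) are stepped over by AceSize
    return owner, aces


def effective_access(aces, token_sids):
    """Simplified access check: ACEs apply in order and the first entry that names a bit wins.
    Ignores inherit-only entries, owner/privilege shortcuts and generic-right mapping."""
    if aces is None:
        return FILE_ALL_ACCESS
    granted = denied = 0
    for ace in aces:
        if ace["flags"] & INHERIT_ONLY_ACE or ace["sid"] not in token_sids:
            continue
        if ace["type"] == ACCESS_DENIED_ACE_TYPE:
            denied |= ace["mask"] & ~granted
        else:
            granted |= ace["mask"] & ~denied
    return granted


# Constructed sample DACL in canonical order: explicit deny first, then explicit allows.
SAMPLE_SD = build_sd(ADMINS, SYSTEM, [
    build_ace(ACCESS_DENIED_ACE_TYPE,
              FILE_WRITE_DATA | FILE_APPEND_DATA | DELETE | WRITE_DAC | WRITE_OWNER, EVERYONE),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FILE_ALL_ACCESS, ADMINS),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, USERS),
])

if __name__ == "__main__":
    owner, aces = parse_sd(SAMPLE_SD)
    print("Owner:", owner)
    for ace in aces:  # the explicit entries, as the Security tab would list them
        print("%-5s %-14s mask=0x%08X" % ("DENY" if ace["type"] else "ALLOW", ace["sid"], ace["mask"]))
    for name, sids in (("user", {USERS, EVERYONE}), ("admin", {ADMINS, EVERYONE})):
        print("effective for %-5s: 0x%08X" % (name, effective_access(aces, sids)))
```

Running it prints the three explicit entries and then the effective masks: the Users member ends up with exactly the read and execute bits, and the Administrators member, despite an allow for FILE_ALL_ACCESS, loses the write, delete, WRITE_DAC and WRITE_OWNER bits because the deny on Everyone matches one of their token SIDs first. Swap the first two ACEs and the administrator gets everything back, which is the whole reason the canonical order exists.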

When it comes to systems I am definitely the inquisitive type. I often find myself in a position where I need or want to audit a file or folder's effective ACL information, and I never really found a quick way to do this. I usually resort to selecting a file or folder, opening the Security tab of the Properties dialog and scrolling through each Trustee listed. A quick look at this process and I don't think it can get any more tedious or time consuming. Fortunately, there was a cold and rainy day available for me to think about this and review ACL security and structure. The result: a tool that significantly eases the process.
BPACLer is a utility that lists the entries in a file or folder's access control list. The OWNER information is also listed on the ACE display. Try it out, and if there is anything that you think would be a nice addition or change to the utility, please let me know.
The information in this posting is not intended to guide you through, or fully explain, security at any level. It is merely intended as a superficial exposure to Windows Access Control. Dig deep enough and you'll find a number of in-depth resources on resource security and design.
Labels: Apps, Information, Tech