Chapter 42. What Is a Security Descriptor?

Each object protected by the Windows discretionary access control system must have some state associated with it to track its security settings. This little bundle of state is often referred to as a “security descriptor.” Logically, here's what that state must contain:

Owner SID (Item 41)
Group SID
DACL: Discretionary Access Control List (Item 43)
SACL: System Access Control List (Item 43)
Control flags

Windows doesn't document how this little bundle of state is physically stored for each type of object, but we do know that there's no global repository. So the security settings for a file, for example, will be stored as metadata somewhere in the file system (NTFS). The registry also must have some metadata ...

Get The .NET Developer's Guide to Windows Security now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

The .NET Developer's Guide to Windows Security by

Chapter 42. What Is a Security Descriptor?

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly