The Windows Security Journey — ACL (Access Control List)

Shlomi Boutnaru, Ph.D.
Sep 20, 2023


ACL (Access Control List) is a list of ACEs (Access Control Entries). Every ACE identifies a trustee (user account/group/logon session) and the relevant allowed/denied/audited access for that trustee (https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists).

Overall, there are two types of ACLs in use on Windows systems: the DACL, aka “Discretionary Access Control List”, and the SACL, aka “System Access Control List” (https://www.securew2.com/blog/windows-access-control-acl-dacl-sacl-ace). More information about those types will follow in future writeups. Both types of ACLs are part of the security information stored in the “Security Descriptor” (https://medium.com/@boutnaru/windows-security-security-descriptor-sd-ba95b8fa048a) associated with securable objects (https://medium.com/@boutnaru/windows-securable-objects-311a9d6c83ad) — as shown in the diagram below.

Moreover, every ACE has four main components. First, the SID (https://medium.com/@boutnaru/windows-security-sid-security-identifier-d5a27567d4e5) to which the access information in this ACE applies. Second, a field denoting the type of ACE (deny/allow/audit). Third, flags controlling the inheritance of the specific ACE. Fourth, an access mask, a 32-bit value that describes the rights covered by this ACE (https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces).
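To make the four ACE components concrete, here is an added example (not code from the writeup) that builds a small binary DACL from a constructed sample and parses it back into the ACE type, inheritance flags, 32-bit access mask and SID. The helper names (`build_ace`, `parse_acl`, etc.) and the two-letter flag abbreviations are my own choices; the byte layouts follow the documented ACL, ACE_HEADER and SID structures.

```python
import struct

# ACE type byte (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE)
ACE_TYPES = {0x00: "ALLOW", 0x01: "DENY", 0x02: "AUDIT"}
# AceFlags byte: inheritance bits plus the two audit bits (abbreviations are mine, SDDL-style)
ACE_FLAGS = {0x01: "OI", 0x02: "CI", 0x04: "NP", 0x08: "IO", 0x10: "ID", 0x40: "SA", 0x80: "FA"}


def sid_from_string(s):
    """Encode 'S-1-5-32-544' as binary: revision, sub-authority count, 48-bit authority, sub-authorities."""
    parts = s.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(x) for x in parts[3:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + b"".join(struct.pack("<I", x) for x in subs)


def sid_to_string(buf):
    """Decode a binary SID; returns (string form, bytes consumed)."""
    rev, count = buf[0], buf[1]
    auth = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack("<%dI" % count, buf[8:8 + 4 * count])
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % x for x in subs), 8 + 4 * count


def build_ace(ace_type, flags, mask, sid_str):
    """ACE_HEADER (type, flags, size) + 32-bit access mask + SID."""
    sid = sid_from_string(sid_str)
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid


def build_acl(aces):
    """ACL header (revision 2, AclSize, AceCount) followed by the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def parse_acl(buf):
    """Walk the ACL and return one dict per ACE with its four components."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, 0)
    off, out = 8, []
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, off)
        sid, _ = sid_to_string(buf[off + 8:off + ace_size])
        out.append({"type": ACE_TYPES.get(ace_type, hex(ace_type)),
                    "flags": [n for bit, n in ACE_FLAGS.items() if flags & bit],
                    "mask": mask, "sid": sid})
        off += ace_size  # AceSize lets a parser skip ACE types it does not understand
    return out


# Constructed sample DACL: deny DELETE (0x10000) to Everyone, then allow GENERIC_ALL
# (0x10000000) to BUILTIN\Administrators with OI|CI inheritance. Explicit deny
# ACEs precede explicit allow ACEs, which is the canonical ordering.
SAMPLE_DACL = build_acl([build_ace(0x01, 0x00, 0x00010000, "S-1-1-0"),
                         build_ace(0x00, 0x03, 0x10000000, "S-1-5-32-544")])

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_DACL):
        print(ace)
```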

Lastly, because there are both a DACL and a SACL, the plain term ACE usually refers to an entry in the DACL, while System ACE refers to an entry in the SACL. See you next time ;-) You can also follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru.

https://developer.aliyun.com/article/747446
