The Windows Security Journey — DACL (Discretionary Access Control List)

Shlomi Boutnaru, Ph.D.
2 min read · Sep 29, 2023

--

In general, a DACL (Discretionary Access Control List) is an ACL (https://medium.com/@boutnaru/the-windows-security-journey-acl-access-control-list-b7d9a6fe4282) that identifies the trustees that are allowed or denied access to a securable object (https://medium.com/@boutnaru/windows-securable-objects-311a9d6c83ad).

Thus, if the securable object has no DACL at all (a NULL DACL), the SRM (https://medium.com/@boutnaru/windows-security-srm-security-reference-monitor-d715f96d9fd6) grants everyone full access to it. If the DACL exists but is empty (it contains no ACEs), no one has any access to the object (https://learn.microsoft.com/en-us/windows/win32/secauthz/dacls-and-aces).

Moreover, when a thread tries to access a securable object, the system goes over the ACEs in the DACL until it finds one that allows or denies the access (think about it like firewall rules). The predefined order of ACEs is as follows: all explicit ACEs come before inherited ACEs, and the inherited ones are placed in the order in which they are inherited. By the way, at every level the access-denied ACEs are placed before the access-allowed ACEs (https://www.tenouk.com/ModuleH2.html).
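The rules above (NULL vs. empty DACL, explicit-before-inherited and deny-before-allow ordering, and the walk that stops at the first decisive ACE) as a small Python model. This is an added illustration, not code from the original post or from Windows itself; the rights constants, the `Ace` class and the sample DACL are constructed for the example.

```python
# Added illustration, not from the original post: a simplified model of how the
# SRM walks a DACL. It simulates the documented rules; it is not Windows code.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4   # constructed, simplified access mask


@dataclass
class Ace:
    kind: str               # "allow" or "deny"
    trustee: str            # SID / group name the ACE applies to (constructed)
    mask: int               # access rights covered by this ACE
    inherited: bool = False


def canonical_order(aces):
    # Explicit ACEs precede inherited ones; at each level deny precedes allow.
    # sorted() is stable, so inherited ACEs keep the order they were inherited in.
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(dacl, token, requested):
    """dacl: None (NULL DACL), [] (empty DACL) or a list of Ace in list order.
    token: the set of SIDs / groups held by the thread's access token.
    Windows does not re-sort at check time; it relies on the DACL being in
    canonical order already, which is why the order matters (see tests)."""
    if dacl is None:        # NULL DACL: no protection, everyone gets full access
        return True
    if not dacl:            # empty DACL: no ACE can grant anything
        return False
    remaining = requested
    for ace in dacl:
        if ace.trustee not in token:
            continue        # ACE is about someone else, skip it
        if ace.kind == "deny" and ace.mask & remaining:
            return False    # a matching deny for a still-needed right ends the walk
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True # every requested right has been granted
    return False            # some right was never granted: implicit deny


# Constructed sample: an inherited allow for Users and an explicit deny for Bob,
# deliberately listed in the wrong (non-canonical) order.
SAMPLE_DACL = [
    Ace("allow", "Users", READ | WRITE, inherited=True),
    Ace("deny", "Bob", WRITE),
]
```

Walking `SAMPLE_DACL` as listed lets Bob write (the inherited allow is reached first); after `canonical_order` the explicit deny is evaluated first and Bob is refused, which is exactly why the ordering rule exists.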

Lastly, to configure a DACL using the UI we just go to the properties of the object and select the “Security” tab; there we can edit the DACL of that specific object, as shown in the screenshot below. We can also use CLI tools like cacls.exe/icacls.exe (but that is for a different writeup). See you next time ;-) You can also follow me on twitter — @boutnaru (https://twitter.com/boutnaru).
