The Windows Security Journey — SACL (System Access Control List)

Shlomi Boutnaru, Ph.D.
Sep 26, 2023


Overall, a SACL (System Access Control List) is an ACL (https://medium.com/@boutnaru/the-windows-security-journey-acl-access-control-list-b7d9a6fe4282) that enables the administrators of a system to audit attempts to access securable objects (https://medium.com/@boutnaru/windows-securable-objects-311a9d6c83ad). Each ACE (Access Control Entry) in a SACL defines the type of access attempt by a trustee that causes the system to generate an audit record (https://learn.microsoft.com/en-us/windows/win32/secauthz/access-control-lists).

Thus, an ACE that is part of a SACL can emit an audit record when an access attempt fails, when it succeeds, or in both cases. The system writes these audit messages to the Security event log (https://learn.microsoft.com/en-us/windows/win32/secauthz/audit-generation). In order to read or write an object’s SACL, the calling thread/process must have the “SE_SECURITY_NAME” privilege (https://medium.com/@boutnaru/windows-security-privileges-b8fe18cf3d5a) enabled in its access token (https://medium.com/@boutnaru/windows-security-access-token-81cd00000c64).

Moreover, the “SE_SECURITY_NAME” privilege is described as “Manage auditing and security log” (https://jeffpar.github.io/kbarchive/kb/188/Q188855/). We can use “SetNamedSecurityInfoA”/“SetNamedSecurityInfoW” (https://learn.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-setnamedsecurityinfow) or “GetNamedSecurityInfoA”/“GetNamedSecurityInfoW” in order to access the SACL. These functions enable the “SE_SECURITY_NAME” privilege themselves when SACL information is requested.

Lastly, in order to configure a SACL on a securable object such as a file or directory, we open its properties and go to the “Security” tab. In the “Security” tab we press the “Advanced” button (as shown in the screenshot below). In the advanced security settings we then go to the “Auditing” tab (also shown in the screenshot below), where the audit entries that make up the SACL are listed and edited.
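The same configuration done from PowerShell instead of the properties dialog, as an added example that is not part of the original post: it requests the SACL with Get-Acl -Audit (the part that needs SE_SECURITY_NAME), adds a failure-audit ACE, writes it back, and shows where the resulting records appear. The directory path is a constructed sample and the session is assumed to be elevated.

```powershell
# Assumed sample location; any file or directory works.
$Path = 'C:\Temp\SaclDemo'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# -Audit makes Get-Acl request SACL_SECURITY_INFORMATION, which requires the
# SE_SECURITY_NAME privilege (held by Administrators in an elevated session).
# Without -Audit only the owner/DACL are returned and the SACL is not touched.
$acl = Get-Acl -Path $Path -Audit

# Audit ACE: record *failed* write/delete attempts by any trustee (Everyone)
# on this directory and everything beneath it (ContainerInherit, ObjectInherit).
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Failure')
$acl.AddAuditRule($rule)

# Set-Acl writes the SACL because the ACL object now carries audit rules.
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back and list every audit ACE: who, which rights, Success/Failure.
(Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# A SACL only produces events if object-access auditing is turned on for the
# "File System" subcategory; check it with auditpol before expecting records.
auditpol /get /subcategory:"File System"

# Matching audit records are written to the Security log as event ID 4663
# ("An attempt was made to access an object").
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```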

See you next time ;-) You can also follow me on twitter — @boutnaru (https://twitter.com/boutnaru).
