DACL Overview
Within the Windows security ecosystem, tokens
identify the security context of a process or a thread and security descriptors
contain the security information associated with an object. To achieve Confidentiality
, many operating systems and directory services utilize access control lists
(ACLs
): a mechanism that implements access control for a system resource by enumerating the system entities that are permitted to access the resource and stating, either implicitly or explicitly, the access modes granted to each entity.
Access control policies dictate what types of access are permitted, under what circumstances, and by whom. The four general categories of access control policies are:
DAC - Discretionary access control: controls access based on the requestor's identity and access rules stating what requestors are allowed to do. It is discretionary because an entity might have access rights that permit it, by its own volition, to enable another entity to access some resource
MAC - Mandatory access control: the entity having access to a resource may not, just by its own volition, enable another entity to access that resource
RBAC - Role-based access control
ABAC - Attribute-based access control
Windows is an example of a DAC
operating system, which utilizes Discretionary access control lists or DACLs. witch are part of the bigger picture of security descriptors.
Security Descriptors
In Windows, every object (also known as securable objects) has a security descriptor data structure that specifies who can perform what actions on the object.
Only four of the seven members of the SECURITY_DESCRIPTOR
struct matter to us for the exploitation of DACLs.
The security descriptor
is a binary data structure that can contain six main fields:
Revision Number: the SRM (Security Reference Monitor) version of the security model used to create the descriptor
Control Flags: optional modifiers that define the behavior/characteristics of the security descriptor
Owner SID: the object's owner SID
Group SID: the object's primary group SID - only the Windows POSIX subsystem utilized this member (before being discontinued), and most AD environments now ignore it
Discretionary access control list: specifies who has what access to the object - throughout the
DACL Attacks
mini-modules, our primary focus will be abusing and attacking theseSystem access control list or SACL: specifies which operations by which users should be logged in the security audit log and the explicit integrity level of an object
We are interested in the Control, Owner, Sacl and Dacl fields.
A security descriptor
can be one of two forms:
absolute security descriptors: contain pointers to the information, as in the
SECURITY_DESCRIPTOR
struct above, and these are the ones that we will encounter when interacting with Windows objects, whether AD ones or not
Self-relative security descriptors are not very different: instead of storing pointers, they store the actual data of a security descriptor in a contiguous memory block -these are meant to store a security descriptor on a disk or transmit it over the wire
Control Field
The Control member is of type SECURITY_DESCRIPTOR_CONTROL, a 16-bit set of bit flags that qualify the meaning of a security descriptor or its components. The value of Control, when retrieved with the function GetSecurityDescriptorControl, can include a combination of 13 bits flags:
These binary flags can be added to represent any combinations - for example, if the value of Control
is 0x8014
, it signifies the presence of the SE_DACL_PRESENT
, SE_SACL_PRESENT
, and SE_SELF_RELATIVE
flags.
Owner Field
The Owner and Group members contain a pointer to the Security Identifier of the object's owner and primary group, respectively. Object owners are always granted full control of the security descriptor, as they are granted the access rights RIGHT_WRITE_DAC
(WriteDacl) and RIGHT_READ_CONTROL
(ReadControl) implicitly.
SACL and DACL Fields
In Windows, SACL
(System access control list
) and DACL
(Discretionary access control lists
) are the two types of access control lists
(ACLs
), each consisting of a header
and zero or more access control entries
(ACEs
). (Throughout security literature, when the term ACL
is used, it usually refers to DACL
, especially for Windows systems.)
A SACL contains ACEs
that dictate the types of access attempts that generate audit records in the security event log
of a domain controller; therefore, a SACL
allows administrators to log access attempts to securable objects
. There are two types of ACEs
within a SACL
, system audit
ACEs
and system audit-object
ACEs
.
While a DACL
holds ACEs
that dictate what principals have control rights over a specific object. Internally within Windows, a DACL
consists of an ACL followed by an ordered list of zero or more ACEs
(the same applies to SACLs
). Below is the struct definition of an ACL
(recognizing these struct definitions will help us later on when viewing a security descriptor
from the kernel's point of view):
Generic and Object-specific ACEs
An ACE contains a set of user rights and a SID that identifies a principal for whom the rights are allowed, denied, or audited
In a DACL, there can be nine types of ACEs, each having the struct ACE_HEADER
as a member, in addition to the Mask member (which is of type ACCESS_MASK and defines the standard, specific, and generic rights) and SidStart
(which holds the first 32 bits of the trustee's SID
):
but the most important are the following
Some ACEs include the keyword Object
, these are object-specific ACEs used only within Active Directory. In addition to the members of generic ACEs structure, object-specific ACEs contain the members:
ObjectType
: AGUID
containing a type of child object, a property set or property, an extended right, or a validated writeInheritedObjectType
: Specifies the type of child object that can inherit the ACEFlags
: Indicates whether the membersObjectType
andInheritedObjectType
are present via a set of bit flags
Interpret Access Masks
We mentioned that all ACE data structures (such as ACCESS_ALLOWED_ACE) contain the Mask
member, which is of type ACCESS_MASK
: a 32-bit value that specifies the allowed or denied rights to manipulate an object
How do we interpret access masks and their bits?
Generic access rights bits
Standard Access Rights Bits
Object-specific Access Rights Bits
Extended (Object-specific) Access Rights
Validated Writes
Last updated