This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] ([SDDL]) defines the [string] format that is used to describe a [Security Descriptor] as a single sequence of characters. The format can be [ANSI] or [Unicode]; the actual [protocol] [MUST] specify the character set that is used. Regardless of the character set used, the characters that can be used are alphanumeric and punctuation. The format for an SDDL [string] is described by the following [ABNF] (as specified in [RFC 5234]) grammar, where the elements are:
%%prettify
{{{
sddl = [owner-string] [group-string] [dacl-string] [sacl-string]
owner-string = "O:" sid-string
group-string = "G:" sid-string
dacl-string = "D:" [acl-flag-string] [aces]
sacl-string = "S:" [acl-flag-string] [aces]
sid-string = sid-token / sid-value
sid-value = SID ; defined in section 2.4.2.1
sid-token = "DA" / "DG" / "DU" / "ED" / "DD" / "DC" / "BA" / "BG" / "BU" /
            "LA" / "LG" / "AO" / "BO" / "PO" / "SO" / "AU" / "PS" / "PU" /
            "WD" / "RE" / "IU" / "NU" / "SU" / "RC" / "WR" / "RS" / "EA" /
            "PA" / "RU" / "LS" / "NS" / "RD" / "NO" / "CY" / "OW" / "ER" /
            "RO" / "CD" / "AC" / "RA" / "ES" / "CN" / "AA" / "RM" / "LW" /
            "ME" / "MP" / "HI" / "SI" / "CO" / "AN" / "MU" / "MS" / "CG" /
            "SY" / "SA" / "CA" / "LU" / "IS" / "UD" / "HA"
acl-flag-string = *acl-flag
acl-flag = "P" / "AR" / "AI"
aces = *(ace / conditional-ace / resource-attribute-ace)
ace = "(" ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ")"
ace-type = "A" / "D" / "OA" / "OD" / "AU" / "OU" / "ML" / "SP"
conditional-ace = "(" conditional-ace-type ";" [ace-flag-string] ";" ace-rights ";" [object-guid] ";" [inherit-object-guid] ";" sid-string ";" "(" cond-expr ")" ")"
conditional-ace-type = "XA" / "XD" / "ZA" / "XU"
central-policy-ace = "(" "SP" ";" [ace-flag-string] ";;;;" capid-value-sid ")"
capid-value-sid = "S-1-17-" 1*SubAuthority ; SubAuthority defined in section 2.4.2.1
resource-attribute-ace = "(" "RA" ";" [ace-flag-string] ";;;;" ( "WD" / "S-1-1-0" ) ";(" attribute-data "))"
attribute-data = DQUOTE 1*attr-char2 DQUOTE "," ( TI-attr / TU-attr / TS-attr / TD-attr / TX-attr / TB-attr )
TI-attr = "TI" "," attr-flags *("," int-64)
TU-attr = "TU" "," attr-flags *("," uint-64)
TS-attr = "TS" "," attr-flags *("," char-string)
TD-attr = "TD" "," attr-flags *("," sid-string)
TX-attr = "TX" "," attr-flags *("," octet-string)
TB-attr = "TB" "," attr-flags *("," ( "0" / "1" ) )
attr-flags = "0x" ( [*4HEXDIG "00"] sys-attr-flags / *"0" sys-attr-flags / *"0" HEXDIG )
sys-attr-flags = ( "0" / "1" /
ace-flag-string = ace-flag ace-flag-string / ""
ace-flag = "CI" / "OI" / "NP" / "IO" / "ID" / "SA" / "FA"
ace-rights = (*text-rights-string) / ("0x" 1*8HEXDIG) / ("0" 1*%x30-37) / (1*DIGIT)
            ; numeric values must fit within 64 bits
text-rights-string = generic-rights-string / standard-rights-string / object-specific-rights-string
generic-rights-string = generic-right / generic-rights-string / ""
generic-right = "GA" / "GW" / "GR" / "GX"
standard-rights-string = standard-right / standard-rights-string / ""
standard-right = "WO" / "WD" / "RC" / "SD"
object-specific-rights-string = object-specific-right / object-specific-rights-string / ""
object-specific-right = <any object-specific right, for objects like files, registry keys, directory objects, and others>
guid = "" / 8HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 4HEXDIG "-" 12HEXDIG
     ; The second option is the GUID of the object in the form
     ; "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" where each "X" is a hex digit
object-guid = guid
inherit-object-guid = guid
wspace = 1*(%x09-0D / %x20)
term = [wspace] (memberof-op / exists-op / rel-op / contains-op / anyof-op / attr-name / rel-op2) [wspace]
cond-expr = term / term [wspace] ("||" / "&&") [wspace] cond-expr / (["!"] [wspace] "(" cond-expr ")")
memberof-op = ( "Member_of" / "Not_Member_of" / "Member_of_Any" / "Not_Member_of_Any" / "Device_Member_of" / "Device_Member_of_Any" / "Not_Device_Member_of" / "Not_Device_Member_of_Any" ) wspace sid-array
exists-op = ( "Exists" / "Not_exists" ) wspace attr-name
rel-op = attr-name [wspace] ("<" / "<=" / ">" / ">=") [wspace] (attr-name2 / value) ; only scalars
rel-op2 = attr-name [wspace] ("==" / "!=") [wspace] (attr-name2 / value-array) ; scalar or list
contains-op = attr-name wspace ("Contains" / "Not_Contains") wspace (attr-name2 / value-array)
anyof-op = attr-name wspace ("Any_of" / "Not_Any_of") wspace (attr-name2 / value-array)
attr-name1 = attr-char1 *(attr-char1 / "@") ; old simple name
attr-char1 = 1*(ALPHA / DIGIT / ":" / "." / "/" / "_")
attr-name2 = ("@user." / "@device." / "@resource.") 1*attr-char2 ; new prefixed name form
attr-char2 = attr-char1 / lit-char
attr-name = attr-name1 / attr-name2 ; either name form
sid-array = literal-SID [wspace] / "{" [wspace] literal-SID [wspace] *( "," [wspace] literal-SID [wspace] ) "}"
literal-SID = "SID(" sid-string ")"
value-array = value [wspace] / "{" [wspace] value [wspace] *( "," [wspace] value [wspace] ) "}"
value = int-64 / char-string / octet-string
int-64 = ["+" / "-"] ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT
       ; values must fit within 64 bits in two's complement form
uint-64 = ("0x" 1*HEXDIG) / ("0" 1*%x30-37) / 1*DIGIT ; values must fit within 64 bits
char-string = DQUOTE *(CHAR) DQUOTE
octet-string = "#" *(2HEXDIG)
lit-char = "#" / "$" / "'" / "*" / "+" / "-" / "." / "/" / ":" / ";" / "?" / "@" / "[" / "\" / "]" / "^" / "_" / "`" / "{" / "}" / "~" / %x0080-FFFF / ( "%" 4HEXDIG )
         ; 4HEXDIG can have any value except 0000 (NULL)
}}}
/%
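As an added example (not part of the original page or of any Microsoft SDDL tooling), the following Python walks an SDDL string along the rules above: it splits the O:/G:/D:/S: sections, breaks each plain ace into its six ";"-separated fields, checks the sid-string, and turns ace-rights into an access mask. The sample string, the mask bits chosen for the generic-right and standard-right tokens, and the decision to reject conditional-ace and resource-attribute-ace forms are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample (not from the page): protected, auto-inherited DACL plus one audit ACE.
SAMPLE_SDDL = "O:BAG:SYD:PAI(A;OICI;GA;;;BA)(D;;0x1200a9;;;S-1-5-21-1-2-3-1001)S:(AU;SA;GA;;;WD)"

Ace = namedtuple("Ace", "ace_type flags rights object_guid inherit_guid sid")
_ACE_RE = re.compile(r"\(([^()]*)\)")                    # plain ace: no nested "("
_SID_RE = re.compile(r"^(?:[A-Z]{2}|S-1-\d+(?:-\d+)+)$")  # sid-token / sid-value
# generic-right and standard-right tokens from the grammar, with assumed mask bits
_RIGHT_BITS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
               "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000}

def split_sections(sddl):
    # Cut into the O:/G:/D:/S: parts. A marker counts only at parenthesis depth 0
    # and only when followed by ":", so a SID inside an ACE never opens a section.
    out, cur, depth, start = {}, None, 0, 0
    for i, ch in enumerate(sddl):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            if cur: out[cur] = sddl[start:i]
            cur, start = ch, i + 2
    if cur: out[cur] = sddl[start:]
    return out

def parse_acl(body):
    # "[acl-flag-string][aces]" -> (flags, [Ace]). Conditional and resource-attribute
    # ACEs carry nested parentheses and are rejected rather than silently mis-read.
    first = body.find("(")
    if first < 0:
        return body, []
    flags, rest = body[:first], body[first:]
    if _ACE_RE.sub("", rest):                # anything left outside "(...)" is junk
        raise ValueError(f"unsupported or malformed ACE list: {rest!r}")
    parts = [t.split(";") for t in _ACE_RE.findall(rest)]   # type;flags;rights;guid;guid;sid
    if any(len(p) != 6 or not _SID_RE.match(p[5]) for p in parts):
        raise ValueError(f"ACE with wrong field count or bad SID in {rest!r}")
    return flags, [Ace(*p) for p in parts]

def rights_mask(rights):
    # ace-rights -> access mask: "0x" hex form, or concatenated two-letter tokens.
    if rights[:2].lower() == "0x":
        return int(rights, 16)
    mask = 0
    for tok in (rights[i:i + 2] for i in range(0, len(rights), 2)):
        if tok not in _RIGHT_BITS:           # object-specific rights (FA, CC ...) not mapped
            raise ValueError(f"unknown rights token {tok!r}")
        mask |= _RIGHT_BITS[tok]
    return mask
```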
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Security Descriptor Definition Language|https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/security-descriptor-definition-language|target='_blank'] - based on information obtained 2018-10-05-
* [#2] - [Security_Descriptor_Definition_Language|Wikipedia:Security_Descriptor_Definition_Language|target='_blank'] - based on information obtained 2018-10-05-