Overview#Security Descriptor (NT-Sec-Desc or nTSecurityDescriptor) is component of the Access Control Model-Microsoft Windows that contains security information specified when it is created, or default security information if none is specified.
Security Descriptor is on every Securable object and is pre-defined for the Object type or it can be modified ONLY after creation.
Security Descriptor is not, however, convenient for use in tools that operate primarily on text strings. Therefore, a text-based form of the Security Descriptor is available for situations when a Security Descriptor must be carried by a text method. This format is the Security Descriptor Description Language (SDDL)
Security Descriptor components#A security descriptor includes information that specifies the following components of an object's security:
- OWNER_SECURITY_INFORMATION (OSI) 0x1 which is the Security Identifier (SID)
- GROUP_SECURITY_INFORMATION (GSI) 0x2 which is the PrimaryGroupID SID
- DACL_SECURITY_INFORMATION (DSI) 0x4 which is the Discretionary Access Control List (DACL)
- SACL_SECURITY_INFORMATION (SSI) 0x8 which is the System Access Control List (SACL)
- Qualifiers for the preceding items
An ACL contains a list of Access Control Entry (ACEs). Each Access Control Entry specifies a set of access permissions and contains a Security Identifier (SID) that identifies a trustee for whom the permissions are allowed, denied, or audited. A trustee can be a user account, group account, or logon session.
More Information#There might be more information for this subject on one of the following:
- Access Control Entry
- Access Control List
- Access Control Model-Microsoft Windows
- Discretionary Access Control List
- MS Access Mask
- Relative IDentifier
- Securable object
- Security Descriptor Description Language
- Security Reference Monitor
- System Access Control List