Overview#Security Descriptor (NT-Sec-Desc or nTSecurityDescriptor) is a component of the Access Control Model-Microsoft Windows that holds the security information specified when an object is created, or default security information if none is specified.
A Security Descriptor can be modified after the object has been created.
The Security Descriptor structure is a compact binary representation of the security associated with an object, whether that object lives in Microsoft Active Directory (where it is stored in the nTSecurityDescriptor attribute), on a Microsoft Windows file system, or in another data store.
The binary Security Descriptor is not, however, convenient for tools that operate primarily on text strings. Therefore a text-based form is available for situations in which a Security Descriptor must be carried as text. This format is the Security Descriptor Description Language (SDDL).
Security Descriptor components#A security descriptor includes information that specifies the following components of an object's security:
- Owner: the Security Identifier (SID) of the object's owner, selected with OWNER_SECURITY_INFORMATION (OSI) 0x1
- Primary group: the SID of the object's primary group, selected with GROUP_SECURITY_INFORMATION (GSI) 0x2
- Discretionary Access Control List (DACL): which trustees are allowed or denied which access, selected with DACL_SECURITY_INFORMATION (DSI) 0x4
- System Access Control List (SACL): which access attempts are audited, selected with SACL_SECURITY_INFORMATION (SSI) 0x8
- Control bits that qualify the preceding items, for example whether a DACL or SACL is present, whether the DACL is protected from inheritance, and whether the descriptor is stored in self-relative (offset-based) rather than absolute (pointer-based) form
The four hexadecimal values are SECURITY_INFORMATION flags. They are not stored in the descriptor itself; a caller passes them to say which parts of the descriptor it wants to read or write, and a caller that lacks the SeSecurityPrivilege right can usually read and write everything except the SACL.
An ACL contains a list of Access Control Entries (ACEs). Each ACE specifies a set of access permissions (an access mask) and contains the Security Identifier (SID) of the trustee for whom those permissions are allowed, denied, or audited. A trustee can be a user account, a group account, or a logon session. Two cases are easy to confuse: a DACL that is absent (the present bit is clear) means no DACL was supplied and default security applies, whereas a DACL that is present but NULL grants full access to everyone.
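The binary layout and SDDL text form described above, as an added example that is not from the original page: a small Python parser for a self-relative security descriptor that walks the 20-byte header, the owner and group SIDs, and the DACL's ACEs, renders the result as an SDDL string, and checks the DACL for canonical ACE order. The sample descriptors are constructed inline by helper builders (also added here, not a Windows API); the SIDs used are the well-known Everyone, Authenticated Users, SYSTEM and BUILTIN\Administrators SIDs, and the access masks are the NTFS full-control, generic-read and DELETE values. The second sample shows the NULL-DACL case, which SDDL spells NO_ACCESS_CONTROL.

```python
import struct

# Control bits ("qualifiers") carried in the SECURITY_DESCRIPTOR header.
SE_DACL_PRESENT, SE_SACL_PRESENT = 0x0004, 0x0010
SE_DACL_PROTECTED, SE_SELF_RELATIVE = 0x1000, 0x8000
# ACE header types and the inheritance flags that SDDL can express.
ACE_TYPES = {0x00: "A", 0x01: "D", 0x02: "AU"}          # allow, deny, system audit
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
ACE_INHERITED = 0x10

def parse_sid(buf, off):
    """Binary SID -> 'S-R-I-S-...'. The 48-bit identifier authority is big-endian,
    the 32-bit sub-authorities are little-endian."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_acl(buf, off):
    """ACL header (Revision, Sbz1, AclSize, AceCount, Sbz2) followed by AceCount ACEs."""
    _, _, _, count, _ = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        atype, aflags, asize = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        aces.append({"type": atype, "flags": aflags, "mask": mask, "sid": parse_sid(buf, pos + 8)})
        pos += asize                          # AceSize, not the SID length, advances the cursor
    return aces

def parse_sd(buf):
    """Self-relative SECURITY_DESCRIPTOR: a 20-byte header holding offsets into buf."""
    rev, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("expected a revision-1 self-relative security descriptor")
    sd = {"control": control,
          "owner": parse_sid(buf, o_owner) if o_owner else None,
          "group": parse_sid(buf, o_group) if o_group else None,
          "dacl_present": bool(control & SE_DACL_PRESENT),
          "sacl_present": bool(control & SE_SACL_PRESENT)}
    # SE_DACL_PRESENT set with offset 0 is a NULL DACL (everyone gets full access);
    # that differs from the bit being clear, which means no DACL was supplied at all.
    sd["dacl"] = parse_acl(buf, o_dacl) if sd["dacl_present"] and o_dacl else None
    sd["sacl"] = parse_acl(buf, o_sacl) if sd["sacl_present"] and o_sacl else None
    return sd

def ace_to_sddl(ace):
    flags = "".join(name for bit, name in ACE_FLAGS if ace["flags"] & bit)
    return "(%s;%s;0x%x;;;%s)" % (ACE_TYPES[ace["type"]], flags, ace["mask"], ace["sid"])

def to_sddl(sd):
    """Text form of the descriptor. Raw SIDs and hex access masks are valid SDDL."""
    out = ""
    if sd["owner"]:
        out += "O:" + sd["owner"]
    if sd["group"]:
        out += "G:" + sd["group"]
    if sd["dacl_present"]:
        if sd["dacl"] is None:
            out += "D:NO_ACCESS_CONTROL"     # SDDL spelling of a NULL DACL
        else:
            protected = "P" if sd["control"] & SE_DACL_PROTECTED else ""
            out += "D:" + protected + "".join(ace_to_sddl(a) for a in sd["dacl"])
    return out

def dacl_is_canonical(aces):
    """Explicit ACEs before inherited ones and, within each group, deny before allow.
    The access check walks ACEs in order, so any other order can let an allow
    be reached before the deny that was meant to override it."""
    order = [(bool(a["flags"] & ACE_INHERITED), a["type"] != 0x01) for a in aces]
    return order == sorted(order)

# Builders used only to construct the sample descriptors below (not a Windows API).
def build_sid(sid):
    p = [int(x) for x in sid.split("-")[1:]]           # revision, authority, sub-authorities
    return bytes([p[0], len(p) - 2]) + p[1].to_bytes(6, "big") + struct.pack("<%dI" % (len(p) - 2), *p[2:])

def build_ace(atype, aflags, mask, sid):
    body = struct.pack("<I", mask) + build_sid(sid)
    return struct.pack("<BBH", atype, aflags, 4 + len(body)) + body

def build_sd(owner, group, aces, control=SE_SELF_RELATIVE | SE_DACL_PRESENT):
    """aces=None produces a NULL DACL (bit set, offset 0); a list produces a real ACL."""
    owner_b, group_b = build_sid(owner), build_sid(group)
    o_owner, o_group = 20, 20 + len(owner_b)
    if aces is None:
        return struct.pack("<BBHIIII", 1, 0, control, o_owner, o_group, 0, 0) + owner_b + group_b
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    o_dacl = o_group + len(group_b)
    return struct.pack("<BBHIIII", 1, 0, control, o_owner, o_group, 0, o_dacl) + owner_b + group_b + acl

# Constructed sample: owned by BUILTIN\Administrators, primary group SYSTEM, a
# protected DACL with one deny and two allows (well-known SIDs, NTFS-style masks).
SAMPLE_SD = build_sd("S-1-5-32-544", "S-1-5-18", [
    build_ace(0x01, 0x00, 0x10000, "S-1-1-0"),         # deny DELETE to Everyone
    build_ace(0x00, 0x03, 0x1f01ff, "S-1-5-32-544"),   # allow full control, OI|CI, Administrators
    build_ace(0x00, 0x03, 0x120089, "S-1-5-11"),       # allow generic read, OI|CI, Authenticated Users
], control=SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_DACL_PROTECTED)
NULL_DACL_SD = build_sd("S-1-5-32-544", "S-1-5-18", None)

if __name__ == "__main__":
    sd = parse_sd(SAMPLE_SD)
    print(to_sddl(sd), "canonical:", dacl_is_canonical(sd["dacl"]))
    print(to_sddl(parse_sd(NULL_DACL_SD)))
```

The parser deliberately trusts AceSize rather than the SID length when stepping through the ACL, which is what Windows does and what keeps object-specific ACEs (which carry GUIDs between the mask and the SID) from derailing it. The first sample renders as `O:S-1-5-32-544G:S-1-5-18D:P(D;;0x10000;;;S-1-1-0)(A;OICI;0x1f01ff;;;S-1-5-32-544)(A;OICI;0x120089;;;S-1-5-11)`; the same bytes fed to the real parser should yield a string that only differs in the use of aliases such as BA, SY, WD and FA.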
More Information#There might be more information for this subject on one of the following:
- Access Control Entry
- Access Control List
- Access Control Model-Microsoft Windows
- Discretionary Access Control List
- MS Access Mask
- Relative IDentifier
- Security Descriptor Description Language
- Security Reference Monitor
- System Access Control List