LDAPWiki: Security Descriptor

Overview#

Security Descriptor (NT-Sec-Desc or nTSecurityDescriptor) is component of the Access Control Model-Microsoft Windows that contains security information specified when it is created, or default security information if none is specified.Security Descriptor is on every Securable object and is pre-defined for the Object type or it can be modified ONLY after creation.

Security Descriptor structure is a compact binary representation for the security associated with a Securable object such as a Microsoft Active Directory or Microsoft Windows as on a File System.

Security Descriptor is not, however, convenient for use in tools that operate primarily on text strings. Therefore, a text-based form of the Security Descriptor is available for situations when a Security Descriptor must be carried by a text method. This format is the Security Descriptor Description Language (SDDL)

Security Descriptor components#

A security descriptor includes information that specifies the following components of an object's security:

OWNER_SECURITY_INFORMATION (OSI) 0x1 which is the Security Identifier (SID)
GROUP_SECURITY_INFORMATION (GSI) 0x2 which is the PrimaryGroupID SID
DACL_SECURITY_INFORMATION (DSI) 0x4 which is the Discretionary Access Control List (DACL)
SACL_SECURITY_INFORMATION (SSI) 0x8 which is the System Access Control List (SACL)
Qualifiers for the preceding items

An ACL contains a list of Access Control Entry (ACEs). Each Access Control Entry specifies a set of access permissions and contains a Security Identifier (SID) that identifies a trustee for whom the permissions are allowed, denied, or audited. A trustee can be a user account, group account, or logon session.

Security Descriptor maybe modified or read using LDAP by making use of the LDAP_SERVER_SD_FLAGS_OID SupportedControl!! More Information There might be more information for this subject on one of the following:

[#1] - 6.1.3.2 SD Flags Control - based on information obtained 2019-02-28-