Learn the difference between ACLs, DACLs, and SACLs

By Talainia Posey, Special to ZDNet Asia
Wednesday, July 31, 2002 02:00 PM

If you’ve ever worked with Windows NT or Windows 2000 security, you’re probably already familiar with the concept of the access control list, or ACL. (ACL is often pronounced "ACK-el.") However, you might not know that there are actually three types of ACLs. Each ACL has its own purpose, but they work collectively to form a system’s overall security policy. I'm going to discuss each type of ACL, explaining the differences and similarities between them.

ACLs
In Windows 2000, an ACL refers to the list of users and groups that have access to a particular file or folder on an NTFS file system. When you right-click on a file or folder and select the Properties command from the resulting context menu, you’ll see the file or folder’s properties sheet. If you then select the Security tab, you’ll see a list of users and groups and a list of permissions, as shown in Figure A. This is the ACL for the object.

Figure A
The ACL controls which user has file-level permissions to a file or folder.


As we mentioned earlier, the various types of ACLs work together to form the overall security policy, and we'll see how a bit later. For now, though, think of the ACL as the last line of security between users and resources. The ACL is used to assign permissions directly to files and folders. These permissions function independently of any permissions that may be set elsewhere, such as on network share points or on Active Directory objects. In essence, if a user is granted access to a file or folder through the ACL, the user will be able to access the file or folder as long as other permissions in the system don't restrict access. On the other hand, if a user is specifically denied access to a file or folder by means of an ACL entry, the system will never allow the user to access that file or folder, regardless of what level of permissions has been assigned elsewhere.

DACLs
Another type of access control list is the discretionary access control list (DACL). A DACL is attached to the Active Directory rather than being attached to the NTFS file system. A DACL is made up of a list of users and groups that have permissions to a particular object within the Active Directory. Items on the DACL are called access control entries (ACEs). An ACE is composed of a user, group, or computer name combined with the individual permissions that the user, group, or computer has to the Active Directory object. The DACL is the sum total of the ACEs. You can see an example of a DACL and its associated ACEs in Figure B.

Figure B
A DACL is responsible for assigning permissions to Active Directory objects.


One important thing that you should know about DACLs is that there’s a substantial difference between an empty DACL and a nonexistent DACL. If an object’s DACL is empty, it indicates that no one except for the object’s owner has access to the object. However, if an object simply doesn’t have a DACL, Windows 2000 interprets it to mean that there are no security restrictions on the object and that everyone should have full control over the object. The vast majority of Active Directory objects have DACLs, so an object without a DACL should be a rare occurrence.
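To make the three rules above concrete (an explicit deny entry always wins over an allow entry, an empty DACL leaves access to the owner only, and a missing DACL places no restrictions at all), here is a small Python model of a security descriptor and an access check. This is an added example written for this article, not code from Microsoft or from the author; the permission bits, the ACE and SecurityDescriptor classes, the trustee names (alice, bob, carol, Marketing, Everyone) and the access_check function are all constructed for illustration and are not the real Win32 constants or APIs. The model evaluates a deny before any allow regardless of position, which matches the article's description; real Windows walks the ACEs in order and relies on denies being placed first.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Permission bits used by this model. Constructed for the example; they are
# not the real Win32 access-mask constants.
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4
FULL_CONTROL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class ACE:
    """One access control entry: a trustee plus the permissions it is allowed or denied."""
    trustee: str   # user, group or computer name
    allow: bool    # True for an access-allowed ACE, False for an access-denied ACE
    mask: int      # permission bits this entry grants or denies


@dataclass
class SecurityDescriptor:
    """Owner plus DACL. dacl=None models an object with no DACL; dacl=[] models an empty DACL."""
    owner: str
    dacl: Optional[List[ACE]]


def access_check(sd: SecurityDescriptor, principal: str, groups: Set[str], requested: int) -> bool:
    """Return True if `principal` (a member of `groups`) is granted every bit in `requested`.

    Rules as the article describes them:
      * no DACL at all -> everyone has full control
      * empty DACL     -> nobody but the owner has access
      * otherwise      -> a matching deny ACE on any requested bit wins over every
                          allow ACE; allows are accumulated until `requested` is covered
    """
    if sd.dacl is None:
        return True                       # missing DACL: no restrictions
    if not sd.dacl:
        return principal == sd.owner      # empty DACL: owner only (simplified model)

    trustees = {principal, *groups}
    granted = 0
    for ace in sd.dacl:
        if ace.trustee not in trustees:
            continue                      # this ACE does not apply to the principal
        if not ace.allow and (ace.mask & requested):
            return False                  # explicit deny on a requested bit: stop here
        if ace.allow:
            granted |= ace.mask
    return (requested & ~granted) == 0    # every requested bit must have been allowed


def demo() -> dict:
    """Constructed sample DACLs exercising each rule; returns results keyed by scenario."""
    shared = SecurityDescriptor(owner="alice", dacl=[
        ACE("Marketing", allow=False, mask=WRITE),       # deny write to the Marketing group
        ACE("Everyone", allow=True, mask=READ),          # everyone may read
        ACE("Marketing", allow=True, mask=FULL_CONTROL), # a later allow cannot override the deny
    ])
    empty = SecurityDescriptor(owner="alice", dacl=[])
    missing = SecurityDescriptor(owner="alice", dacl=None)
    return {
        "bob_read": access_check(shared, "bob", {"Everyone", "Marketing"}, READ),
        "bob_write": access_check(shared, "bob", {"Everyone", "Marketing"}, WRITE),
        "carol_exec": access_check(shared, "carol", {"Everyone"}, EXECUTE),
        "empty_owner": access_check(empty, "alice", set(), FULL_CONTROL),
        "empty_other": access_check(empty, "bob", {"Everyone"}, READ),
        "missing_anyone": access_check(missing, "bob", set(), FULL_CONTROL),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15} {'granted' if ok else 'DENIED'}")
```

Running the block shows bob, a member of Marketing, reading but not writing the shared object even though a later ACE grants his group full control, carol failing an execute request that no ACE covers, and the empty and missing DACLs behaving exactly as the article distinguishes them. On a real Windows 2000 or later system the equivalent inspection is done with the Security tab shown in the figures, or from PowerShell with Get-Acl on a file path.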
