What you will learn:
This article explains what an access control list (ACL) and an access control entry (ACE) are, the components that make up each, the types of ACLs and ACEs, and what each type is for.
What are Access Control Lists, and why do we need them?
In an Active Directory network, not every user or computer needs access to every object and file. Limiting access is a security measure: if an account turns rogue or a computer is compromised, the damage is confined to the resources that account or computer could already reach. This is where an access control list (ACL) comes into play.
In Active Directory, an access control list is an ordered list that states which trustees have access to the object in question and what type of access each of them has. A trustee may be any security principal: a user account, a group, or a logon session. Each ACL is made up of access control entries, and each ACE names one trustee and the type of access that trustee has; an object can therefore be reachable by many trustees, with one ACE per grant or denial. ACLs also drive auditing: they can specify which access attempts on a securable object, and which kinds of access, are recorded in the Security event log. A securable object is any Windows object that has a security descriptor (files, folders, registry keys, services and Active Directory objects among them); the security descriptor holds the object's owner, its discretionary ACL and its system ACL.
Types of Access Control Lists
There are two types of access control list, one for each of the two functions described above.
- Discretionary Access Control List (DACL): This ACL defines the access rights trustees have to the securable object. A DACL contains access allowed ACEs and access denied ACEs, and the system walks it whenever a trustee attempts to access the object to decide what access, if any, to grant. Two edge cases matter. If the object has no DACL at all (a NULL DACL), the system grants full access to everyone. If the object has a DACL that contains no ACEs (an empty DACL), the system denies all access to everyone. Independently of the DACL, the object's owner is always granted READ_CONTROL and WRITE_DAC, so the owner can read and rewrite the DACL even when it would otherwise lock them out.
- System Access Control List (SACL): This ACL controls auditing. Its system audit ACEs name a trustee, an access mask, and whether successful attempts, failed attempts, or both should be recorded. When a matching attempt occurs and object access auditing is enabled in the audit policy, the system writes an event to the Security log stating who attempted which type of access and whether it was granted or denied. Reading or changing a SACL requires the SeSecurityPrivilege ("Manage auditing and security log") user right.
What is an Access Control Entry?
An access control list is a list of elements called access control entries. Each ACE names a trustee and defines what type of access that trustee has to the securable object in question. Taken together, and in order, the ACEs in an ACL are the object's complete set of access permissions, which is why reviewing them is the first step in finding over-exposed data or rights that a trustee should not hold.
Types of access control entries
ACEs fall into six types based on their function. Three of these are supported by every securable object; the other three are object-specific and exist only for directory service objects. The types are as follows:
- Access denied ACE: This ACE is used in a DACL. It indicates that the trustee is denied the access described by its access mask. This ACE is supported by all securable objects.
- Access allowed ACE: This ACE is also used in a DACL. It indicates that the trustee is allowed the access described by its access mask. This ACE is supported by all securable objects.
- System audit ACE: This ACE is used in a SACL. It causes an audit record to be generated when the named trustee attempts the specified access, recording whether the attempt succeeded or failed and what type of access was attempted. This ACE is supported by all securable objects.
The following three are object-specific ACEs. They are supported only by directory service objects (that is, Active Directory objects). In addition to the fields of a generic ACE, an object-specific ACE can carry two GUIDs: one naming the property, property set, or extended right the ACE applies to, and one restricting inheritance to a particular class of child object.
- Access denied object ACE: Used in a DACL, it denies the trustee access to a specific property or property set of the object (or denies an extended right), or it limits inheritance of the ACE to a specified class of child object.
- Access allowed object ACE: Used in a DACL, it allows the trustee access to a specific property or property set of the object (or grants an extended right), or it limits inheritance of the ACE to a specified class of child object.
- System audit object ACE: Used in a SACL, it generates an audit record when the trustee attempts to access a specific property or property set of the object, recording whether the attempt succeeded or failed and what type of access was attempted, or it limits inheritance of the ACE to a specified class of child object.
Components of an Access Control Entry
Every access control entry has the following components:
- The security identifier (SID) of a trustee. Each SID is unique to a trustee.
- An access mask, which is a 32-bit value that defines the operations that are either allowed or denied for the trustee.
- A flag that indicates the type of ACE, such as whether it is an access denied ACE, access allowed ACE, or a system audit ACE.
- A set of bit flags that determine if child containers or objects can inherit the ACE from their primary object or parent.
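To make the components listed above concrete, here is an added example (not code from the original article) that builds a small binary DACL by hand and parses it back into its ACL header, ACE headers, access masks, inheritance flags and trustee SIDs. The layouts follow the documented ACL, ACE_HEADER, ACCESS_ALLOWED_ACE/ACCESS_DENIED_ACE and SID structures; the domain SIDs and the rights granted are constructed for the example.

```python
"""Parse a binary Windows ACL into ACL header, ACE headers, access masks and SIDs.

Added illustration, not code from the original article. The sample DACL at the
bottom is constructed by hand from the documented ACL, ACE_HEADER,
ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE and SID layouts; the domain SIDs are made up.
"""
import struct
from dataclasses import dataclass

ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE = 0x00, 0x01, 0x02

# AceFlags bits: inheritance control, plus the two audit flags used in SACL entries
ACE_FLAG_NAMES = {
    0x01: "OBJECT_INHERIT_ACE",
    0x02: "CONTAINER_INHERIT_ACE",
    0x04: "NO_PROPAGATE_INHERIT_ACE",
    0x08: "INHERIT_ONLY_ACE",
    0x10: "INHERITED_ACE",
    0x40: "SUCCESSFUL_ACCESS_ACE_FLAG",
    0x80: "FAILED_ACCESS_ACE_FLAG",
}

# A subset of the 32-bit access mask: generic rights (top nibble) and standard rights
ACCESS_MASK_NAMES = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}

@dataclass
class Ace:
    ace_type: int   # AceType byte of ACE_HEADER
    flags: int      # AceFlags byte of ACE_HEADER
    mask: int       # 32-bit access mask
    sid: str        # trustee SID in S-1-... form

def parse_sid(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a binary SID at offset; return (string form, bytes consumed)."""
    revision, sub_count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")   # the one big-endian field
    subs = struct.unpack_from("<%dI" % sub_count, data, offset + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * sub_count

def parse_acl(data: bytes) -> list[Ace]:
    """Walk the ACL header and each ACE in order; only the three basic ACE types are handled."""
    _revision, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", data, 0)
    if acl_size != len(data):
        raise ValueError("AclSize does not match buffer length")
    aces, offset = [], 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, offset)
        if ace_type not in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE, SYSTEM_AUDIT_ACE_TYPE):
            raise ValueError("object-specific or callback ACE type 0x%02x not handled" % ace_type)
        (mask,) = struct.unpack_from("<I", data, offset + 4)
        sid, _ = parse_sid(data, offset + 8)
        aces.append(Ace(ace_type, ace_flags, mask, sid))
        offset += ace_size   # AceSize varies with SID length, so it is what steps to the next ACE
    return aces

def names(value: int, table: dict) -> list[str]:
    """Expand a bit field into the names of the bits that are set."""
    return [name for bit, name in table.items() if value & bit]

# Builders used only to construct the sample DACL below.
def build_sid(authority: int, *subs: int) -> bytes:
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_ace(ace_type: int, flags: int, mask: int, sid: bytes) -> bytes:
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_acl(aces: list[bytes]) -> bytes:
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body   # AclRevision 2

# Constructed sample: a fictitious domain S-1-5-21-1111-2222-3333.
USER_SID = build_sid(5, 21, 1111, 2222, 3333, 1105)         # a user (RID 1105)
DOMAIN_USERS_SID = build_sid(5, 21, 1111, 2222, 3333, 513)  # Domain Users (RID 513)
ADMINISTRATORS_SID = build_sid(5, 32, 544)                  # BUILTIN\Administrators

SAMPLE_DACL = build_acl([
    build_ace(ACCESS_DENIED_ACE_TYPE, 0x00, 0x10000000, USER_SID),                        # explicit deny
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0x03, 0x80000000 | 0x20000000, DOMAIN_USERS_SID),  # explicit allow, inherits to children
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0x10, 0x10000000, ADMINISTRATORS_SID),             # allow inherited from the parent
])

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_DACL):
        kind = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}[ace.ace_type]
        print(kind, ace.sid, names(ace.mask, ACCESS_MASK_NAMES), names(ace.flags, ACE_FLAG_NAMES))
```

The parser deliberately refuses object-specific and callback ACE types: their bodies carry extra fields (the two GUIDs and, for callbacks, conditional data) after the mask, so reading a SID at offset 8 would decode garbage. A real-world parser should branch on AceType before touching the body.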
Why the order of Access Control Entries is important
When the system checks a DACL, it examines the ACEs in sequence. Each ACE is compared with the trustee's token: an access denied ACE that matches any of the rights still being requested ends the check with access denied; an access allowed ACE removes the rights it grants from the outstanding request; and the check ends with access granted as soon as nothing is outstanding. If the end of the list is reached with rights still outstanding, access is denied. Because the walk stops at the first decisive ACE, an access denied ACE only takes effect if it is reached before an access allowed ACE that covers the same rights, so denied ACEs must be placed before allowed ACEs.
For example, you want to grant a group access to a shared folder, but one member of the group should not have it. You would place the access denied ACE for that member first, and then the access allowed ACE for the group. Windows defines a canonical order for this: explicit access denied ACEs, then explicit access allowed ACEs, then inherited ACEs (grouped by the parent they came from, with denied before allowed within each group). The graphical security editor and the usual management tools write ACLs in canonical order, but the system itself does not reorder an ACL written through the security APIs, so when reviewing permissions check the actual order rather than assuming it.
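The following added example (not code from the original article) simulates the DACL walk described above and exercises the edge cases from the DACL section: the group-with-one-exception scenario in canonical and misordered form, an empty DACL, a NULL DACL, and the owner's implicit READ_CONTROL and WRITE_DAC. The SIDs, group memberships and rights are constructed for the example, and the canonical-order check is simplified to the four-bucket rule (explicit deny, explicit allow, inherited deny, inherited allow) without grouping inherited ACEs by ancestor.

```python
"""Simulate the DACL walk the system performs on an access request.

Added illustration, not code from the original article. It models the documented
evaluation order: ACEs are examined in list order, a deny ACE that covers any
still-unsatisfied right ends the check with denial, allow ACEs accumulate rights,
and reaching the end with rights outstanding also denies. SIDs, group memberships
and the rights requested below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

ACCESS_ALLOWED, ACCESS_DENIED = 0, 1
INHERIT_ONLY_ACE, INHERITED_ACE = 0x08, 0x10

READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000   # standard rights
FILE_READ_DATA, FILE_WRITE_DATA = 0x0001, 0x0002     # object-specific rights for files

@dataclass(frozen=True)
class Ace:
    ace_type: int
    flags: int
    mask: int
    sid: str

def access_check(dacl: Optional[list[Ace]], token_sids: set[str], owner_sid: str, requested: int) -> bool:
    """Return True when every bit in `requested` is granted to a token holding `token_sids`."""
    if dacl is None:                 # NULL DACL: the object is unprotected, everyone gets everything
        return True
    remaining = requested
    if owner_sid in token_sids:      # the owner always holds READ_CONTROL and WRITE_DAC implicitly
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if remaining == 0:
        return True
    for ace in dacl:                 # an empty DACL (no ACEs) falls straight through to the final deny
        if ace.flags & INHERIT_ONLY_ACE or ace.sid not in token_sids:
            continue                 # inherit-only ACEs apply to children, not to this object
        if ace.ace_type == ACCESS_DENIED and ace.mask & remaining:
            return False             # a deny that touches an unsatisfied right ends the check
        if ace.ace_type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
            if remaining == 0:
                return True          # every requested right has now been allowed
    return False                     # end of list with rights still outstanding

def is_canonical(dacl: list[Ace]) -> bool:
    """Canonical order: explicit denies, explicit allows, then inherited denies, inherited allows.

    Simplified: the real canonical order also groups inherited ACEs by the ancestor they came from.
    """
    ranks = [(bool(a.flags & INHERITED_ACE), a.ace_type == ACCESS_ALLOWED) for a in dacl]
    return ranks == sorted(ranks)

# Constructed sample principals in a fictitious domain.
USER = "S-1-5-21-1111-2222-3333-1105"
DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"
OWNER = "S-1-5-32-544"               # BUILTIN\Administrators owns the folder
TOKEN = {USER, DOMAIN_USERS}         # the user's token carries their own SID and their group SIDs

deny_user_write = Ace(ACCESS_DENIED, 0, FILE_WRITE_DATA, USER)
allow_group_rw = Ace(ACCESS_ALLOWED, 0, FILE_READ_DATA | FILE_WRITE_DATA, DOMAIN_USERS)

CANONICAL_DACL = [deny_user_write, allow_group_rw]   # deny first: the exception is honoured
MISORDERED_DACL = [allow_group_rw, deny_user_write]  # allow first: the deny is never reached

if __name__ == "__main__":
    print("canonical, write  :", access_check(CANONICAL_DACL, TOKEN, OWNER, FILE_WRITE_DATA))   # False
    print("canonical, read   :", access_check(CANONICAL_DACL, TOKEN, OWNER, FILE_READ_DATA))    # True
    print("misordered, write :", access_check(MISORDERED_DACL, TOKEN, OWNER, FILE_WRITE_DATA))  # True
    print("misordered canonical?", is_canonical(MISORDERED_DACL))                               # False
    print("empty DACL, read  :", access_check([], TOKEN, OWNER, FILE_READ_DATA))                # False
    print("NULL DACL, read   :", access_check(None, TOKEN, OWNER, FILE_READ_DATA))              # True
    print("owner, READ_CONTROL on empty DACL:", access_check([], {OWNER}, OWNER, READ_CONTROL))  # True
```

The misordered case is the one to remember when auditing: the same two ACEs, merely swapped, turn an intended exception into a grant, and nothing in the ACL itself flags that as wrong. Running `is_canonical` over DACLs you collect is a cheap way to find ACLs that were written with raw APIs rather than through tools that maintain the canonical order.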