
Security descriptors & ACLs

Owners, DACL/SACL, ACE ordering, and the object-side policy Windows enforces.


Why it matters

Tokens describe identity, but descriptors describe the object. Understanding DACL/SACL is the fastest way to make sense of 'why access was denied' across files, registry, processes, and services.

Mental model

A security descriptor is the rulebook attached to an object: who owns it, who can do what (DACL), and what should be audited (SACL).

Go one level deeper

Extra detail for readers who want more precision before opening a child topic.

  • SDDL strings (O:, G:, D:, S:) are a compact serialization of security descriptors.
  • Inheritance flags on ACEs control how child objects receive default security.

How it works

  1. A security descriptor can include an owner SID and two ACLs: DACL (authorization) and SACL (auditing).
  2. Each ACL is an ordered list of ACEs that allow, deny, or audit specific rights for specific trustees.
  3. DACL behavior has sharp edges: a missing DACL and an empty DACL lead to very different outcomes.

Key terms

Security descriptor
The security metadata attached to a securable object.
DACL
Discretionary ACL controlling allow/deny for access rights.
SACL
System ACL controlling audit rules written to the security log.

Missing DACL vs empty DACL

A missing (NULL) DACL means 'no policy here': every access check succeeds. An empty DACL (present, but with zero ACEs) means 'nobody is allowed': every access check fails.

Common misconception

People treat ACLs as unordered lists. ACE order matters because the access check walks the ACEs in order and stops as soon as the requested access has been fully allowed or any requested right is explicitly denied.
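As an added example (not code from this page, and not the Windows implementation), the following Python models the DACL walk described above: it parses the D: section of an SDDL string into an ordered ACE list, distinguishes a missing DACL from an empty one, and stops at the first decisive ACE. The rights bits and the alias table are constructed toy values; owner rights, privileges, generic-right mapping and inheritance are left out.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed access-right bits and SDDL rights aliases (toy values, not the
# real FILE_* masks); the alias letters FA/FR/FW/SD themselves are real SDDL.
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE
RIGHTS = {"FA": FULL, "FR": READ, "FW": WRITE, "SD": DELETE}

@dataclass(frozen=True)
class Ace:
    kind: str      # "A" = access allowed, "D" = access denied (SDDL letters)
    rights: int    # access mask this ACE applies to
    trustee: str   # SDDL alias such as BA, AU, SY, or a full SID string

def parse_dacl(sddl: str | None) -> list[Ace] | None:
    """Parse a D: section such as 'D:(A;;FA;;;BA)(D;;FW;;;AU)'.

    None or a string without D: -> None (no DACL); 'D:' with no ACEs -> []
    (empty DACL). Control flags such as P/AI/AR are skipped; order is kept.
    """
    if sddl is None or not sddl.startswith("D:"):
        return None
    body = sddl[2:]
    body = body[body.index("("):] if "(" in body else ""
    aces = []
    for raw in body.split(")"):
        raw = raw.lstrip("(")
        if raw:
            kind, _flags, rights, _obj, _inherit, sid = raw.split(";")
            aces.append(Ace(kind, RIGHTS[rights], sid))
    return aces

def access_check(dacl: list[Ace] | None, token_sids, desired: int) -> bool:
    """True if a token holding token_sids is granted every bit in desired."""
    if not desired:
        raise ValueError("at least one access right must be requested")
    if dacl is None:                  # no DACL: no policy, the check succeeds
        return True
    granted = 0
    for ace in dacl:                  # strictly in ACE order
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "D" and ace.rights & desired:
            return False              # explicit deny of a requested right
        if ace.kind == "A":
            granted |= ace.rights & desired
            if granted == desired:
                return True           # fully allowed; later ACEs not consulted
    return False                      # empty DACL or nothing matched: denied
```

Swapping the two ACEs in `D:(D;;FW;;;AU)(A;;FA;;;BA)` changes the outcome for a token that is both BA and AU, which is exactly the ordering issue described above.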

Guided exercise

Use this topic to move from theory into practice.

  • In ACL Lab, compare the three samples: no DACL, empty DACL, and typical file DACL.
  • Identify which trustee SIDs (BA, AU, SY) appear in each ACE.
