Get a glimpse inside Paul Cooke's e-book "The definitive guide to Windows 2000 security" with this series of book excerpts, courtesy of Realtimepublishers.com. This excerpt is from Chapter 5, "Configuring access control." Click for the book excerpt series or get the full e-book.
I've talked a bit about the inheritance of ACEs, but not about how this process actually occurs. ACE inheritance is the process by which the ACEs in the ACL of a parent object are propagated to the ACL of a child object. Inherited ACEs aren't always recomputed but are instead propagated from the parent object to the child object in the following circumstances:
- When a new child object is created
- When the DACL of the parent object is modified.
- When the SACL of the parent object is modified.
Whenever one of these events happens, Windows 2000 must re-evaluate the inheritance of ACEs. One of the things that you need to be aware of when this re-evaluation occurs is that a container object may carry an ACL that isn't effective on the container itself but is there only to be inherited down the chain. When this configuration occurs, the ACEs are inherited down the object hierarchy until they can be applied to a non-container object. They then become effective ACEs for that object.
Because an object can inherit ACEs and have explicit ACEs applied directly to it, the specific order that ACEs are processed becomes important. Windows 2000 manages the order of ACEs by putting them into what is known as canonical order, as shown in Figure 5.13.
Figure 5.13: The canonical order of ACEs.
Although this figure gives you an idea of what canonical order is, it's best described by these three simple rules:
1. Explicit ACEs are grouped before any inherited ACEs.
2. Within a group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.
3. Inherited ACEs are ordered in the same way in which they're inherited. Inherited parent ACEs come first, followed by grandparent ACEs, and so on.
By placing ACEs in canonical order, you can be assured of two things.
- Explicit ACEs are evaluated before inherited ACEs -- The owner of a child object really has control over the object's access, rather the object's parent having control. Thus, you can define permissions on an object that modify the effects of inherited permissions.
- Access-denied ACEs are evaluated before access-allowed ACEs -- You can allow access to a large number of users while denying access to a subset of the group.
Click for the next excerpt in this series: Security descriptors
Click for the book excerpt series or get the full e-book.