The Security Descriptor Definition Language of Love (Part 2)

Hi. Jim from DS here with a follow-up to my SDDL blog, part I. At the end of my last post I promised to dissect further the SDDL output returned by running CACLS with the /S switch against the TOOLS share, as shown here:

[image: CACLS /S output for the TOOLS share]

Here is the output exported to a .txt file:

"D:AI(D;OICI;FA;;;BG)(A;;FA;;;BA)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)"

Let's examine the first segment more closely: "D:AI(D;OICI;FA;;;BG)(A;;FA;;;BA)"

[image: field-by-field breakdown of the first ACE segment]

Now the second ACE segment: (A;;FA;;;BA)

[image: field-by-field breakdown of the second ACE segment, part 1]

[image: field-by-field breakdown of the second ACE segment, part 2]

You get the picture. A chart at the end of this post lists all the acronyms, including the ones illustrated in this output.

At this point you may be asking why there are two different ACE entries for Built-in Administrators. The first ACE is the one applied directly to the object (in this case TOOLS, for BA). The second ACE, carrying the ID flag, is the one that reaches this object through inheritance and flows on down from TOOLS to its children.

This is illustrated in the Permissions tab of Advanced Security Settings for the TOOLS share:

[image: Advanced Security Settings for TOOLS, Permissions tab, showing the explicit and inherited Administrators entries]
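The same field-by-field dissection the screenshots above show, as an added Python example (not code from the original post): it splits a descriptor string into its O:/G:/D:/S: sections, expands each ACE's type, flags, rights and trustee using the abbreviation charts at the end of this post, groups the ACEs per trustee so the explicit and inherited BA entries sit side by side, and checks that the DACL is in canonical order (explicit denies, explicit allows, then inherited ACEs), which is what lets the deny-for-Guests ACE reliably win. The name tables are trimmed to the tokens that occur in the two descriptors on this page, and the hex-mask decoding assumes a file object. One thing worth knowing when reading the TOOLS output: the converter picks a token by bit value, not by object type, so directory-service names such as LC (0x4) and DC (0x2) appear on a folder, where those bits mean "create folders / append data" and "create files / write data".

```python
import re

# Abbreviation tables: SDDL tokens from the charts at the end of this post (and MSDN),
# trimmed to what the descriptors on this page use. The converter chooses a token by bit
# value, not object type, which is why DS-style names (LC, DC) show up on a file share.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "OA": "OBJECT_ACCESS_ALLOWED",
             "OD": "OBJECT_ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM",
             "OU": "OBJECT_SYSTEM_AUDIT", "OL": "OBJECT_SYSTEM_ALARM"}
ACL_FLAGS = {"P": "PROTECTED", "AI": "AUTO_INHERITED", "AR": "AUTO_INHERIT_REQ"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "RP": "READ_PROPERTY", "WP": "WRITE_PROPERTY", "CC": "CREATE_CHILD", "DC": "DELETE_CHILD",
          "LC": "LIST_CHILDREN", "SW": "SELF_WRITE", "LO": "LIST_OBJECT", "DT": "DELETE_TREE",
          "CR": "CONTROL_ACCESS", "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
          "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE", "KA": "KEY_ALL_ACCESS",
          "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE"}
TRUSTEES = {"BA": "Built-in Administrators", "BG": "Built-in Guests", "BU": "Built-in Users",
            "SY": "Local System", "CO": "Creator Owner", "DU": "Domain Users", "PU": "Power Users",
            "WD": "Everyone", "AU": "Authenticated Users"}
# File-object access-mask bits, for the hex fallback the converter emits when no token fits
# (0x1200a9 in the TOOLS output is FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, i.e. Read & Execute).
FILE_MASK_BITS = [(0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"), (0x4, "FILE_APPEND_DATA"),
                  (0x8, "FILE_READ_EA"), (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
                  (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"), (0x100, "FILE_WRITE_ATTRIBUTES"),
                  (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
                  (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]

def split_tokens(s):
    """Break a run such as 'OICIID' into ['OI', 'CI', 'ID']; 'P' is the only one-letter token."""
    tokens, i = [], 0
    while i < len(s):
        width = 1 if s[i] == "P" else 2
        tokens.append(s[i:i + width])
        i += width
    return tokens

def expand_rights(s):
    """Named tokens map through RIGHTS; a raw hex mask is decoded bit by bit as a file mask."""
    if s.lower().startswith("0x"):
        mask = int(s, 16)
        return [name for bit, name in FILE_MASK_BITS if mask & bit]
    return [RIGHTS.get(t, t) for t in split_tokens(s)]

def parse_ace(body):
    """An ACE is 'type;flags;rights;object_guid;inherit_object_guid;trustee'."""
    parts = body.split(";")
    if len(parts) != 6:
        raise ValueError(f"ACE needs six ';'-separated fields: {body!r}")
    t, flags, rights, obj, iobj, trustee = parts
    return {"type": ACE_TYPES.get(t, t), "flags": [ACE_FLAGS.get(f, f) for f in split_tokens(flags)],
            "rights": expand_rights(rights), "object_type": obj, "inherited_object_type": iobj,
            "trustee": TRUSTEES.get(trustee, trustee), "inherited": "ID" in split_tokens(flags)}

def parse_acl(acl):
    """'AI(ace)(ace)...' -> (control flags, list of ACEs); ACE order is preserved on purpose."""
    first = acl.find("(")
    flag_str = acl if first < 0 else acl[:first]
    return ([ACL_FLAGS.get(f, f) for f in split_tokens(flag_str)],
            [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", acl)])

def parse_sddl(sddl):
    """Split 'O:...G:...D:...S:...' (every part optional) and expand the DACL and SACL."""
    sections = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl.strip().strip('"')))
    out = {"owner": TRUSTEES.get(sections.get("O"), sections.get("O")),
           "group": TRUSTEES.get(sections.get("G"), sections.get("G"))}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        if key in sections:
            flags, aces = parse_acl(sections[key])
            out[name] = {"flags": flags, "aces": aces}
    return out

def by_trustee(aces):
    """Group ACEs per trustee; this is where the explicit and inherited BA entries line up."""
    groups = {}
    for ace in aces:
        groups.setdefault(ace["trustee"], []).append(ace)
    return groups

def is_canonical(aces):
    """Canonical DACL order: explicit denies, explicit allows, then everything inherited."""
    def rank(ace):
        return 2 if ace["inherited"] else (0 if "DENIED" in ace["type"] else 1)
    ranks = [rank(a) for a in aces]
    return ranks == sorted(ranks)

# The descriptor shown earlier in this post (CACLS /S on the TOOLS share), quotes included.
TOOLS_SHARE = ('"D:AI(D;OICI;FA;;;BG)(A;;FA;;;BA)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)'
               '(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)"')

if __name__ == "__main__":
    sd = parse_sddl(TOOLS_SHARE)
    print("DACL control flags:", sd["dacl"]["flags"])
    for ace in sd["dacl"]["aces"]:
        flags = "+".join(ace["flags"]) or "-"
        print(f'{ace["type"]:<14} {flags:<44} {ace["trustee"]:<24} {",".join(ace["rights"])}')
    print("BA explicit/inherited:", [a["inherited"] for a in by_trustee(sd["dacl"]["aces"])["Built-in Administrators"]])
    print("canonical order:", is_canonical(sd["dacl"]["aces"]))
```

Running it on the TOOLS descriptor prints one row per ACE, two of them for Built-in Administrators (the first explicit, the second flagged INHERITED), and confirms the DACL is canonical. A non-canonical DACL (an explicit allow ahead of an explicit deny) is the kind of thing that makes a deny silently lose, so the order check is worth keeping in any script that reads descriptors in bulk.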

Now you may well be wondering "Jim, how can I use this SDDL wonderment to make my administrative tasks less tedious?"

Well, here is an example of how you can do just that.

Scenario: It's Friday at 3pm. You have to deploy 10 printers to the call center. Every single printer should have exactly the same security settings for access (oversimplified, yes, but you get the point). You need to get this done expediently so as not to miss happy hour. All the printers have IP addresses and are installed on your print server. You have applied the necessary security on one printer as follows:

[image: security settings applied to printer1]

Using the SETPRINTER utility you can view the security applied in SDDL format as follows:

[image: SETPRINTER -show output for printer1]

Here is the command as well as the output:

C:\>setprinter -show \\2003dom-member\printer1 3

pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"

Now create yourself a .CMD file containing the following commands, remembering of course to substitute your print server name and your printer names where indicated. Also be sure NOT to wrap your SDDL parameters as they are wrapped below; that is done here purely for readability. Each entire command must be on one line:

setprinter \\"Print_Server_Name"\printer1 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"

setprinter \\"Print_Server_Name"\printer2 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"

setprinter \\"Print_Server_Name"\printer3 3 pSecurityDescriptor="O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)"

end

exit

You may add as many similarly configured printers as you like.
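The deployment above, plus the check you would run once it has finished, as an added Python example (this is not the post's .CMD script): it emits one single-line SETPRINTER command per printer from the reference descriptor captured on printer1, refusing a descriptor that contains a line break (the wrapping caveat above), and then compares the pSecurityDescriptor string each printer reports back from setprinter -show against the reference, ACE by ACE, flagging missing, extra or re-ordered ACEs. The server name is a placeholder, and the three captured output lines are constructed for the example: printer1 matches, printer2 is missing its Power Users ACEs, and printer3 has picked up an extra Everyone ACE.

```python
import re

PRINT_SERVER = "PRINT_SERVER_NAME"  # placeholder: substitute your own print server name

# Reference descriptor exactly as 'setprinter -show \\<server>\printer1 3' printed it in the post.
REFERENCE = ("O:BAG:DUD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)"
             "(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2604)"
             "(A;CIIO;RC;;;CO)(A;OIIO;RPWPSDRCWDWO;;;CO)"
             "(A;CIIO;RC;;;S-1-5-21-329599412-2737779004-1408050790-2605)"
             "(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-329599412-2737779004-1408050790-2605)"
             "(A;;SWRC;;;S-1-5-21-329599412-2737779004-1408050790-2605)"
             "(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)")

DESCRIPTOR_RE = re.compile(r'pSecurityDescriptor="([^"]*)"')

def build_cmd_lines(server, printers, sddl):
    """One SETPRINTER command per printer, each on a single line (the SDDL must never wrap)."""
    if "\n" in sddl or "\r" in sddl:
        raise ValueError("descriptor contains a line break; each command must be on one line")
    return [f'setprinter \\\\{server}\\{name} 3 pSecurityDescriptor="{sddl}"' for name in printers]

def render_cmd(lines):
    """Assemble the .CMD file body with Windows line endings and a trailing exit."""
    return "\r\n".join(lines + ["exit", ""])

def extract_descriptor(show_output):
    """Pull the SDDL string out of 'setprinter -show' output; None if it is not there."""
    match = DESCRIPTOR_RE.search(show_output)
    return match.group(1) if match else None

def split_aces(sddl):
    """Return (prefix, [ace, ...]): prefix is the O:/G:/D: part before the first '('."""
    first = sddl.find("(")
    if first < 0:
        return sddl, []
    return sddl[:first], re.findall(r"\([^)]*\)", sddl[first:])

def compare_descriptor(reference, actual):
    """ACE-level diff against the reference; an empty list means the printer matches."""
    if actual is None:
        return ["no pSecurityDescriptor in output"]
    problems = []
    ref_prefix, ref_aces = split_aces(reference)
    act_prefix, act_aces = split_aces(actual)
    if ref_prefix != act_prefix:
        problems.append(f"owner/group/flags differ: {act_prefix!r} != {ref_prefix!r}")
    problems += [f"missing {ace}" for ace in ref_aces if ace not in act_aces]
    problems += [f"unexpected {ace}" for ace in act_aces if ace not in ref_aces]
    if not problems and ref_aces != act_aces:
        problems.append("same ACEs but different order (DACL evaluation order matters)")
    return problems

def verify_deployment(reference, outputs):
    """outputs: {printer_name: captured 'setprinter -show' text}. Returns {name: [problems]}."""
    return {name: compare_descriptor(reference, extract_descriptor(text)) for name, text in outputs.items()}

# Constructed sample of what 'setprinter -show' might print back for three printers.
SAMPLE_OUTPUTS = {
    "printer1": f'pSecurityDescriptor="{REFERENCE}"',
    "printer2": 'pSecurityDescriptor="' + REFERENCE.replace("(A;;LCSWSDRCWDWO;;;PU)(A;OIIO;RPWPSDRCWDWO;;;PU)", "") + '"',
    "printer3": f'pSecurityDescriptor="{REFERENCE}(A;;LCSWSDRCWDWO;;;WD)"',
}

if __name__ == "__main__":
    print(render_cmd(build_cmd_lines(PRINT_SERVER, ["printer1", "printer2", "printer3"], REFERENCE)))
    for name, problems in verify_deployment(REFERENCE, SAMPLE_OUTPUTS).items():
        print(name, "OK" if not problems else problems)
```

The comparison deliberately treats ACE order as significant: two descriptors with the same ACEs in a different order are not equivalent, because the DACL is evaluated top down and a deny that moves below an allow stops doing its job.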

Included below are charts of the SDDL acronyms, taken directly from MSDN2. They can also be viewed here:

https://msdn2.microsoft.com/en-us/library/aa374928.aspx

ACE Type

The ACE type designates whether the trustee is allowed, denied or audited.

Value  Description
"A"    ACCESS ALLOWED
"D"    ACCESS DENIED
"OA"   OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
"OD"   OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
"AU"   SYSTEM AUDIT
"AL"   SYSTEM ALARM
"OU"   OBJECT SYSTEM AUDIT
"OL"   OBJECT SYSTEM ALARM

Inheritance Flags

These are the control flags that precede the ACE list in a DACL or SACL (the "AI" in "D:AI" above).

Value  Name                     Description
"P"    SDDL_PROTECTED           Inheritance from containers that are higher in the folder hierarchy is blocked.
"AI"   SDDL_AUTO_INHERITED      Inheritance is allowed, assuming that "P" is not also set.
"AR"   SDDL_AUTO_INHERIT_REQ    Child objects inherit permissions from this object.

ACE Flags

The ACE flags denote the inheritance options for the ACE and, if it is in a SACL, the audit settings.

Value  Description
"CI"   CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI"   OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP"   NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.
"IO"   INHERITANCE ONLY: ACE DOESN'T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE.
"ID"   ACE IS INHERITED
"SA"   SUCCESSFUL ACCESS AUDIT
"FA"   FAILED ACCESS AUDIT

Permissions

The permissions are a list of the incremental permissions given (or denied/audited) to the trustee; these correspond to the permissions discussed earlier and are simply appended together. However, the incremental permissions are not the only permissions available. The table below lists all the permissions.

Value  Description

Generic access rights
"GA"   GENERIC ALL
"GR"   GENERIC READ
"GW"   GENERIC WRITE
"GX"   GENERIC EXECUTE

Directory service access rights
"RC"   Read Permissions
"SD"   Delete
"WD"   Modify Permissions
"WO"   Modify Owner
"RP"   Read All Properties
"WP"   Write All Properties
"CC"   Create All Child Objects
"DC"   Delete All Child Objects
"LC"   List Contents
"SW"   All Validated Writes
"LO"   List Object
"DT"   Delete Subtree
"CR"   All Extended Rights

File access rights
"FA"   FILE ALL ACCESS
"FR"   FILE GENERIC READ
"FW"   FILE GENERIC WRITE
"FX"   FILE GENERIC EXECUTE

Registry key access rights
"KA"   KEY ALL ACCESS
"KR"   KEY READ
"KW"   KEY WRITE
"KX"   KEY EXECUTE

Trustee

The Trustee is the SID of the user or group being given access (or denied or audited). Instead of a SID, there are several commonly used acronyms for well-known SIDs. These are listed in the table below:

Value  Description
"AO"   Account operators
"RU"   Alias to allow previous Windows 2000
"AN"   Anonymous logon
"AU"   Authenticated users
"BA"   Built-in administrators
"BG"   Built-in guests
"BO"   Backup operators
"BU"   Built-in users
"CA"   Certificate server administrators
"CG"   Creator group
"CO"   Creator owner
"DA"   Domain administrators
"DC"   Domain computers
"DD"   Domain controllers
"DG"   Domain guests
"DU"   Domain users
"EA"   Enterprise administrators
"ED"   Enterprise domain controllers
"WD"   Everyone
"PA"   Group Policy administrators
"IU"   Interactively logged-on user
"LA"   Local administrator
"LG"   Local guest
"LS"   Local service account
"SY"   Local system
"NU"   Network logon user
"NO"   Network configuration operators
"NS"   Network service account
"PO"   Printer operators
"PS"   Personal self
"PU"   Power users
"RS"   RAS servers group
"RD"   Terminal server users
"RE"   Replicator
"RC"   Restricted code
"SA"   Schema administrators
"SO"   Server operators
"SU"   Service logon user

Object Type and Inherited Object Type

The ObjectType is a GUID that identifies a type of child object, a property or property set, or an extended right. If present, it limits the ACE to the object the GUID represents. For a more verbose explanation of this please visit the following link:

https://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsce_ctl_iunu.mspx?mfr=true

Inherited Object Type contains a GUID that identifies the type of child object that can inherit the ACE. Inheritance is also controlled by the ACE's inheritance flags and by any protection against inheritance placed on the child object in its Security Descriptor Control Flags.

I hope you have found this entertaining and informative!

- Jim Tierney

Comments

  • Anonymous
    May 08, 2008
    PingBack from http://susanneurich.wordpress.com/2008/05/08/sddl-und-seine-syntax/

  • Anonymous
    August 12, 2008
    Mike here again. Today I’m focusing on policy settings for the Event Logging Service. For clarity, these

  • Anonymous
    September 25, 2008
    In the previous installment I described how an SDDL string is built, so now we can read something in...

  • Anonymous
    June 12, 2014
    Pingback from Adding Read-only permissions to Exchange 2007 Auditing Logs | Ilantz's Weblog