The Security Descriptor Definition Language (SDDL) was introduced in Windows 2000 to provide a textual representation for security descriptors. Prior to its introduction, security descriptors were typically represented as hex bytes, which was not particularly readable or editable.
Although the only defined revision number is 1 (SDDL_REVISION_1), there have actually been quite a few revisions to the Security Descriptor Definition Language, which makes you wonder what that revision number was for. Because the revision number has not changed when the language changed, a string you get back from ConvertSecurityDescriptorToStringSecurityDescriptor is guaranteed to parse only on the version of Windows that generated it. Feed it to an older version and the conversion back to a binary security descriptor may fail, because the older version does not recognize some of the newer tokens.
Oops.
Okay, so here’s a history of the Security Descriptor Definition Language, in table form.
SDDL Component Tags
| Code | Meaning | SDDL macro | Constant | Introduced |
|---|---|---|---|---|
| O | Owner | SDDL_OWNER | OWNER_SECURITY_INFORMATION | Windows 2000 |
| G | Group | SDDL_GROUP | GROUP_SECURITY_INFORMATION | Windows 2000 |
| D | DACL | SDDL_DACL | DACL_SECURITY_INFORMATION | Windows 2000 |
| S | SACL | SDDL_SACL | SACL_SECURITY_INFORMATION | Windows 2000 |
SDDL Security Descriptor Controls
| Code | Meaning | SDDL macro | Constants | Introduced |
|---|---|---|---|---|
| P | Protected | SDDL_PROTECTED | SE_DACL_PROTECTED, SE_SACL_PROTECTED | Windows 2000 |
| AR | Auto inherit request | SDDL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERIT_REQ, SE_SACL_AUTO_INHERIT_REQ | Windows 2000 |
| AI | Auto inherited | SDDL_AUTO_INHERITED | SE_DACL_AUTO_INHERITED, SE_SACL_AUTO_INHERITED | Windows 2000 |
| NO_ACCESS_CONTROL | Null ACL | SDDL_NULL_ACL | | Windows 7 |
SDDL ACE Types
| Code | Meaning | SDDL macro | Constant | Introduced |
|---|---|---|---|---|
| A | Access allowed | SDDL_ACCESS_ALLOWED | ACCESS_ALLOWED_ACE_TYPE | Windows 2000 |
| D | Access denied | SDDL_ACCESS_DENIED | ACCESS_DENIED_ACE_TYPE | Windows 2000 |
| OA | Object access allowed | SDDL_OBJECT_ACCESS_ALLOWED | ACCESS_ALLOWED_OBJECT_ACE_TYPE | Windows 2000 |
| OD | Object access denied | SDDL_OBJECT_ACCESS_DENIED | ACCESS_DENIED_OBJECT_ACE_TYPE | Windows 2000 |
| AU | Audit | SDDL_AUDIT | SYSTEM_AUDIT_ACE_TYPE | Windows 2000 |
| AL | Alarm | SDDL_ALARM | SYSTEM_ALARM_ACE_TYPE | Windows 2000 |
| OU | Object audit | SDDL_OBJECT_AUDIT | SYSTEM_AUDIT_OBJECT_ACE_TYPE | Windows 2000 |
| OL | Object alarm | SDDL_OBJECT_ALARM | SYSTEM_ALARM_OBJECT_ACE_TYPE | Windows 2000 |
| ML | Integrity label | SDDL_MANDATORY_LABEL | SYSTEM_MANDATORY_LABEL_ACE_TYPE | Windows Vista |
| XA | Callback access allowed | SDDL_CALLBACK_ACCESS_ALLOWED | ACCESS_ALLOWED_CALLBACK_ACE_TYPE | Windows 7 |
| XD | Callback access denied | SDDL_CALLBACK_ACCESS_DENIED | ACCESS_DENIED_CALLBACK_ACE_TYPE | Windows 7 |
| RA | Resource attribute | SDDL_RESOURCE_ATTRIBUTE | SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE | Windows 8 |
| SP | Scoped policy | SDDL_SCOPED_POLICY_ID | SYSTEM_SCOPED_POLICY_ID_ACE_TYPE | Windows 8 |
| XU | Callback audit | SDDL_CALLBACK_AUDIT | SYSTEM_AUDIT_CALLBACK_ACE_TYPE | Windows 8 |
| ZA | Callback object access allowed | SDDL_CALLBACK_OBJECT_ACCESS_ALLOWED | ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE | Windows 8 |
| TL | Process trust label | SDDL_PROCESS_TRUST_LABEL | SYSTEM_PROCESS_TRUST_LABEL_ACE_TYPE | Windows 8.1 |
| FL | Access filter | SDDL_ACCESS_FILTER | SYSTEM_ACCESS_FILTER_ACE_TYPE | Windows 10 Version 1703 |
SDDL Resource attribute ACE data types
| Code | Meaning | SDDL macro | Constant | Introduced |
|---|---|---|---|---|
| TI | Signed integer | SDDL_INT | CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64 | Windows 8 |
| TU | Unsigned integer | SDDL_UINT | CLAIM_SECURITY_ATTRIBUTE_TYPE_UINT64 | Windows 8 |
| TS | Wide string | SDDL_WSTRING | CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING | Windows 8 |
| TD | SID | SDDL_SID | CLAIM_SECURITY_ATTRIBUTE_TYPE_SID | Windows 8 |
| TX | Octet string | SDDL_BLOB | CLAIM_SECURITY_ATTRIBUTE_TYPE_OCTET_STRING | Windows 8 |
| TB | Boolean | SDDL_BOOLEAN | CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN | Windows 8 |
SDDL ACE flags
| Code | Meaning | SDDL macro | Constant | Introduced |
|---|---|---|---|---|
| CI | Container inherit | SDDL_CONTAINER_INHERIT | CONTAINER_INHERIT_ACE | Windows 2000 |
| OI | Object inherit | SDDL_OBJECT_INHERIT | OBJECT_INHERIT_ACE | Windows 2000 |
| NP | Inherit no propagate | SDDL_NO_PROPAGATE | NO_PROPAGATE_INHERIT_ACE | Windows 2000 |
| IO | Inherit only | SDDL_INHERIT_ONLY | INHERIT_ONLY_ACE | Windows 2000 |
| ID | Inherited | SDDL_INHERITED | INHERITED_ACE | Windows 2000 |
| SA | Audit success | SDDL_AUDIT_SUCCESS | SUCCESSFUL_ACCESS_ACE_FLAG | Windows 2000 |
| FA | Audit failure | SDDL_AUDIT_FAILURE | FAILED_ACCESS_ACE_FLAG | Windows 2000 |
| TP | Trust protected filter | SDDL_TRUST_PROTECTED_FILTER | TRUST_PROTECTED_FILTER_ACE_FLAG | Windows 10 Version 1703 |
| CR | Critical | SDDL_CRITICAL | CRITICAL_ACE_FLAG | Windows 10 Version 1809 |
SDDL access rights
| Code | Constant | SDDL macro | Applies to | Introduced |
|---|---|---|---|---|
| RP | ACTRL_DS_READ_PROP | SDDL_READ_PROPERTY | Directory services | Windows 2000 |
| WP | ACTRL_DS_WRITE_PROP | SDDL_WRITE_PROPERTY | Directory services | Windows 2000 |
| CC | ACTRL_DS_CREATE_CHILD | SDDL_CREATE_CHILD | Directory services | Windows 2000 |
| DC | ACTRL_DS_DELETE_CHILD | SDDL_DELETE_CHILD | Directory services | Windows 2000 |
| LC | ACTRL_DS_LIST | SDDL_LIST_CHILDREN | Directory services | Windows 2000 |
| SW | ACTRL_DS_SELF | SDDL_SELF_WRITE | Directory services | Windows 2000 |
| LO | ACTRL_DS_LIST_OBJECT | SDDL_LIST_OBJECT | Directory services | Windows 2000 |
| DT | ACTRL_DS_DELETE_TREE | SDDL_DELETE_TREE | Directory services | Windows 2000 |
| CR | ACTRL_DS_CONTROL_ACCESS | SDDL_CONTROL_ACCESS | Directory services | Windows 2000 |
| RC | READ_CONTROL | SDDL_READ_CONTROL | Anything | Windows 2000 |
| WD | WRITE_DAC | SDDL_WRITE_DAC | Anything | Windows 2000 |
| WO | WRITE_OWNER | SDDL_WRITE_OWNER | Anything | Windows 2000 |
| SD | DELETE | SDDL_STANDARD_DELETE | Anything | Windows 2000 |
| GA | GENERIC_ALL | SDDL_GENERIC_ALL | Anything | Windows 2000 |
| GR | GENERIC_READ | SDDL_GENERIC_READ | Anything | Windows 2000 |
| GW | GENERIC_WRITE | SDDL_GENERIC_WRITE | Anything | Windows 2000 |
| GX | GENERIC_EXECUTE | SDDL_GENERIC_EXECUTE | Anything | Windows 2000 |
| FA | FILE_ALL_ACCESS | SDDL_FILE_ALL | Files and folders | Windows 2000 |
| FR | FILE_GENERIC_READ | SDDL_FILE_READ | Files and folders | Windows 2000 |
| FW | FILE_GENERIC_WRITE | SDDL_FILE_WRITE | Files and folders | Windows 2000 |
| FX | FILE_GENERIC_EXECUTE | SDDL_FILE_EXECUTE | Files and folders | Windows 2000 |
| KA | KEY_ALL_ACCESS | SDDL_KEY_ALL | Registry keys | Windows 2000 |
| KR | KEY_READ | SDDL_KEY_READ | Registry keys | Windows 2000 |
| KW | KEY_WRITE | SDDL_KEY_WRITE | Registry keys | Windows 2000 |
| KX | KEY_EXECUTE | SDDL_KEY_EXECUTE | Registry keys | Windows 2000 |
| NW | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP | SDDL_NO_WRITE_UP | Mandatory label ACE | Windows 7 |
| NR | SYSTEM_MANDATORY_LABEL_NO_READ_UP | SDDL_NO_READ_UP | Mandatory label ACE | Windows 7 |
| NX | SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP | SDDL_NO_EXECUTE_UP | Mandatory label ACE | Windows 7 |
SDDL users and groups
| Tag | Meaning | SDDL macro | RID constant | Introduced |
|---|---|---|---|---|
| DA | Domain admins | SDDL_DOMAIN_ADMINISTRATORS | DOMAIN_GROUP_RID_ADMINS | Windows 2000 |
| DG | Domain guests | SDDL_DOMAIN_GUESTS | DOMAIN_GROUP_RID_GUESTS | Windows 2000 |
| DU | Domain users | SDDL_DOMAIN_USERS | DOMAIN_GROUP_RID_USERS | Windows 2000 |
| ED | Enterprise domain controllers | SDDL_ENTERPRISE_DOMAIN_CONTROLLERS | SECURITY_SERVER_LOGON_RID | Windows 2000 |
| DD | Domain domain controllers | SDDL_DOMAIN_DOMAIN_CONTROLLERS | DOMAIN_GROUP_RID_CONTROLLERS | Windows 2000 |
| DC | Domain computers | SDDL_DOMAIN_COMPUTERS | DOMAIN_GROUP_RID_COMPUTERS | Windows 2000 |
| BA | Local administrators | SDDL_BUILTIN_ADMINISTRATORS | DOMAIN_ALIAS_RID_ADMINS | Windows 2000 |
| BG | Local guests | SDDL_BUILTIN_GUESTS | DOMAIN_ALIAS_RID_GUESTS | Windows 2000 |
| BU | Local users | SDDL_BUILTIN_USERS | DOMAIN_ALIAS_RID_USERS | Windows 2000 |
| LA | Local administrator account | SDDL_LOCAL_ADMIN | DOMAIN_USER_RID_ADMIN | Windows 2000 |
| LG | Local guest account | SDDL_LOCAL_GUEST | DOMAIN_USER_RID_GUEST | Windows 2000 |
| AO | Account operators | SDDL_ACCOUNT_OPERATORS | DOMAIN_ALIAS_RID_ACCOUNT_OPS | Windows 2000 |
| BO | Backup operators | SDDL_BACKUP_OPERATORS | DOMAIN_ALIAS_RID_BACKUP_OPS | Windows 2000 |
| PO | Printer operators | SDDL_PRINTER_OPERATORS | DOMAIN_ALIAS_RID_PRINT_OPS | Windows 2000 |
| SO | Server operators | SDDL_SERVER_OPERATORS | DOMAIN_ALIAS_RID_SYSTEM_OPS | Windows 2000 |
| AU | Authenticated users | SDDL_AUTHENTICATED_USERS | SECURITY_AUTHENTICATED_USER_RID | Windows 2000 |
| PS | Personal self | SDDL_PERSONAL_SELF | SECURITY_PRINCIPAL_SELF_RID | Windows 2000 |
| CO | Creator owner | SDDL_CREATOR_OWNER | SECURITY_CREATOR_OWNER_RID | Windows 2000 |
| CG | Creator group | SDDL_CREATOR_GROUP | SECURITY_CREATOR_GROUP_RID | Windows 2000 |
| SY | Local system | SDDL_LOCAL_SYSTEM | SECURITY_LOCAL_SYSTEM_RID | Windows 2000 |
| PU | Power users | SDDL_POWER_USERS | DOMAIN_ALIAS_RID_POWER_USERS | Windows 2000 |
| WD | Everyone (World) | SDDL_EVERYONE | SECURITY_WORLD_RID | Windows 2000 |
| RE | Replicator | SDDL_REPLICATOR | DOMAIN_ALIAS_RID_REPLICATOR | Windows 2000 |
| IU | Interactive logon user | SDDL_INTERACTIVE | SECURITY_INTERACTIVE_RID | Windows 2000 |
| NU | Network logon user | SDDL_NETWORK | SECURITY_NETWORK_RID | Windows 2000 |
| SU | Service logon user | SDDL_SERVICE | SECURITY_SERVICE_RID | Windows 2000 |
| RC | Restricted code | SDDL_RESTRICTED_CODE | SECURITY_RESTRICTED_CODE_RID | Windows 2000 |
| SA | Schema administrators | SDDL_SCHEMA_ADMINISTRATORS | DOMAIN_GROUP_RID_SCHEMA_ADMINS | Windows 2000 |
| CA | Certificate server administrators | SDDL_CERT_SERV_ADMINISTRATORS | DOMAIN_GROUP_RID_CERT_ADMINS | Windows 2000 |
| RS | RAS servers group | SDDL_RAS_SERVERS | DOMAIN_ALIAS_RID_RAS_SERVERS | Windows 2000 |
| EA | Enterprise administrators | SDDL_ENTERPRISE_ADMINS | DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | Windows 2000 |
| PA | Group Policy administrators | SDDL_GROUP_POLICY_ADMINS | DOMAIN_GROUP_RID_POLICY_ADMINS | Windows 2000 |
| RU | Compatibility for pre-Windows 2000 accounts | SDDL_ALIAS_PREW2KCOMPACC | DOMAIN_ALIAS_RID_PREW2KCOMPACCESS | Windows 2000 |
| AN | Anonymous logon | SDDL_ANONYMOUS | SECURITY_ANONYMOUS_LOGON_RID | Windows XP |
| LS | Local service account | SDDL_LOCAL_SERVICE | SECURITY_LOCAL_SERVICE_RID | Windows XP |
| NS | Network service account | SDDL_NETWORK_SERVICE | SECURITY_NETWORK_SERVICE_RID | Windows XP |
| RD | Remote desktop users | SDDL_REMOTE_DESKTOP | DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS | Windows XP |
| NO | Network configuration operators | SDDL_NETWORK_CONFIGURATION_OPS | DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS | Windows XP |
| MU | Performance Monitor users | SDDL_PERFMON_USERS | DOMAIN_ALIAS_RID_MONITORING_USERS | Windows XP |
| LU | Performance Log users | SDDL_PERFLOG_USERS | DOMAIN_ALIAS_RID_LOGGING_USERS | Windows XP |
| WR | Write Restricted code | SDDL_WRITE_RESTRICTED_CODE | SECURITY_WRITE_RESTRICTED_CODE_RID | Windows Vista |
| IS | Anonymous Internet users | SDDL_IIS_USERS | DOMAIN_ALIAS_RID_IUSERS | Windows Vista |
| CY | Crypto operators | SDDL_CRYPTO_OPERATORS | DOMAIN_ALIAS_RID_CRYPTO_OPERATORS | Windows Vista |
| OW | Owner Rights SID | SDDL_OWNER_RIGHTS | SECURITY_CREATOR_OWNER_RIGHTS_RID | Windows Vista |
| RM | RMS service operators | SDDL_RMS_SERVICE_OPERATORS | DOMAIN_ALIAS_RID_RMS_SERVICE_OPERATORS | Windows Vista (removed in Windows 7) |
| ER | Event log readers | SDDL_EVENT_LOG_READERS | DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP | Windows 7 |
| RO | Enterprise read-only domain controllers | SDDL_ENTERPRISE_RO_DCs | DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS | Windows 7 |
| CD | Can connect to certification authorities using DCOM | SDDL_CERTSVC_DCOM_ACCESS | DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP | Windows 7 |
| AC | All applications running in an app package context | SDDL_ALL_APP_PACKAGES | SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE | Windows 8 |
| RA | RDS remote access servers | SDDL_RDS_REMOTE_ACCESS_SERVERS | DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS | Windows 8 |
| ES | Endpoint servers | SDDL_RDS_ENDPOINT_SERVERS | DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS | Windows 8 |
| MS | Management servers | SDDL_RDS_MANAGEMENT_SERVERS | DOMAIN_ALIAS_RID_RDS_MANAGEMENT_SERVERS | Windows 8 |
| UD | User-mode driver | SDDL_USER_MODE_DRIVERS | SECURITY_USERMODEDRIVERHOST_ID_BASE_RID | Windows 8 |
| HA | Hyper-V administrators | SDDL_HYPER_V_ADMINS | DOMAIN_ALIAS_RID_HYPER_V_ADMINS | Windows 8 |
| CN | Domain controllers which may be cloned | SDDL_CLONEABLE_CONTROLLERS | DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS | Windows 8 |
| AA | Access control assistant operators | SDDL_ACCESS_CONTROL_ASSISTANCE_OPS | DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS | Windows 8 |
| RM | Remote management users | SDDL_REMOTE_MANAGEMENT_USERS | DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS | Windows 8 |
| AS | Authentication Authority Asserted | SDDL_AUTHORITY_ASSERTED | SECURITY_AUTHENTICATION_AUTHORITY_ASSERTED_RID | Windows 8 |
| SS | Authentication Service Asserted | SDDL_SERVICE_ASSERTED | SECURITY_AUTHENTICATION_SERVICE_ASSERTED_RID | Windows 8 |
| AP | Protected users | SDDL_PROTECTED_USERS | DOMAIN_GROUP_RID_PROTECTED_USERS | Windows 8.1 |
| KA | Domain key credential administrators | SDDL_KEY_ADMINS | DOMAIN_GROUP_RID_KEY_ADMINS | Windows 10 |
| EK | Enterprise key credential administrators | SDDL_ENTERPRISE_KEY_ADMINS | DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS | Windows 10 |
“RM” is the only case I can find of something being removed from SDDL, and even then the two letters did not stay free for long: Windows 8 reassigned them to Remote management users, so the same tag means different groups on different versions of Windows.
SDDL integrity labels
| Code | Meaning | Constant | Introduced |
|---|---|---|---|
| LW | Low mandatory level | SECURITY_MANDATORY_LOW_RID | Windows Vista |
| ME | Medium mandatory level | SECURITY_MANDATORY_MEDIUM_RID | Windows Vista |
| MP | Medium Plus mandatory level | SECURITY_MANDATORY_MEDIUM_PLUS_RID | Windows 7 |
| HI | High mandatory level | SECURITY_MANDATORY_HIGH_RID | Windows Vista |
| SI | System mandatory level | SECURITY_MANDATORY_SYSTEM_RID | Windows Vista |
SDDL syntax elements
| Syntax | Meaning | SDDL macros | Introduced |
|---|---|---|---|
| semicolon | Separates elements inside an ACE | SDDL_SEPERATOR | Windows 2000 |
| colon | Delimits SD components | SDDL_DELIMINATOR | Windows 2000 |
| parentheses | Enclose an ACE | SDDL_ACE_BEGIN, SDDL_ACE_END | Windows 2000 |
| parentheses | Enclose a conditional ACE expression | SDDL_ACE_COND_BEGIN, SDDL_ACE_COND_END | Windows 7 |
| curly braces | Enclose a comma-separated list of SIDs | SDDL_ACE_COND_COMPOSITEVALUE_BEGIN, SDDL_ACE_COND_COMPOSITEVALUE_SEPERATOR, SDDL_ACE_COND_COMPOSITEVALUE_END | Windows 7 |
| number sign | Hexadecimal byte data | SDDL_ACE_COND_BLOB_PREFIX | Windows 7 |
| parentheses | Enclose a string SID in a SID list | SDDL_ACE_COND_SID_BEGIN, SDDL_ACE_COND_SID_END | Windows 7 |
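The tables above are what you need when you have pulled an SDDL string off a machine (from `sc sdshow`, a registry export or a Group Policy backup) and want to read it somewhere other than the box that produced it. As an added example, not code from the original article, here is a small Python decoder driven by those tables: it splits the owner, group, DACL and SACL components, breaks each ACE into its fields, and, as a practical form of the revision-number complaint at the top of the article, reports the oldest Windows release whose SDDL parser knows every token the string uses. The token tables are a subset of the ones above (with the "Introduced" values taken from them as given), and the sample descriptors are constructed for illustration.

```python
"""Decode SDDL strings offline and report the oldest Windows release whose SDDL parser knows
every token used, driven by the "Introduced" columns of the tables above. Added example, not
code from the original article; the token tables are a subset and the samples are constructed."""
import re
from collections import namedtuple

# Release order; a later index means a newer release.
RELEASES = ["Windows 2000", "Windows XP", "Windows Vista", "Windows 7", "Windows 8",
            "Windows 8.1", "Windows 10", "Windows 10 Version 1703", "Windows 10 Version 1809"]

def _tbl(spec):
    """Build {code: release introduced} from 'release: CODE CODE; release: CODE ...'."""
    out = {}
    for entry in spec.split(";"):
        release, codes = entry.split(":")
        out.update({c: release.strip() for c in codes.split()})
    return out

CONTROLS = _tbl("Windows 2000: P AR AI; Windows 7: NO_ACCESS_CONTROL")
ACE_TYPES = _tbl("Windows 2000: A D OA OD AU AL OU OL; Windows Vista: ML; Windows 7: XA XD;"
                 " Windows 8: RA SP XU ZA; Windows 8.1: TL; Windows 10 Version 1703: FL")
ACE_FLAGS = _tbl("Windows 2000: CI OI NP IO ID SA FA; Windows 10 Version 1703: TP;"
                 " Windows 10 Version 1809: CR")
RIGHTS = _tbl("Windows 2000: RP WP CC DC LC SW LO DT CR RC WD WO SD GA GR GW GX FA FR FW FX"
              " KA KR KW KX; Windows 7: NW NR NX")
TRUSTEES = _tbl("Windows 2000: DA DG DU ED DD DC BA BG BU LA LG AO BO PO SO AU PS CO CG SY PU WD"
                " RE IU NU SU RC SA CA RS EA PA RU; Windows XP: AN LS NS RD NO MU LU;"
                " Windows Vista: WR IS CY OW LW ME HI SI; Windows 7: ER RO CD MP;"
                " Windows 8: AC RA ES MS UD HA CN AA RM AS SS; Windows 8.1: AP; Windows 10: KA EK")

# rights: list of codes, or an int for a raw 0x mask; extra: optional 7th ACE field (condition/attribute).
Ace = namedtuple("Ace", "ace_type flags rights object_guid inherit_guid trustee extra")
Descriptor = namedtuple("Descriptor", "owner group dacl_controls dacl sacl_controls sacl min_release")

def _depth0(text):
    depth = 0                      # yield (index, char) for characters not inside parentheses
    for i, c in enumerate(text):
        depth += (c == "(") - (c == ")")
        if depth == 0:
            yield i, c

def _components(sddl):
    """Split 'O:..G:..D:..S:..' into {tag: body}; tags are recognised only outside ACEs."""
    tags = [(i, c) for i, c in _depth0(sddl) if c in "OGDS" and sddl[i + 1:i + 2] == ":"]
    ends = [i for i, _ in tags[1:]] + [len(sddl)]
    return {c: sddl[i + 2:e] for (i, c), e in zip(tags, ends)}

def _aces(body):
    """Split a DACL/SACL body into (control-flag text, [ACE bodies without their parentheses])."""
    head = body.split("(", 1)[0]
    ends = [i for i, c in _depth0(body) if c == ")"]
    starts = [len(head)] + [e + 1 for e in ends[:-1]]
    return head, [body[s + 1:e] for s, e in zip(starts, ends)]

def _codes(text, table, what, need):
    """Split a run of two-letter codes; the table is chosen by field, since codes are reused."""
    codes = re.findall(r"[A-Z]{2}", text)
    if "".join(codes) != text or any(c not in table for c in codes):
        raise ValueError(f"bad {what} field {text!r}")
    need.extend(table[c] for c in codes)
    return codes

def _controls(text, need):
    if not re.fullmatch(r"(?:NO_ACCESS_CONTROL|AR|AI|P)*", text):
        raise ValueError(f"bad ACL control flags {text!r}")
    out = re.findall(r"NO_ACCESS_CONTROL|AR|AI|P", text)
    need.extend(CONTROLS[t] for t in out)
    return out

def _trustee(text, need):
    if text in TRUSTEES:
        need.append(TRUSTEES[text])
    elif not re.fullmatch(r"S-1-\d+(?:-\d+)+", text):
        raise ValueError(f"unknown trustee {text!r}")
    return text

def _ace(text, need):
    cuts = [i for i, c in _depth0(text) if c == ";"]
    f = [text[a + 1:b] for a, b in zip([-1] + cuts, cuts + [len(text)])]
    if len(f) not in (6, 7) or f[0] not in ACE_TYPES:
        raise ValueError(f"malformed ACE {text!r}")
    need += [ACE_TYPES[f[0]]] + (["Windows 7"] if len(f) == 7 else [])  # 7th field = Win7 syntax
    rights = int(f[2], 16) if f[2].startswith("0x") else _codes(f[2], RIGHTS, "access right", need)
    return Ace(f[0], _codes(f[1], ACE_FLAGS, "ACE flag", need), rights, f[3], f[4],
               _trustee(f[5], need), f[6] if len(f) == 7 else None)

def parse_sddl(sddl):
    """Parse an SDDL string; min_release is the oldest release whose parser knows every token."""
    comps, need = _components(sddl), []
    owner, group = (_trustee(comps[t], need) if t in comps else None for t in "OG")
    acls = [(_controls(head, need), [_ace(a, need) for a in aces])
            for head, aces in (_aces(comps.get(t, "")) for t in "DS")]
    oldest = max(need, key=RELEASES.index, default="Windows 2000")
    return Descriptor(owner, group, *acls[0], *acls[1], oldest)

# Constructed sample descriptors, not captured from any real system.
SAMPLES = {
    "file":         "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)",
    "audit":        "O:SYG:SYD:(A;;FA;;;SY)S:(AU;SAFA;FA;;;WD)",
    "conditional":  "D:(XA;;FR;;;WD;(Member_of {SID(BA)}))",
    "appcontainer": "D:(A;;GR;;;AC)(A;;FA;;;SY)",
    "critical":     "D:(A;CR;FA;;;SY)",   # CR in the flags field: Critical ACE, Windows 10 1809
    "control":      "D:(OA;;CR;;;AU)",    # CR in the rights field: Control Access, Windows 2000
}
```

Running `parse_sddl` over the samples gives "Windows 2000" for the plain file and audit descriptors, "Windows 7" for the conditional ACE, "Windows 8" for the AppContainer trustee and "Windows 10 Version 1809" for the Critical flag; that is the compatibility information the unchanging revision number does not carry. Note that the decoder picks its lookup table by field position rather than by the two letters alone: CR is the Critical ACE flag in the flags field but ACTRL_DS_CONTROL_ACCESS in the rights field, FA is Audit failure as a flag and FILE_ALL_ACCESS as a right, and WD, AU, RC, SA, RA and KA all double as trustee aliases. A parser that matches on letters without regard to position will silently misread an ACE.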
I like how “separator” and “delimiter” are misspelled.
Rumours that SDDL was inspired by the programming language Malbolge are… well, probably only slightly true.
Removing a code between Vista and 7 seems like exactly the sort of situation that would demand a version change, because a string may not be compatible with a newer Windows version. Guessing someone decided that code changes don’t need a version change; maybe they are being reserved for a more fundamental change of syntax, but even then, that changed in 7 too.
Without practice, this information could induce line twists the next time I boot to the troubleshooting command prompt to temporarily get a piece of software out of my way to test some possible network comms etc. issue, haha.
Deliminator: http://www.catb.org/jargon/html/D/deliminator.html
(Apologies. My normal account is *not* working right now.)
Am I the only one who finds it ironic that RM is the only thing that got ReMoved? It was almost like someone got to type “rm RM”