{"id":40273,"date":"2004-03-12T07:00:00","date_gmt":"2004-03-12T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2004\/03\/12\/what-is-the-default-security-descriptor\/"},"modified":"2004-03-12T07:00:00","modified_gmt":"2004-03-12T07:00:00","slug":"what-is-the-default-security-descriptor","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20040312-00\/?p=40273","title":{"rendered":"What is the default security descriptor?"},"content":{"rendered":"

\nAll these functions have an optional LPSECURITY_ATTRIBUTES parameter,\nfor which everybody just passes NULL, thereby obtaining the default\nsecurity descriptor.\nBut what is<\/b> the default security descriptor?\n<\/p>\n

\nOf course, the place to start is MSDN, in the section titled\n\nSecurity Descriptors for New Objects<\/a>.\n<\/p>\n

\nIt says that the default DACL comes from inheritable ACEs\n(if the object belongs to a hierarchy, like the filesystem\nor the registry); otherwise, the default DACL comes from the\nprimary or impersonation token of the creator.\n<\/p>\n

\nBut what is the default primary token?\n<\/p>\n

\nGosh, I don’t know either. So let’s write a program to find out.\n<\/p>\n

\n#include <windows.h>\n#include <sddl.h> \/\/ ConvertSecurityDescriptorToStringSecurityDescriptor\nint WINAPI\nWinMain(HINSTANCE, HINSTANCE, LPSTR, int)\n{\n HANDLE Token;\n if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &Token)) {\n DWORD RequiredSize = 0;\n GetTokenInformation(Token, TokenDefaultDacl, NULL, 0, &RequiredSize);\n TOKEN_DEFAULT_DACL* DefaultDacl =\n     reinterpret_cast<TOKEN_DEFAULT_DACL*>(LocalAlloc(LPTR, RequiredSize));\n if (DefaultDacl) {\n  SECURITY_DESCRIPTOR Sd;\n  LPTSTR StringSd;\n  if (GetTokenInformation(Token, TokenDefaultDacl, DefaultDacl,\n                          RequiredSize, &RequiredSize) &&\n      InitializeSecurityDescriptor(&Sd, SECURITY_DESCRIPTOR_REVISION) &&\n      SetSecurityDescriptorDacl(&Sd, TRUE,\n          DefaultDacl->DefaultDacl, FALSE) &&\n      ConvertSecurityDescriptorToStringSecurityDescriptor(&Sd,\n          SDDL_REVISION_1, DACL_SECURITY_INFORMATION, &StringSd, NULL)) {\n   MessageBox(NULL, StringSd, TEXT(\"Result\"), MB_OK);\n   LocalFree(StringSd);\n  }\n  LocalFree(DefaultDacl);\n }\n CloseHandle(Token);\n }\n return 0;\n}\n<\/pre>\n
\nOkay, I admit it, the whole purpose of this entry is just so I can call\nthe function\n\nConvertSecurityDescriptorToStringSecurityDescriptor<\/a>,\nquite possibly the longest function name in the Win32 API.\nAnd just for fun, I used the NT variable naming convention instead\nof Hungarian.\n<\/p>\n
\nIf you run this program you’ll get something like this:\n<\/p>\n
\nD:(A;;GA;;;S-1-5-21-1935655697-839522115-854245398-1003)(A;;GA;;;SY)\n<\/pre>\n
\nPull out our\n\nhandy reference to the Security Descriptor String Format<\/a> to decode this.\n<\/p>\n