Updated ACL model in Vista improves on XP and 2003
June 5, 2007
There are various changes to the ACL model between XP/2003 and Windows Vista. Some are simple changes to defaults, such as who has permission to create and modify files in the root of the boot volume; others are more involved, concerning the implicit permissions granted to the owner of an object and how those can now be restricted further.
Jesper Johansson has written an excellent and detailed TechNet Magazine article about Vista’s new ACL features and how they improve security. Some of it is simply useful to know, since the change just does its job under the hood; other parts are worth understanding in depth in order to make use of the new capabilities.
Some of these new features can obviously be expected in Longhorn Server 2008 as well. The new Owner Rights permissions, for example, should give file-server administrators a way to let their users create and modify folders without those users also gaining the ability to change the ACLs and lock out the people who should have access, or worse, weaken carefully designed security structures.
There is now a SID for OWNER RIGHTS, which applies to whoever happens to own a file at the time it is accessed. It is primarily used to restrict what the owner can do with the file. There are two notable changes to how owner rights work as compared to Windows XP. First, if you are the owner of the object, but there is an ACE on the object that applies to you, the rights in the ACE will supersede the fact that you are the owner. This is a major change and will significantly impact certain aspects of system administration as we are used to the owner having implicit rights. Second, the OWNER RIGHTS SID can be used to further restrict what the owner can do with an object.
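How a file-server administrator could apply the OWNER RIGHTS SID described above to a shared folder, as an added example that is not from the article or from Microsoft. The folder path and group name are placeholders; S-1-3-4 is the well-known SID for OWNER RIGHTS, and the script assumes it is run as an administrator on Vista/Server 2008 or later.

```powershell
# Added example: restrict what the owner of files under a share can do by adding an
# OWNER RIGHTS (S-1-3-4) ACE. Folder path and group name are placeholders.
$Folder = 'D:\Shares\Projects'
$Group  = 'CONTOSO\ProjectUsers'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder

# Stop inheriting from the parent and discard inherited ACEs, so the ACL below is exactly what applies.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Users may create and change content. Modify does not include ChangePermissions or TakeOwnership.
$usersRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($usersRule)

# Administrators keep full control.
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($adminRule)

# OWNER RIGHTS: whoever owns a file or folder gets only these rights by virtue of ownership.
# Without this ACE the owner implicitly holds READ_CONTROL and WRITE_DAC and could re-ACL
# the files they created; with it, ownership grants no more than Modify.
$ownerSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')
$ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ownerSid, 'Modify', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($ownerRule)

Set-Acl -Path $Folder -AclObject $acl

# Verify: list the resulting ACEs and flag any non-admin entry that still carries
# ChangePermissions (WRITE_DAC, 0x40000).
$result = (Get-Acl -Path $Folder).Access
$result | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
$risky = $result | Where-Object {
    $_.IdentityReference.Value -ne 'BUILTIN\Administrators' -and
    (([int]$_.FileSystemRights -band 0x40000) -ne 0)
}
if ($risky) { Write-Warning 'ACEs below still allow changing permissions:'; $risky | Format-Table }
else        { Write-Output "OK: only Administrators can change permissions on $Folder" }
```

The OWNER RIGHTS ACE is shown in the listing as an entry for OWNER RIGHTS with Modify; removing it and re-running shows why it matters, since ownership alone would again carry the implicit right to change the DACL.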