What are Windows ACLs?

What are Windows ACLs and why are they important?


I found the following at this wiki page.

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice, delete), this would give Alice permission to delete the file.

To answer your question about "why are they important?", if you do not yet understand: if you did not have them, permissions wouldn't exist. This is how Windows understands who has certain privileges.


An Access Control List (ACL) has zero or more Access Control Entries (ACEs). Many different objects in Windows can have ACLs, such as files, devices, printers, registry entries, and other things. (Check out Sysinternals' WinObj if you want to get an overview of all the different types of objects in the Windows "namespace"; many are internal to Windows and not directly exposed to the user.)

An ACE consists of

  • A principal. Usually this is either a user or a group. It could be a user, group, or computer in an Active Directory database on a domain controller, or a local user. There are "virtual" groups such as "Everyone" and "Authenticated Users."

and

  • One or more capabilities; each capability can be set to Allow or Deny. Some examples of capabilities are "Read", "Write", "List Contents", etc. Deny takes precedence over Allow. Most objects such as files, etc. won't allow access or changes unless there's a specific "Allow" ACL available; thus Deny should only be used in special circumstances.

ACLs can be inherited, i.e. files in lower-level directories can inherit ACLs from upper-level directories.

They are important because this is how Windows gives and enforces privileges to processes. Each process runs as a user, and if that user "falls under" one or more ACEs then Windows resolves all of them to figure out whether a specific action is allowed or not.


You can look at it like this.

Every object on NTFS has a serialized number (including user accounts, user groups, processes, devices, etc.). The Access Control List keeps track of which serialized number can access another serialized number, and what permissions are set. Just think of everything having a serialized number, with permissions attached to them.

If you delete a user named FRED, his serialized number is deleted, and it is removed from the ACL. Effectively, FRED's serialized number is no longer associated with other devices, and the permissions he had with those devices are also removed.

If you re-create a user named FRED, he will be assigned a new serialized number. The ACL will recognize this as a new number. Therefore, it will not re-establish any permissions which the deleted FRED account had.

Hope this helps conceptualize what the ACL is, how it works, and why it is important.
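The two answers above describe the same mechanism from two angles: the ACE structure (principal, Allow/Deny, rights, inheritance, Deny beating Allow, no access without an explicit Allow) and the "serialized number" (the SID) that a deleted and re-created account does not get back. The following is an added toy model written for this page, not code from either answer or from Windows itself. It walks a DACL the way the Windows access check does, in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), and then shows a re-created FRED failing to match the old ACEs. The SID strings, account names, rights names and the `Sam` account store are constructed for the example; `inherit()` assumes every parent ACE is inheritable, which real ACEs control with flags.

```python
"""Toy model of a Windows DACL access check (added illustration, not from the answers).

Assumptions, labelled here and in the lead-in: SIDs and account names are
constructed samples; every parent ACE is treated as inheritable; a deleted
account's ACEs are left orphaned in the DACL (Windows does not purge them).
"""
from dataclasses import dataclass

# Well-known SIDs (real values): BUILTIN\Users and Everyone.
USERS = "S-1-5-32-545"
EVERYONE = "S-1-1-0"


@dataclass(frozen=True)
class Ace:
    sid: str           # the principal: a user, group or computer SID
    allow: bool        # True = Allow ACE, False = Deny ACE
    rights: frozenset  # capabilities covered, e.g. {"Read", "Write"}
    inherited: bool = False


@dataclass(frozen=True)
class Principal:
    sid: str
    groups: frozenset  # SIDs of groups the account belongs to


def canonical_order(dacl):
    # Windows keeps a DACL in canonical order: explicit Deny, explicit Allow,
    # inherited Deny, inherited Allow. sorted() is stable, so ACEs with the
    # same class keep their relative order.
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(dacl, principal, requested):
    """True if every right in `requested` is granted to `principal`."""
    remaining = set(requested)
    token_sids = {principal.sid} | set(principal.groups)
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue  # ACE is for someone else
        if ace.allow:
            remaining -= ace.rights
            if not remaining:
                return True
        elif ace.rights & remaining:
            # A Deny covering any still-outstanding right ends the check.
            return False
    # Ran out of ACEs with rights still outstanding: there is no implicit Allow.
    return not remaining


def inherit(parent_dacl):
    """Child object's copy of the parent's ACEs, flagged as inherited."""
    return [Ace(a.sid, a.allow, a.rights, inherited=True) for a in parent_dacl]


class Sam:
    """Minimal account database: a SID, once issued, is never reused."""

    def __init__(self, domain="S-1-5-21-1000-2000-3000"):  # constructed domain SID
        self.domain = domain
        self.next_rid = 1001
        self.accounts = {}

    def create_user(self, name, groups=()):
        sid = f"{self.domain}-{self.next_rid}"
        self.next_rid += 1
        self.accounts[name] = Principal(sid, frozenset(groups))
        return self.accounts[name]

    def delete_user(self, name):
        # Deleting the account does not rewrite DACLs; its ACEs become orphans.
        del self.accounts[name]


def demo():
    sam = Sam()
    fred = sam.create_user("FRED", groups={USERS})
    alice = sam.create_user("ALICE")  # not a member of Users

    # Folder DACL: Users may read/list, FRED may write, Users may not delete.
    folder_dacl = [
        Ace(USERS, True, frozenset({"Read", "ListContents"})),
        Ace(fred.sid, True, frozenset({"Write"})),
        Ace(USERS, False, frozenset({"Delete"})),
    ]
    # File inside the folder: inherits everything, plus two explicit ACEs.
    file_dacl = inherit(folder_dacl) + [
        Ace(fred.sid, False, frozenset({"Write"})),  # explicit Deny Write
        Ace(fred.sid, True, frozenset({"Delete"})),  # explicit Allow Delete
    ]
    results = {
        "fred_reads_file": access_check(file_dacl, fred, {"Read"}),
        "fred_writes_file": access_check(file_dacl, fred, {"Write"}),
        "fred_writes_folder": access_check(folder_dacl, fred, {"Write"}),
        "fred_deletes_file": access_check(file_dacl, fred, {"Delete"}),
        "alice_reads_file": access_check(file_dacl, alice, {"Read"}),
    }
    # Delete FRED and re-create the name: new SID, so the old ACEs no longer match.
    sam.delete_user("FRED")
    fred2 = sam.create_user("FRED", groups={USERS})
    results["new_fred_sid_differs"] = fred2.sid != fred.sid
    results["new_fred_reads_folder"] = access_check(folder_dacl, fred2, {"Read"})
    results["new_fred_writes_folder"] = access_check(folder_dacl, fred2, {"Write"})
    return results


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'ALLOWED' if granted else 'DENIED'}")
```

Two points the run makes visible: the explicit Deny on the file blocks FRED's Write even though the folder allows it, while the explicit Allow Delete on the file wins over the inherited Deny because explicit ACEs are evaluated before inherited ones (the one refinement Windows adds to "Deny beats Allow"); and the re-created FRED keeps only the access he gets through the Users group, since his new SID matches none of the old per-user ACEs.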