What is an Access Control List (ACL)
An Access Control List (ACL) is a security feature in Windows that defines which users or groups have specific types of access to a particular object, such as a file, folder, registry key, or Active Directory item.
An ACL is made up of multiple Access Control Entries (ACEs). Each ACE specifies access rights for a user or group.
Types of ACLs
Discretionary Access Control List (DACL)
- Specifies who is allowed or denied access to an object.
- A DACL contains ACEs that grant or deny permissions.
- If there is no DACL, access is unrestricted.
- If the DACL is empty, no one can access the object.
System Access Control List (SACL)
- Specifies which access attempts should be audited.
- Used to log successful or failed attempts to access or modify an object.
- Audit information is recorded in the Windows Security event log.
What an ACE Contains
An Access Control Entry (ACE) includes the following components:
- The identity of the user, group, or computer (called the security principal)
- The type of access being allowed or denied (such as Read, Write, or Modify)
- A flag indicating whether the access is allowed or denied
- Inheritance information that determines if the entry applies to subfolders or child objects
Common Uses in Windows
- Files and folders: ACLs manage access in the NTFS file system.
- Active Directory: ACLs control who can view or modify directory objects.
- Registry and services: ACLs define administrative and user access levels.
ACLs can be managed through:
- The Security tab in the Properties window of files or folders
- Command-line tools such as icacls or cacls
- PowerShell commands like Get-Acl and Set-Acl
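As an added example (not from the original page), the PowerShell cmdlets named above applied to one folder: read the DACL, list the components of each ACE, warn on Allow entries that give broad groups write access, then add an Allow ACE to the DACL and an audit ACE to the SACL. It assumes a scratch folder C:\Temp\AclDemo, an elevated prompt (writing the SACL needs it), and a placeholder group name DOMAIN\Auditors that you would replace with a real group.

```powershell
# Added example, not from the original page. Assumes a scratch folder
# C:\Temp\AclDemo and an elevated prompt (changing the SACL requires it);
# 'DOMAIN\Auditors' is a placeholder group name.
$path = 'C:\Temp\AclDemo'
New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl = Get-Acl -Path $path -Audit     # -Audit also loads the SACL

# DACL: show each ACE's principal, rights, Allow/Deny flag and inheritance
$acl.Access | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.IdentityReference.Value
        Rights    = $_.FileSystemRights
        Type      = $_.AccessControlType    # Allow or Deny
        Inherited = $_.IsInherited
        AppliesTo = $_.InheritanceFlags     # ContainerInherit / ObjectInherit / None
    }
} | Format-Table -AutoSize

# Check: warn on any Allow ACE that gives broad groups write access
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
} | ForEach-Object {
    Write-Warning "Broad write access: $($_.IdentityReference.Value) has $($_.FileSystemRights)"
}

# Add a DACL entry: Allow read/execute for a group, inherited by subfolders and files
$allow = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'DOMAIN\Auditors', 'ReadAndExecute',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($allow)

# Add a SACL entry: audit successful and failed writes by anyone. Events appear
# in the Security log only if the "Audit File System" policy is enabled.
$audit = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', 'Write',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($audit)

# Write both lists back to the object
Set-Acl -Path $path -AclObject $acl
```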
Summary
| Term | Description |
|---|---|
| ACL | A list that defines access permissions for an object |
| DACL | Controls who is allowed or denied access |
| SACL | Defines which access attempts are logged for auditing |
| ACE | An individual rule that specifies access for a user or group |