Windows Security: DACL and SACL discovery using Perl

Let’s explore how to manage DACLs and SACLs with the Win32::ACL module.


When it comes to Windows Server systems, keeping your files and folders secure is a top priority. Two key players in this security game are the Discretionary Access Control List (DACL) and the System Access Control List (SACL). Let’s break these down in a way that’s easy to understand—without sounding like a dry textbook!

What’s a DACL?

A DACL (Discretionary Access Control List) is like the VIP guest list for your files. It specifies who can access a file or folder and what they can do with it. Each entry in the DACL, known as an Access Control Entry (ACE), lays out permissions—whether someone can read, write, or execute the file.

Here’s what a DACL might symbolically look like:

DACL:

User: Alice - Permissions: Read, Write
User: Bob - Permissions: Read
Group: Managers - Permissions: Read, Write, Execute

In this example, Alice can read and write the file, Bob can only read it, and the Managers group can read, write and execute it. If you’re not on the list, you might as well be outside the club looking in. No access for you! This keeps your data secure and ensures that only the right people can make changes.

What’s a SACL?

Now, let’s talk about the SACL (System Access Control List). Think of the SACL as your file’s security camera. It tracks what’s happening with your files—specifically, which actions should be logged in the security event log. This includes both successful and failed access attempts.

Here’s an example of how a SACL might look, matching the above DACL example:

SACL:

User: Charlie - Access: Failed Attempt
User: Alice - Access: Successful
User: Bob - Access: Failed Attempt

In this case, the SACL makes Windows write Charlie’s failed attempt and Alice’s successful access to the security event log. It’s like having a bouncer who also takes notes! SACLs are crucial for keeping an eye on sensitive information and ensuring compliance with security policies.

Using Perl to Check Out DACLs and SACLs

As the writer of the Win32::ACL module, I’ve made it easy for you to work with DACL and SACL information using Perl on Windows. With this module, you can retrieve and display the DACL and SACL for specific files and folders, making it simpler to manage access and audit settings without breaking a sweat.

Here’s a quick example of how you might use the module:

use strict;
use warnings;
use Win32::ACL;
use Data::Dumper;

my $object = Win32::ACL->new();   # one reader object, reused for both calls

# Each call returns a list of hash references, one per ACE, with the keys
# aceType, aceMask, aceFlags, trustee and sid (see the output below).
my @sacls = $object->getSACL("C:\\Temp");   # audit entries
print Dumper(@sacls);
my @dacls = $object->getDACL("C:\\Temp");   # access entries
print Dumper(@dacls);

DACL Example output
$VAR1 = {
          'aceFlags' => {
                          'INHERITED_ACE' => 1,
                          'FULL_INHERIT' => 1
                        },
          'trustee' => 'BUILTIN\\Administrators',
          'sid' => 'S-1-5-32-544',
          'aceMask' => {
                         'FULL' => 1
                       },
          'aceType' => 'ACCESS_ALLOWED_ACE_TYPE'
        };
$VAR2 = {
          'sid' => 'S-1-5-18',
          'aceFlags' => {
                          'FULL_INHERIT' => 1,
                          'INHERITED_ACE' => 1
                        },
          'trustee' => 'NT AUTHORITY\\SYSTEM',
          'aceMask' => {
                         'FULL' => 1
                       },
          'aceType' => 'ACCESS_ALLOWED_ACE_TYPE'
        };
$VAR3 = {
          'aceType' => 'ACCESS_ALLOWED_ACE_TYPE',
          'aceMask' => {
                         'READ' => 1
                       },
          'trustee' => 'BUILTIN\\Users',
          'aceFlags' => {
                          'INHERITED_ACE' => 1,
                          'FULL_INHERIT' => 1
                        },
          'sid' => 'S-1-5-32-545'
        };
$VAR4 = {
          'sid' => 'S-1-5-11',
          'trustee' => 'NT AUTHORITY\\Authenticated Users',
          'aceFlags' => {
                          'INHERITED_ACE' => 1
                        },
          'aceType' => 'ACCESS_ALLOWED_ACE_TYPE',
          'aceMask' => {
                         'MODIFY' => 1
                       }
        };
$VAR5 = {
          'trustee' => 'NT AUTHORITY\\Authenticated Users',
          'aceFlags' => {
                          'SUBFOLDERS_AND_FILES_ONLY' => 1,
                          'INHERITED_ACE' => 1
                        },
          'sid' => 'S-1-5-11',
          'aceType' => 'ACCESS_ALLOWED_ACE_TYPE',
          'aceMask' => {
                         'GENERIC_READ' => 1,
                         'GENERIC_WRITE' => 1,
                         'GENERIC_EXECUTE' => 1,
                         'DELETE' => 1
                       }
        };
SACL Example output

$VAR1 = {
          'aceType' => 'SYSTEM_AUDIT_ACE_TYPE',
          'trustee' => 'Frikadelle\\Administrator',
          'aceMask' => {
                         'FILE_EXECUTE' => 1,
                         'FILE_WRITE_EA' => 1,
                         'FILE_WRITE_ATTRIBUTES' => 1,
                         'FILE_WRITE_DATA' => 1,
                         'FILE_READ_EA' => 1,
                         'DELETE' => 1,
                         'FILE_APPEND_DATA' => 1,
                         'FILE_READ_ATTRIBUTES' => 1,
                         'READ_CONTROL' => 1,
                         'FILE_READ_DATA' => 1
                       },
          'aceFlags' => {
                          'SUCCESSFUL_ACCESS_ACE_FLAG' => 1,
                          'FULL_INHERIT' => 1,
                          'FAILED_ACCESS_ACE_FLAG' => 1
                        },
          'sid' => 'S-1-5-21-3286235758-1038429440-3062953416-500'
        };
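The dumps above are useful for a look, but the hashes are easier to act on in code. The following is an added example (not part of the module or this post) that walks the DACL and SACL returned by getDACL and getSACL and reports two things a reviewer would want to know: which ACEs hand write-class rights to broad groups, and whether anything audits failed access at all. The well-known SIDs and the list of mask keys treated as write-class are my assumptions; the mask keys are taken only from the output shown above.

```perl
use strict;
use warnings;
use Win32::ACL;

# Assumed "broad" trustees by well-known SID:
# S-1-1-0 Everyone, S-1-5-11 Authenticated Users, S-1-5-32-545 BUILTIN\Users
my %BROAD_SID = map { $_ => 1 } qw(S-1-1-0 S-1-5-11 S-1-5-32-545);

# aceMask keys (as seen in the getDACL/getSACL output above) that let a
# trustee change or remove the object.
my @WRITE_KEYS = qw(FULL MODIFY GENERIC_WRITE DELETE FILE_WRITE_DATA
                    FILE_APPEND_DATA FILE_WRITE_EA FILE_WRITE_ATTRIBUTES);

# Return the allow ACEs that grant write-class access to a broad group,
# each copied with an extra 'granted' list of the matching mask keys.
sub risky_aces {
    my ($aces) = @_;
    my @risky;
    for my $ace (@$aces) {
        next unless $ace->{aceType} eq 'ACCESS_ALLOWED_ACE_TYPE';
        next unless $BROAD_SID{ $ace->{sid} };
        my @granted = grep { $ace->{aceMask}{$_} } @WRITE_KEYS;
        push @risky, { %$ace, granted => \@granted } if @granted;
    }
    return @risky;
}

# True if at least one audit ACE logs failed access attempts.
sub audits_failures {
    my ($aces) = @_;
    return scalar grep {
        $_->{aceType} eq 'SYSTEM_AUDIT_ACE_TYPE'
            && $_->{aceFlags}{FAILED_ACCESS_ACE_FLAG}
    } @$aces;
}

my $path = shift @ARGV // 'C:\\Temp';
my $acl  = Win32::ACL->new();
my @dacl = $acl->getDACL($path);
my @sacl = $acl->getSACL($path);

for my $ace (risky_aces(\@dacl)) {
    printf "%s: %s (%s) may %s\n", $path, $ace->{trustee}, $ace->{sid},
        join(', ', @{ $ace->{granted} });
}
print "$path: no SACL entry audits failed access\n"
    unless audits_failures(\@sacl);
```

Run against the DACL shown above, it flags the two Authenticated Users entries (MODIFY, and GENERIC_WRITE plus DELETE) and stays quiet about the read-only BUILTIN\Users entry; the SACL above passes the audit check because its single entry carries FAILED_ACCESS_ACE_FLAG.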
Github Project
This post is licensed under CC BY 4.0 by the author.