You can independently evaluate each string of characters that are enclosed in parentheses by using the following key:
|Pair||Right or permission|
Exercise the most caution with the ChangeConf (DC) permission. Look for the ChangeConf permission when you are determining whether your service is vulnerable to an elevation-of-privilege attack. This permission enables a designee to change the configuration of the service to include the binary file that is run when the service is started. You should also exercise extreme caution with the WDac (WD) and the WOwn (WO) permissions because both can be used to escalate permissions to LocalSystem. Make sure that these rights are not granted to a user who has low permissions. This table lists the codes that are used to identify the type of user that is granted access in the SDDL syntax.
|ED||Enterprise Domain Controllers|
|BA||Built-in (Local ) Administrators|
|BG||Built-in (Local ) Guests|
|BU||Built-in (Local ) Users|
|LA||Local Administrator Account|
|LG||Local Guest Account|
|IU||Interactive Logon User|
|NU||Network Logon User|
|SU||Service Logon User|
|WR||Write Restricted Code|
|CA||Certificate Services Administrators|
|RS||Remote Access Servers Group|
|PA||Group Policy Administrators|
|RU||Alias to Allow Previous Windows 2000|
|LS||Local Service Account (for Services)|
|NS||Network Service Account (for Services)|
|RD||Remote Desktop Users (for Terminal Services)|
|NO||Network Configuration Operators|
|MU||Performance Monitor Users|
|LU||Performance Log Users|
|IS||Anonymous Internet Users|
|OW||Owner Rights SID|
How to interpret a DACL string in SDDL formatThis information describes how to interpret the sample DACL string that is listed at the top of this article. This interpretation lists each access control entry (ACE) individually.
This access control entry (ACE) gives LocalSystem (SY) the following rights:
This access control entry (ACE) applies to built-in local administrators (BA). This access control entry (ACE) gives the same rights as in the previous access control entry (ACE) to all the local administrators. This is also a very powerful security context on the workstation. Therefore, there is again no elevation risk.
This access control entry (ACE) gives all the previous rights to any authenticated user (AU).
The following sample DACL does not give ChangeConf rights to authenticated users:
In this DACL, authenticated users (AU) are given only the following rights:
The LocalSystem (SY) group is given the same permissions as the Power Users group, but is also given Stop and Pause permissions. This seems to be appropriate. The next two short access control entries (ACEs) give the Local Service account and the Network Service account permissions to pause the service. This also seems to be appropriate because Local Service and Network Service are both powerful local accounts.
The Network Configuration Operators (NO) group, however, is given ChangeConf permissions. The Network Configuration Operators group was added in Windows XP to let trusted users change network settings without having full administrator permissions. By default, the Network Configuration Operators group is empty. The group is sometimes used to give network configuration permissions to specific users. For example, the owner of a portable computer might be given this permission. Users in the Network Configuration Operators group frequently have physical control of the computer. However, the intention of this group is not to give these users full administrator permissions. Therefore, this service DACL should not give ChangeConf permissions to the Network Configuration Operators group.
Best practicesLimit service DACLs to only those users who need a particular access type. Be especially cautious with the following rights. If these rights are granted to a user or to a group that has low rights, the rights can be used to elevate to LocalSystem on the computer:
- ChangeConf (DC)
- WDac (WD)
- WOwn (WO)
Article ID: 914392 - Last Review: Mar 29, 2017 - Revision: 4