|
NTFS General Information
> NTFS Permissions
> NTFS Security Descriptor
NTFS Security Descriptor
The security descriptor resides in the $SDS data stream. The
table below describes the layout of the $SDS data stream.
$SDS Data Stream Entry Layout, showing parts of the Security Descriptor
$SDS Entry Field |
Description |
Hash |
Hash of security descriptor |
Security ID |
Security ID assigned to this entry |
Offset |
Entry offset in the #SDS data stream |
Size |
Entry size |
Header |
Security Descriptor: Revision number and a set of
control flags that describe characteristics of the security descriptor. |
Owner_SID |
Security Descriptor: Owner SID. The owner of an
object can modify permissions and give other users the right to take ownership. |
Group_SID |
Security Descriptor: SID for the owner’s primary
group. Used only by the POSIX subsystem. |
DACL |
Security Descriptor: Discretionary Access Control
List. Contains ACEs and controls access to the object. Content
controlled by the owner. |
SACL |
Security Descriptor: System
Access Control List Contains ACEs and controls the logging of attempts
to access the object. Content controlled by security administrators for
the local system. |
To assign the appropriate security descriptor for a file or
folder, NTFS does the following:
- Calculates a simple hash for that security
descriptor and uses it as an index into the $SDH index. The $SDH index is sorted
by security descriptor hash and is stored in a B+ tree format.
- Maps the hash to the security descriptor’s
storage location within the $SDS data attribute.
- If a match is not found for the map, NTFS assigns a new
unique Security ID to the security descriptor and adds the new ID to the $SDS
data attribute. When an entry references this security descriptor in the $SDS
data attribute, NTFS adds appropriate entries to the $SDH and $SII indexes.
- Writes the Security ID corresponding to the
security descriptor in the $SDS attribute to the $STANDARD_INFORMATION attribute
of the file or folder.
When NTFS searches $SDH, it looks for a match for both the
hash and the security descriptor.
When an application attempts to open a file or a folder, the
following happens:
- NTFS reads the internal Security ID for the file
or folder from the MFT entry’s $STANDARD_INFORMATION attribute.
- In the $Secure file, NTFS opens the $SII index
and looks up the appropriate security descriptor that for that file or folder.
- If NTFS finds the security descriptor, it locates
the Security ID entry in the SDS attribute.
- In the SDS attribute, the offset allows NTFS to
read the security descriptor and complete the security check.
NTFS does not delete entries in the $Secure file, even if no
file or directory on a volume references the entry. The fact that NTFS only adds
these entries does not significantly decrease disk space because most volumes,
even those used for long periods, have relatively few unique security
descriptors.
Two Security Indexes
Entries in the $SDH index map the security descriptor hashes
to the security descriptor's storage location within the $SDS data attribute.
$Secure:$SDH index entry layout
$SDH Entry Field |
Description |
DataOffest |
The value of an offset variable indicates the location of a based variable within an area variable relative to the start of the
area. |
DataLength |
Size of data string. |
ReservedForZero |
Padding with zeroes. |
IndexEntryLength |
Size of index entry. |
IndexKeyLength |
Size of index key. |
Flags |
Arguments that that specify a type of security information. |
Pad |
Padding to help with alignment of fields. |
KeyHash |
Key: Hash of the security description |
KeySecurityId |
Key: The SecurityID assigned to the descriptor |
Hash |
Data: Hash of the security descriptor |
SecurityID |
Data: The Security ID assigned to the descriptor |
Offset_in_SDS |
Data: Offset of the security descriptor in $SDS data stream |
Size_in_SDS |
Data: Size of the descriptor in $SDS data stream |
Reserved_II |
Data: Padding – always Unicode “II” |
The $SII index entries map NTFS5 security IDs to the security
descriptor's location in the $SDS data attribute.
$Secure:$SII index entry
layout
$SII Index Entry Field |
Description |
DataOffset |
Offset to data. |
DataLength |
Size of data. |
ReservedForZero |
Padding with zeroes. |
IndexEntryLength |
Size of Index Key. |
Flags |
Arguments that that specify a type of security information. |
Pad |
Padding to help with alignment of fields. |
KeySecurityId |
Key: The Security ID assigned to the descriptor |
Hash |
Data: Hash of the security descriptor |
SecurityID |
Data: The Security ID assigned to the descriptor |
Offset_in_SDS |
Data: Offset of the security descriptor in $SDS data stream |
Size_in_SDS |
Data: Size of the descriptor in $SDS data stream |
Previous| NTFS Permissions |
Next
|
