How to shoot yourself in the foot with ACLs

My latest TechNet article, “How to Shoot Yourself in the Foot with Security, Part 2: To ACL or Not To ACL” was just published in the TechNet Newsletter. It turns out that ACLs are one of the major ways people destroy their systems, and of course they are also one of the major ways to protect the system. As Steve pointed out in his blog, people setting unsupported ACLs on operating system binaries was what made MS05-051 blow up. Microsoft does not test custom ACLs on the OS. We made that clear in KB 885409 over a year ago. That makes ACLs critically important, but also quite tricky. The article was written with the hope that it dispels some of the myths around ACLs and points out what to do and not to do with them. Most of the items in there are not absolutes – there are exceptions – but generally, they are good advice and they will keep you from having to call for technical support on an unsupported OS configuration. ACLs are actually one of the major support call generators. Hopefully, this will do some small part to solve that problem.

By the way, it deserves mention that with lead times on articles being what they are, this article was written in September, before MS05-051 came out. Take note of the first way to shoot yourself in the foot with ACLs in the article. It would have prevented the problems with the patch in MS05-051 had people followed it.

If you have comments on the article or ACLs in general, feel free to follow up to this blog post.

Comments (8)

  1. Wesley Wilson says:

    I found the article very helpful, as I have been involved with the development of file-level security settings in my company’s document management package called Omnivore.

    One question: You wrote, "Up through Windows XP the default DACL on shares was for Everyone with Full Control." That is not the default in XP Pro SP1, is it? I have forgotten to change the share permission for Everyone from Read to Full Control a few times on shares in our domain and been initially confused when an administrator couldn’t write to the share.

    Thanks for the article.

  2. Don Cressey says:

    What is an ACL? Some of us are not experts.

  3. Jesper Johansson says:

    Sorry Don. ACL is an Access Control List. It is what is used to set permissions on things in the operating system. I guess I should have spelled it out. Check out the "Introduction to ACLs" section in the TechNet article for a longer description.

    Wesley, glad to hear the article was helpful. The default share DACL was Everyone:Full Control in XP Gold (the original release), and changed to Everyone:Read in XP SP1. I could have been clearer on that really. Needless to say, I saw little reason to change it.

  4. Great Article

    I’m looking forward to see your ACL session next week at ITForum… 🙂

  5. MS says:

    You advise against using SACL "Everyone:Full control", but I find it useful to do just that and then later on in Security Policy/Auditing to say which events (Audit object access: Failure) I’m interested in. Do you see any problems with that?

  6. Jesper Johansson says:

    MS, what you are doing is a reasonable strategy, IF you have a good log management process. The problem with Everyone:Full Control SACLs is that you risk filling your event log very, very fast. Unless you manage those logs very carefully, cycle them, and so on, you will fill them and miss potentially valuable events. If you have a log management tool, for example, then your strategy is reasonable. However, you will still log a bunch of things that you probably do not care about.

  7. TAL says:

    Just a quick note regarding the mention of the 3rd tool at the end of the article. The correct spelling of the company you reference is ALTIRIS, not Altaris. – FYI

    Very interesting article. One topic that I would be very interested to get your insight on is how to audit ACE’s for a specific subject. We have received 3 requests now from our legal department in just the last 5 months that go something like, "We want a report of all data that XYZuser has access to."

    I don’t have any clue if others are getting these types of requests or not.

  8. Jesper Johansson says:

    Odd, Altiris was spelled right in my draft. I’ll get them to fix it.

    As for getting a report on all data that user X has access to, there is no such tool right now. It’s a cool idea though. Maybe I’ll write one if I can ever get the passwords tool I am working on done.
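One way to produce the per-user ACE report TAL asks about, as an added PowerShell example that is not code from the article or from anyone in this thread. It walks a folder tree with Get-Acl and keeps the NTFS access rules that name the user or one of the user's groups; $Path, $Identities and the CONTOSO names are assumptions.

```powershell
# Added example (not code from the article or the comments): enumerate the NTFS ACEs
# under a folder that name a given user or any of that user's groups.
# Assumptions: Windows PowerShell 5.1 or later; $Path and $Identities are hypothetical
# parameters, and the CONTOSO identities in the comment are placeholders.
# Caveat: effective access is the union of Allow ACEs for the user and all of its
# groups, with Deny ACEs winning, so pass the group memberships too, and remember that
# share-level DACLs can further restrict access reached over the network.
param(
    [Parameter(Mandatory)] [string]   $Path,
    [Parameter(Mandatory)] [string[]] $Identities   # e.g. 'CONTOSO\jdoe','CONTOSO\Finance'
)

# Compare on SIDs so ACEs that Get-Acl can only show as a raw SID (orphaned or
# untrusted-domain accounts) still match; fall back to the literal string.
function Get-SidValue([System.Security.Principal.IdentityReference] $Identity) {
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Identity.Value }
}

$wanted = @{}
foreach ($name in $Identities) {
    $key = Get-SidValue (New-Object System.Security.Principal.NTAccount($name))
    $wanted[$key] = $name
}

# Include the root folder itself, then everything below it (hidden items too).
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL on $($item.FullName)"; continue }

    foreach ($ace in $acl.Access) {
        $key = Get-SidValue $ace.IdentityReference
        if (-not $wanted.ContainsKey($key)) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Identity  = $wanted[$key]
            Type      = $ace.AccessControlType      # read the Deny entries first
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Pipe the output to Export-Csv to hand the legal department a report; an entry whose Identity is a group rather than the user is still relevant, since the user reaches the data through that membership.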