Access rights: AD DS control access rights, window stations, and services

Control Access Rights (AD DS)

All objects in Active Directory Domain Services support a standard set of access rights defined in the ADS_RIGHTS_ENUM enumeration. These access rights can be used in the Access Control Entries (ACEs) of an object's security descriptor to control access to the object; that is, to control who can perform standard operations, such as creating and deleting child objects, or reading and writing the object's attributes. However, for some object classes, it may be desirable to control access in a way not supported by the standard access rights. To facilitate this, Active Directory Domain Services allows the standard access control mechanism to be extended through the controlAccessRight object.

Control access rights are used in three ways:

For extended rights, which are special operations not covered by the standard set of access rights. For example, the user class can be granted a "Send As" right that can be used by Exchange, Outlook, or any other mail application to determine whether a particular user can have another user send mail on their behalf. Extended rights are created on controlAccessRight objects by setting the validAccesses attribute to equal the ADS_RIGHT_DS_CONTROL_ACCESS (256) access right.

For defining property sets, to enable controlling access to a subset of an object's attributes, rather than just to the individual attributes. Using the standard access rights, a single ACE can grant or deny access to all of an object's attributes or to a single attribute. Control access rights provide a way for a single ACE to control access to a set of attributes. For example, the user class supports the Personal-Information property set that includes attributes such as street address and telephone number. Property set rights are created on controlAccessRight objects by setting the validAccesses attribute to contain both the ACTRL_DS_READ_PROP (16) and the ACTRL_DS_WRITE_PROP (32) access rights.

For validated writes, to require that the system perform value checking, or validation, beyond that which is required by the schema, before writing a value to an attribute on a DS object. This ensures that the value entered for the attribute conforms to required semantics, is within a legal range of values, or undergoes some other special checking that would not be performed for a simple low-level write to the attribute. A validated write is associated with a special permission that is distinct from the "Write" permission, which would allow any value to be written to the attribute with no value checking performed. The validated write is the only one of the three kinds of control access right that cannot be created as a new control access right by an application, because the existing system cannot be programmatically modified to enforce validation. If a control access right is a validated write, the validAccesses attribute on its controlAccessRight object contains the ADS_RIGHT_DS_SELF (8) access right.

There are only three validated writes defined in the Windows 2000 Active Directory schema:

  • Self-Membership permission on a Group object, which allows the caller’s account, but no other account, to be added or removed from a group’s membership.
  • Validated-DNS-Host-Name permission on a Computer object, which allows a DNS host name attribute that is compliant with the computer name and domain name to be set.
  • Validated-SPN permission on a Computer object, which allows an SPN attribute which is compliant with the DNS host name of the computer to be set.

For convenience, each control access right is represented by a controlAccessRight object in the Extended-Rights container of the Configuration partition, even though property sets and validated writes are not considered to be extended rights. Because the Configuration container is replicated across the entire forest, control rights are propagated across all domains in a forest. There are a number of predefined control access rights, and of course, custom access rights can also be defined.
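The following is an added example, not code from the page or from Microsoft. It encodes the three-way classification described above (validAccesses containing ADS_RIGHT_DS_CONTROL_ACCESS, ADS_RIGHT_DS_READ_PROP|ADS_RIGHT_DS_WRITE_PROP, or ADS_RIGHT_DS_SELF) and then applies it to an object-specific ACE, which is where practitioners get caught: an ObjectType GUID that names a control access right only takes effect when the ACE's AccessMask carries the bits in that right's validAccesses, so a property-set GUID paired with CONTROL_ACCESS, or an extended-right GUID paired with WRITE_PROP, grants nothing. The sample table lists the rights named in the text; its rightsGuid values are the default-schema ones and should be verified against the Extended-Rights container of your own forest before you depend on them, and the ACEs fed to it are constructed. The function judges a single allow ACE and is not a full access check (it ignores deny ACEs, inheritance and group membership).

```python
"""Classify controlAccessRight objects by validAccesses and work out what an
object-specific ACE grants in terms of them. Added example, not Microsoft code.
Bit values are the ADS_RIGHTS_ENUM values quoted in the text."""
from __future__ import annotations

from dataclasses import dataclass

ADS_RIGHT_DS_SELF = 0x8              # validated write (the "Self" name is historical)
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # extended right
PROP_BITS = ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP
CONTROL_BITS = ADS_RIGHT_DS_CONTROL_ACCESS | ADS_RIGHT_DS_SELF | PROP_BITS


@dataclass(frozen=True)
class ControlAccessRight:
    name: str            # cn of the controlAccessRight object
    rights_guid: str     # rightsGuid attribute, lower-case string form
    valid_accesses: int  # validAccesses attribute


def classify(valid_accesses: int) -> str:
    """Map validAccesses to the three kinds of control access right in the text."""
    if valid_accesses & ADS_RIGHT_DS_CONTROL_ACCESS:
        return "extended right"
    if valid_accesses & ADS_RIGHT_DS_SELF:
        return "validated write"
    if valid_accesses & PROP_BITS:
        return "property set"
    raise ValueError(f"validAccesses {valid_accesses:#x} is not a control access right")


# Sample table of the controlAccessRight objects named in the text, keyed by
# rightsGuid. Default-schema values; verify them in your forest's Extended-Rights container.
RIGHTS = {
    r.rights_guid: r
    for r in (
        ControlAccessRight("Send-As", "ab721a54-1e2f-11d0-9819-00aa0040529b", 0x100),
        ControlAccessRight("Personal-Information", "77b5b886-944a-11d1-aebd-0000f80367c1", 0x30),
        ControlAccessRight("Self-Membership", "bf9679c0-0de6-11d0-a285-00aa003049e2", 0x8),
        ControlAccessRight("Validated-DNS-Host-Name", "72e39547-7b18-11d1-adef-00c04fd8d5cd", 0x8),
        ControlAccessRight("Validated-SPN", "f3a64788-5306-11d1-a9c5-0000f80367c1", 0x8),
    )
}


def interpret_ace(mask: int, object_type: str | None,
                  rights: dict[str, ControlAccessRight] = RIGHTS) -> str:
    """Describe what an allow ACE with this AccessMask and ObjectType GUID grants.

    A GUID naming a control access right only takes effect when the mask carries
    the bit(s) in that right's validAccesses; otherwise the ACE is inert.
    """
    if not mask & CONTROL_BITS:
        return "no control access right bits in mask"
    if object_type is None:  # no ObjectType: the bits apply to every right of that kind
        parts = []
        if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            parts.append("all extended rights")
        if mask & ADS_RIGHT_DS_SELF:
            parts.append("all validated writes")
        if mask & PROP_BITS:
            parts.append("all attributes")
        return "; ".join(parts)
    right = rights.get(object_type.lower())
    if right is None:
        return "object type is not a control access right (attribute or class GUID)"
    effective = mask & right.valid_accesses
    if not effective:
        return f"inert: mask {mask:#x} lacks {right.name}'s validAccesses {right.valid_accesses:#x}"
    kind = classify(right.valid_accesses)
    if kind == "property set":
        ops = [op for bit, op in ((ADS_RIGHT_DS_READ_PROP, "read"),
                                  (ADS_RIGHT_DS_WRITE_PROP, "write")) if effective & bit]
        return f"{'/'.join(ops)} of property set {right.name}"
    return f"{kind} {right.name}"


if __name__ == "__main__":
    # Constructed ACEs (AccessMask, ObjectType) as they would appear in an object's DACL.
    for mask, guid in ((0x100, "ab721a54-1e2f-11d0-9819-00aa0040529b"),
                       (0x10, "77b5b886-944a-11d1-aebd-0000f80367c1"),
                       (0x8, "bf9679c0-0de6-11d0-a285-00aa003049e2"),
                       (0x100, "77b5b886-944a-11d1-aebd-0000f80367c1"),
                       (0x100, None)):
        print(f"{mask:#05x} {guid or '<none>':38} -> {interpret_ace(mask, guid)}")
```

The classifier tests bits rather than comparing for equality, so it also copes with a validAccesses value that carries extra bits; the "inert" branch is the case worth looking for in an audit, because such ACEs look like grants in the ACL Editor but give the trustee nothing.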

All control access rights can be viewed as permissions in the ACL Editor.

For more information and a C++ and Visual Basic code example that sets an ACE to control read/write access to a property set, see Example Code for Setting an ACE on a Directory Object.

For more information about using control access rights to control access to special operations, see:

Window Station Security and Access Rights

Security enables you to control access to window station objects. For more information about security, see Access-Control Model.

You can specify a security descriptor for a window station object when you call the CreateWindowStation function. If you specify NULL, the window station gets a default security descriptor. The ACLs in the default security descriptor for a window station come from the primary or impersonation token of the creator.

To get or set the security descriptor of a window station object, call the GetSecurityInfo and SetSecurityInfo functions.

When you call the OpenWindowStation function, the system checks the requested access rights against the object’s security descriptor.

The valid access rights for window station objects include the standard access rights and some object-specific access rights. The following are the standard access rights used by all objects.

  • DELETE (0x00010000L): Required to delete the object.
  • READ_CONTROL (0x00020000L): Required to read information in the security descriptor for the object, not including the information in the SACL. To read or write the SACL, you must request the ACCESS_SYSTEM_SECURITY access right. For more information, see SACL Access Right.
  • SYNCHRONIZE (0x00100000L): Not supported for window station objects.
  • WRITE_DAC (0x00040000L): Required to modify the DACL in the security descriptor for the object.
  • WRITE_OWNER (0x00080000L): Required to change the owner in the security descriptor for the object.

The following are the object-specific access rights.

  • WINSTA_ALL_ACCESS (0x37F): All possible access rights for the window station.
  • WINSTA_ACCESSCLIPBOARD (0x0004L): Required to use the clipboard.
  • WINSTA_ACCESSGLOBALATOMS (0x0020L): Required to manipulate global atoms.
  • WINSTA_CREATEDESKTOP (0x0008L): Required to create new desktop objects on the window station.
  • WINSTA_ENUMDESKTOPS (0x0001L): Required to enumerate existing desktop objects.
  • WINSTA_ENUMERATE (0x0100L): Required for the window station to be enumerated.
  • WINSTA_EXITWINDOWS (0x0040L): Required to successfully call the ExitWindows or ExitWindowsEx function. Window stations can be shared by users, and withholding this access right prevents other users of a window station from logging off the window station owner.
  • WINSTA_READATTRIBUTES (0x0002L): Required to read the attributes of a window station object. These attributes include color settings and other global window station properties.
  • WINSTA_READSCREEN (0x0200L): Required to access screen contents.
  • WINSTA_WRITEATTRIBUTES (0x0010L): Required to modify the attributes of a window station object. The attributes include color settings and other global window station properties.

The following are the generic access rights for the interactive window station object, which is the window station assigned to the logon session of the interactive user.

  • GENERIC_READ: STANDARD_RIGHTS_READ | WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES | WINSTA_READSCREEN
  • GENERIC_WRITE: STANDARD_RIGHTS_WRITE | WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | WINSTA_WRITEATTRIBUTES
  • GENERIC_EXECUTE: STANDARD_RIGHTS_EXECUTE | WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS
  • GENERIC_ALL: STANDARD_RIGHTS_REQUIRED | WINSTA_ACCESSCLIPBOARD | WINSTA_ACCESSGLOBALATOMS | WINSTA_CREATEDESKTOP | WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_EXITWINDOWS | WINSTA_READATTRIBUTES | WINSTA_READSCREEN | WINSTA_WRITEATTRIBUTES

The following are the generic access rights for a noninteractive window station object. The system assigns noninteractive window stations to all logon sessions other than that of the interactive user. Note that, unlike the interactive window station, GENERIC_READ does not include WINSTA_READSCREEN and GENERIC_WRITE does not include WINSTA_WRITEATTRIBUTES.

  • GENERIC_READ: STANDARD_RIGHTS_READ | WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_READATTRIBUTES
  • GENERIC_WRITE: STANDARD_RIGHTS_WRITE | WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP
  • GENERIC_EXECUTE: STANDARD_RIGHTS_EXECUTE | WINSTA_ACCESSGLOBALATOMS | WINSTA_EXITWINDOWS
  • GENERIC_ALL: STANDARD_RIGHTS_REQUIRED | WINSTA_ACCESSCLIPBOARD | WINSTA_ACCESSGLOBALATOMS | WINSTA_CREATEDESKTOP | WINSTA_ENUMDESKTOPS | WINSTA_ENUMERATE | WINSTA_EXITWINDOWS | WINSTA_READATTRIBUTES

You can request the ACCESS_SYSTEM_SECURITY access right to a window station object if you want to read or write the object’s SACL. For more information, see Access-Control Lists (ACLs) and SACL Access Right.

Service Security and Access Rights

The Windows security model enables you to control access to the service control manager (SCM) and service objects. The following sections provide detailed information:

Access Rights for the Service Control Manager

The following are the specific access rights for the SCM.

  • SC_MANAGER_ALL_ACCESS (0xF003F): Includes STANDARD_RIGHTS_REQUIRED, in addition to all access rights in this list.
  • SC_MANAGER_CREATE_SERVICE (0x0002): Required to call the CreateService function to create a service object and add it to the database.
  • SC_MANAGER_CONNECT (0x0001): Required to connect to the service control manager.
  • SC_MANAGER_ENUMERATE_SERVICE (0x0004): Required to call the EnumServicesStatus or EnumServicesStatusEx function to list the services that are in the database. Also required to call the NotifyServiceStatusChange function to receive notification when any service is created or deleted.
  • SC_MANAGER_LOCK (0x0008): Required to call the LockServiceDatabase function to acquire a lock on the database.
  • SC_MANAGER_MODIFY_BOOT_CONFIG (0x0020): Required to call the NotifyBootConfigStatus function.
  • SC_MANAGER_QUERY_LOCK_STATUS (0x0010): Required to call the QueryServiceLockStatus function to retrieve the lock status information for the database.

The following are the generic access rights for the SCM.

  • GENERIC_READ: STANDARD_RIGHTS_READ | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS
  • GENERIC_WRITE: STANDARD_RIGHTS_WRITE | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_MODIFY_BOOT_CONFIG
  • GENERIC_EXECUTE: STANDARD_RIGHTS_EXECUTE | SC_MANAGER_CONNECT | SC_MANAGER_LOCK
  • GENERIC_ALL: SC_MANAGER_ALL_ACCESS

A process with the correct access rights can open a handle to the SCM that can be used in the OpenService, EnumServicesStatusEx, and QueryServiceLockStatus functions. Only processes with Administrator privileges are able to open handles to the SCM that can be used by the CreateService and LockServiceDatabase functions.

The system creates the security descriptor for the SCM. To get or set the security descriptor for the SCM, use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions with a handle to the SCManager object.

Windows Server 2003 and Windows XP: Unlike most other securable objects, the security descriptor for the SCM cannot be modified. This behavior has changed as of Windows Server 2003 with Service Pack 1 (SP1).

The SCM's security descriptor grants the following access rights.

  • Remote authenticated users: SC_MANAGER_CONNECT
  • Local authenticated users (including LocalService and NetworkService): SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS | STANDARD_RIGHTS_READ
  • LocalSystem: SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_MODIFY_BOOT_CONFIG | SC_MANAGER_QUERY_LOCK_STATUS | STANDARD_RIGHTS_READ
  • Administrators: SC_MANAGER_ALL_ACCESS

Notice that remote users authenticated over the network but not interactively logged on can connect to the SCM but not perform operations that require other access rights. To perform these operations, the user must be logged on interactively or the service must use one of the service accounts.

Windows Server 2003 and Windows XP: Remote authenticated users are granted the SC_MANAGER_CONNECT, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_QUERY_LOCK_STATUS, and STANDARD_RIGHTS_READ access rights. These access rights are restricted as described in the previous list as of Windows Server 2003 with SP1.

When a process uses the OpenSCManager function to open a handle to a database of installed services, it can request access rights. The system performs a security check against the security descriptor for the SCM before granting the requested access rights.

Access Rights for a Service

The following are the specific access rights for a service.

  • SERVICE_ALL_ACCESS (0xF01FF): Includes STANDARD_RIGHTS_REQUIRED in addition to all access rights in this list.
  • SERVICE_CHANGE_CONFIG (0x0002): Required to call the ChangeServiceConfig or ChangeServiceConfig2 function to change the service configuration. Because this grants the caller the right to change the executable file that the system runs, it should be granted only to administrators.
  • SERVICE_ENUMERATE_DEPENDENTS (0x0008): Required to call the EnumDependentServices function to enumerate all the services dependent on the service.
  • SERVICE_INTERROGATE (0x0080): Required to call the ControlService function to ask the service to report its status immediately.
  • SERVICE_PAUSE_CONTINUE (0x0040): Required to call the ControlService function to pause or continue the service.
  • SERVICE_QUERY_CONFIG (0x0001): Required to call the QueryServiceConfig and QueryServiceConfig2 functions to query the service configuration.
  • SERVICE_QUERY_STATUS (0x0004): Required to call the QueryServiceStatus or QueryServiceStatusEx function to ask the service control manager about the status of the service. Also required to call the NotifyServiceStatusChange function to receive notification when a service changes status.
  • SERVICE_START (0x0010): Required to call the StartService function to start the service.
  • SERVICE_STOP (0x0020): Required to call the ControlService function to stop the service.
  • SERVICE_USER_DEFINED_CONTROL (0x0100): Required to call the ControlService function to specify a user-defined control code.

The following are the standard access rights for a service.

  • ACCESS_SYSTEM_SECURITY: Required to call the QueryServiceObjectSecurity or SetServiceObjectSecurity function to access the SACL. The proper way to obtain this access is to enable the SE_SECURITY_NAME privilege in the caller's current access token, open the handle for ACCESS_SYSTEM_SECURITY access, and then disable the privilege.
  • DELETE (0x10000): Required to call the DeleteService function to delete the service.
  • READ_CONTROL (0x20000): Required to call the QueryServiceObjectSecurity function to query the security descriptor of the service object.
  • WRITE_DAC (0x40000): Required to call the SetServiceObjectSecurity function to modify the Dacl member of the service object's security descriptor.
  • WRITE_OWNER (0x80000): Required to call the SetServiceObjectSecurity function to modify the Owner and Group members of the service object's security descriptor.

The following are the generic access rights for a service.

  • GENERIC_READ: STANDARD_RIGHTS_READ | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_INTERROGATE | SERVICE_ENUMERATE_DEPENDENTS
  • GENERIC_WRITE: STANDARD_RIGHTS_WRITE | SERVICE_CHANGE_CONFIG
  • GENERIC_EXECUTE: STANDARD_RIGHTS_EXECUTE | SERVICE_START | SERVICE_STOP | SERVICE_PAUSE_CONTINUE | SERVICE_USER_DEFINED_CONTROL

The SCM creates a service object's security descriptor when the service is installed by the CreateService function. The default security descriptor of a service object grants the following access.

  • Remote authenticated users: Not granted by default. Windows Server 2003 with SP1: SERVICE_USER_DEFINED_CONTROL. Windows Server 2003 and Windows XP: the access rights for remote authenticated users are the same as for local authenticated users.
  • Local authenticated users (including LocalService and NetworkService): READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_USER_DEFINED_CONTROL
  • LocalSystem: READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE | SERVICE_PAUSE_CONTINUE | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP | SERVICE_USER_DEFINED_CONTROL
  • Administrators: DELETE | READ_CONTROL | SERVICE_ALL_ACCESS | WRITE_DAC | WRITE_OWNER

To perform any operations, the user must be logged on interactively or the service must use one of the service accounts.

To get or set the security descriptor for a service object, use the QueryServiceObjectSecurity and SetServiceObjectSecurity functions. For more information, see Modifying the DACL for a Service.

When a process uses the OpenService function, the system checks the requested access rights against the security descriptor for the service object.

Granting certain access rights to untrusted users (such as SERVICE_CHANGE_CONFIG or SERVICE_STOP) can allow them to interfere with the execution of your service, and possibly allow them to run applications under the LocalSystem account.

When EnumServicesStatusEx function is called, if the caller does not have the SERVICE_QUERY_STATUS access right to a service, the service is silently omitted from the list of services returned to the client.
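The following is an added example, not code from the page or from Microsoft. It takes a service DACL in SDDL form, which is what `sc sdshow <service>` prints and what SetServiceObjectSecurity consumers typically edit, expands GENERIC_* bits using the service generic-rights mapping given above (the same expansion, with the corresponding table, applies to window station and SCM masks), names each SERVICE_* and standard right, and then flags the grants the preceding paragraph warns about (SERVICE_CHANGE_CONFIG, SERVICE_STOP, and also DELETE, WRITE_DAC and WRITE_OWNER, since those let a trustee rewrite the DACL and reach the same result) to any trustee other than LocalSystem and Administrators. The two SDDL strings are constructed for the example: the first mirrors the default service DACL described above, the second has been weakened. The two-letter SDDL tokens are the sddl.h abbreviations; note that in the rights field the generic DS tokens CC, DC, LC, SW, RP, WP, DT, LO and CR stand for the object-specific bits 0x1 to 0x100, which on a service object are the SERVICE_* rights, and that "WD" means WRITE_DAC in the rights field but Everyone in the SID field. The audit lists allow ACEs only; it is not an AccessCheck (deny ACEs, ACE order and group membership are not evaluated), so treat its output as candidates to confirm.

```python
"""Decode and audit a service DACL written in SDDL (the form `sc sdshow` prints).
Added example, not Microsoft code. Values come from the tables above."""
from __future__ import annotations

import re

SERVICE_RIGHTS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP", 0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE", 0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
SERVICE_ALL_ACCESS = 0xF01FF
READ_CONTROL = 0x20000  # STANDARD_RIGHTS_READ, _WRITE and _EXECUTE are all READ_CONTROL
GENERIC_ALL, GENERIC_EXECUTE, GENERIC_WRITE, GENERIC_READ = 0x10000000, 0x20000000, 0x40000000, 0x80000000

# Generic-to-specific mapping for service objects (generic-rights list above).
GENERIC_MAP = {
    GENERIC_READ: READ_CONTROL | 0x0001 | 0x0004 | 0x0080 | 0x0008,
    GENERIC_WRITE: READ_CONTROL | 0x0002,
    GENERIC_EXECUTE: READ_CONTROL | 0x0010 | 0x0020 | 0x0040 | 0x0100,
    GENERIC_ALL: SERVICE_ALL_ACCESS,
}
# SDDL rights tokens (sddl.h). CC..CR are the object-specific bits 0x1..0x100.
SDDL_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": GENERIC_ALL, "GX": GENERIC_EXECUTE, "GW": GENERIC_WRITE, "GR": GENERIC_READ,
}
ADMIN_TRUSTEES = {"SY", "BA"}  # LocalSystem, Builtin Administrators: hold control rights by default
# Rights whose grant to anyone else lets them change what the service runs or retake the DACL.
DANGEROUS = 0x0002 | 0x0020 | 0x10000 | 0x40000 | 0x80000


def parse_sddl_rights(token: str) -> int:
    """Rights field of an SDDL ACE ('CCLCSWRPWPDTLOCRRC' or '0x201FD') to a mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    if len(token) % 2:
        raise ValueError(f"odd-length rights string: {token!r}")
    mask = 0
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL rights token {pair!r}")
        mask |= SDDL_RIGHTS[pair]
    return mask


def expand_generic(mask: int) -> int:
    """Replace GENERIC_* bits with the specific service rights they map to."""
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def decode_mask(mask: int) -> list[str]:
    """Name every set bit of an expanded service access mask; unknown bits stay hex."""
    return [SERVICE_RIGHTS.get(1 << b) or STANDARD_RIGHTS.get(1 << b) or hex(1 << b)
            for b in range(32) if mask & (1 << b)]


def parse_dacl(sddl: str) -> list[dict]:
    """Return the ACEs of the D: section as dicts with type, flags, expanded mask and SID."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append({"type": ace_type, "flags": flags,
                     "mask": expand_generic(parse_sddl_rights(rights)), "sid": sid})
    return aces


def audit_service_dacl(sddl: str) -> list[tuple[str, list[str]]]:
    """List non-admin trustees that an allow ACE grants one of the DANGEROUS rights."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] in ADMIN_TRUSTEES:
            continue
        risky = ace["mask"] & DANGEROUS
        if risky:
            findings.append((ace["sid"], decode_mask(risky)))
    return findings


# Constructed samples in `sc sdshow` format: the default DACL from the text, and a weakened one.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;RPWPDC;;;AU)(A;;GW;;;WD)")

if __name__ == "__main__":
    for ace in parse_dacl(DEFAULT_SDDL):
        print(f"{ace['type']} {ace['sid']:4} {', '.join(decode_mask(ace['mask']))}")
    for sid, names in audit_service_dacl(WEAK_SDDL):
        print(f"WARNING: {sid} is allowed {', '.join(names)}")
```

Expanding generic bits before decoding matters: an ACE written as `(A;;GW;;;WD)` carries no SERVICE_CHANGE_CONFIG bit in the raw mask, yet because GENERIC_WRITE maps to STANDARD_RIGHTS_WRITE | SERVICE_CHANGE_CONFIG for a service object it grants Everyone the right to change the executable the service runs.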
