Getting started with SDDL (Security Descriptor Definition Language)

So, you’re attempting to grant some users permission to read the event log on a Windows Server 2003 server and all of a sudden you’re plunged deep in to the world of SDDL and needing to amend a random registry entry to grant access. You’re under pressure. What do you do?

Task:

Grant access for a user account to read the Application Event log but without making them a member of Local Administrators or any other local group.

Solution:

Locate and edit the following registry key:

Problem 2:

The key above is in SDDL format and it’s not something you’ve seen before. What’s it all about and how can you edit it without breaking it? Example:

Solution 2:

The SDDL format can be broken down in to four parts colour coded in red, green, blue and orange below:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)

O = Owner
G = Primary Group
D = DACL Entries
S = SACL Entries (not included in example)

The owner (O:) of the object in the above example is the Builtin Administrators group (BA). You can decipher the SID String entry from the list provided by Microsoft here: http://msdn.microsoft.com/en-us/library/aa379602.aspx

The primary group (G:) of the object in the above example is the Local System (SY). Again, decipher the SID string entry from the list provided by Microsoft: http://msdn.microsoft.com/en-us/library/aa379602.aspx

Then we have the Discretionary Access Control List entries (D:) followed by several parentheses which are the actual DACL entries. Basically these entries wrapped in parentheses are the same entries you can see when you open up the security tab on any file but these entries are written in the SDDL format. Each set of parentheses contains all of the information for an entry.

Our first entry in the DACL section (D;;0xf0007;;;AN) breaks down using the following format separated by semi-colons.

In our example you’ll notice there are some empty entries between the semi-colons, this is OK and actually quite normal for most entries written in SDDL format.

So, again using Microsoft’s helpful (well, mostly) website at http://msdn.microsoft.com/en-us/library/aa374928(v=VS.85).aspx, we can decipher what each of these separate entries do for us when we apply it to our example. The account_sid entry relates to the SID String (link above)

ace_type: D (Deny)
ace_flags: N/A
rights: 0xf0007 (a hexadecimal string which denotes the access mask)
object_guid: N/A
inherit_object_guid: N/A
account_sid: AN (Anonymous)

OK, the only point of confusion above is really the rights section, probably the most important of all of the sections above. Here, in the SDDL links provided by Microsoft you can use either a hexadecimal string (as in our example) or a concatenation of any of the many strings listed at http://msdn.microsoft.com/en-us/library/aa374928.aspx

Converting the access mask in our example in to strings is nigh on impossible because Microsoft don’t give us the conversion values for each of the strings on their website which is kind of frustrating for me since I can’t explain how best to create an SDDL entry using a hex string. My recommendation is to build the permissions you require using the concatenate strings method.

Let’s assume our access mask defines Full rights. When combined with the rest of the DACL entry, it actually denies full access rights to the Anonymous user. We can probably re-write our DACL entry, replacing the hex mask as follows:

(D;;GA;;;AN)

All I’ve done is to replace the 0xf0007 part of the DACL with GA, which is the GENERIC_ALL right as listed on http://msdn.microsoft.com/en-us/library/aa374928.aspx

If we wanted this same entry to grant full permission to the Anonymous user account (NOT A GOOD IDEA!!!) then we would write it as follows:

(A;;GA;;;AN)

Hopefully this little intro has given you the start you need to edit your own SDDL entries. If anyone fancies adding more examples with explanations, please add your comments below.

-Lewis