Updated on September 9, 2025
A Security Descriptor (SD) is a fundamental data structure in Windows and Active Directory that contains the security information for a securable object. It serves as the authoritative source for all access control decisions, defining who owns an object, what permissions they have, and what actions should be audited.
Understanding the components of a Security Descriptor is essential for administrators and security professionals to properly manage permissions and defend against privilege escalation attacks. This technical reference will break down each component and explain how they work together to control access to Windows resources.
Definition and Core Concepts
A Security Descriptor is a data structure that is associated with every securable object in Windows and Active Directory, such as a file, a folder, a registry key, or a user account. It contains the security information that defines an object’s owner and the permissions granted to users and groups.
Two key concepts are fundamental to understanding Security Descriptors:
- Securable Object: Any resource in Windows that can have security permissions assigned to it. This includes files, folders, registry keys, processes, threads, Active Directory objects, and many other system resources.
- Security Identifier (SID): A unique, immutable value that identifies a security principal—a user, group, or computer. SIDs are the values stored in a Security Descriptor’s access lists. When you see a permission granted to “DOMAIN\Users,” the system actually stores and references the corresponding SID for that group.
Key Components
A Security Descriptor is composed of several key components that work together to define an object’s security posture:
Owner SID
The Security Identifier of the user or group that owns the object. The owner has the authority to change permissions on the object, regardless of the permissions assigned to them in the object’s access control list. This ownership right cannot be removed through standard permission modifications.
Group SID
The SID of the primary group for the object. This component exists primarily for POSIX compatibility and legacy reasons. In most Windows environments, it has limited practical impact on access control decisions.
DACL (Discretionary Access Control List)
The most critical component for access control. The DACL is a list of Access Control Entries (ACEs) that explicitly grant or deny specific permissions to users or groups. Each ACE contains a SID and the permissions granted or denied to that security principal.
SACL (System Access Control List)
Contains a list of ACEs that are used for auditing purposes. The SACL determines what actions on the object are logged to the Windows security event log. This component is crucial for compliance and security monitoring.
Control Flags
A set of flags that define the behavior of the Security Descriptor. These flags indicate whether a DACL is present, if permissions are inherited from a parent object, whether the DACL’s integrity is protected, and other behavioral characteristics.
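The following PowerShell block is an added example written for this reference (it is not code from the original page); it decodes each component named above from a constructed SDDL string using the .NET System.Security.AccessControl types. It needs PowerShell 5.1 or later on Windows, because SDDL parsing is done by the platform; the SDDL string, the principals in it and the function names are assumptions made for the demo.

```powershell
# Added example: decode the parts of a Security Descriptor from its SDDL text.
# Constructed sample, read left to right:
#   O:BA            owner = BUILTIN\Administrators
#   G:SY            group = NT AUTHORITY\SYSTEM
#   D:AI(...)       DACL, auto-inherited, three ACEs with the deny ACE first
#   S:(AU;SAFA;...) SACL: audit success and failure of permission/owner changes
$Sddl = 'O:BAG:SYD:AI(D;;FA;;;AN)(A;OICI;FA;;;BA)(A;OICIID;0x1200a9;;;AU)S:(AU;SAFA;WDWO;;;WD)'

function Convert-SidToName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Display only: the descriptor stores the SID, never the account name.
    if ($null -eq $Sid) { return '<none>' }
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-SecurityDescriptorInfo {
    param([string]$SddlForm)
    $sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($SddlForm)
    $flags = $sd.ControlFlags

    # Walk either ACL. A missing ACL (present flag clear) is a different thing
    # from an empty one, so keep the null case visible.
    $decodeAcl = {
        param($Acl)
        if ($null -eq $Acl) { return @() }
        foreach ($ace in $Acl) {
            [pscustomobject]@{
                Type      = $ace.AceType
                Principal = Convert-SidToName $ace.SecurityIdentifier
                Sid       = $ace.SecurityIdentifier.Value
                Mask      = '0x{0:X8}' -f $ace.AccessMask
                # Interpret the raw mask as file-system rights for readability
                Rights    = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
                AceFlags  = $ace.AceFlags
                Inherited = $ace.IsInherited
            }
        }
    }

    [pscustomobject]@{
        Owner         = Convert-SidToName $sd.Owner
        Group         = Convert-SidToName $sd.Group
        ControlFlags  = $flags
        DaclPresent   = $flags.HasFlag([System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent)
        DaclProtected = $flags.HasFlag([System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected)
        SaclPresent   = $flags.HasFlag([System.Security.AccessControl.ControlFlags]::SystemAclPresent)
        Dacl          = @(& $decodeAcl $sd.DiscretionaryAcl)
        Sacl          = @(& $decodeAcl $sd.SystemAcl)
    }
}

$info = Get-SecurityDescriptorInfo -SddlForm $Sddl
$info | Select-Object Owner, Group, ControlFlags, DaclPresent, DaclProtected, SaclPresent | Format-List
"DACL ($($info.Dacl.Count) ACEs, listed in evaluation order):"
$info.Dacl | Format-Table Type, Principal, Rights, AceFlags, Inherited -AutoSize
"SACL (audit entries):"
$info.Sacl | Format-Table Type, Principal, Rights, AceFlags -AutoSize
```

Two things worth noticing in the output: the DACL lists the deny ACE first, which is the canonical order the access check depends on, and the third ACE carries the Inherited flag, so it came from a parent and will disappear if inheritance is disabled without copying.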
How Authorization Works
When a user attempts to perform an action on a securable object, the system performs an “access check.” This process compares the SIDs in the user’s access token to the ACEs in the object’s DACL to determine if the user is authorized.
Access Check Process
The system examines the user’s access token, which contains their user SID and all their group SIDs. This token is created when the user logs in and remains constant throughout their session.
ACE Evaluation Order
The system evaluates the ACEs in the DACL in list order. In a canonically ordered DACL, explicit deny ACEs are placed before explicit allow ACEs, so they are evaluated first. This order is critical: an explicit denial overrides any grant of the same right, even when the grant appears later in the list.
Permission Resolution
When the system finds an ACE whose SID matches one of the SIDs in the user's token, it applies the permissions defined in that ACE. A deny ACE that covers a requested right refuses access, and that denial takes precedence over any grant. If no ACE explicitly grants or denies the requested access, the default behavior is to deny it.
The access check stops as soon as the system has enough information to make a decision. If the requested permissions are granted through matching ACEs, access is allowed. If any required permission is denied or not granted, access is refused.
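The steps above, as an added example written for this reference (not Windows' own AccessCheck implementation): a readable simulation of the DACL access check that follows the documented rules, run against a constructed object and three constructed tokens. It needs PowerShell 5.1 or later on Windows for SDDL parsing; the domain SID, RIDs and function names are made up, and the simulation does not map generic rights, so it is called with specific rights only.

```powershell
# Added example: simulate the DACL access check on constructed input.
$FILE_READ_DATA = 0x00000001
$READ_CONTROL   = 0x00020000
$WRITE_DAC      = 0x00040000
$INHERIT_ONLY   = 0x08   # AceFlags bit: the ACE only exists to be inherited by children

function Test-DaclAccess {
    param(
        [System.Security.AccessControl.RawSecurityDescriptor]$Descriptor,
        [string[]]$TokenSids,   # the user's SID plus every group SID in the token
        [int]$RequestedMask
    )
    $result  = { param($ok, $why, $got) [pscustomobject]@{ Allowed = $ok; Reason = $why; GrantedMask = ('0x{0:X}' -f $got) } }
    $granted = 0

    # No DACL at all (DACL-present flag clear) means no restrictions: every
    # caller gets every right. An EMPTY DACL is the opposite and grants nothing.
    if ($null -eq $Descriptor.DiscretionaryAcl) {
        return & $result $true 'null DACL: no access control' $RequestedMask
    }

    # The owner implicitly holds READ_CONTROL and WRITE_DAC, which is why the
    # owner can always rewrite the permissions whatever the ACEs say.
    if ($Descriptor.Owner -and ($TokenSids -contains $Descriptor.Owner.Value)) {
        $granted = $RequestedMask -band ($READ_CONTROL -bor $WRITE_DAC)
        if ($granted -eq $RequestedMask) { return & $result $true 'implicit owner rights' $granted }
    }

    # Walk the ACEs in list order; the first decisive ACE ends the check.
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        if (([int]$ace.AceFlags -band $INHERIT_ONLY) -ne 0) { continue }
        if ($TokenSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        $remaining = $RequestedMask -band (-bnot $granted)
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            # A deny counts for any requested right not yet granted.
            if (($ace.AccessMask -band $remaining) -ne 0) {
                return & $result $false "denied by ACE for $($ace.SecurityIdentifier.Value)" $granted
            }
        }
        elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $granted = $granted -bor ($ace.AccessMask -band $RequestedMask)
            if ($granted -eq $RequestedMask) { return & $result $true 'all requested rights granted' $granted }
        }
    }
    # No deny matched, but at least one requested right was never granted.
    return & $result $false 'implicit deny: right not granted by any ACE' $granted
}

# Constructed object: owned by user RID 1104. The DACL denies read/execute
# (0x1200a9) to the Contractors group (RID 1105) BEFORE allowing it to
# Authenticated Users, and gives Administrators full control.
$Sddl = 'O:S-1-5-21-1000-2000-3000-1104G:S-1-5-21-1000-2000-3000-513' +
        'D:(D;;0x1200a9;;;S-1-5-21-1000-2000-3000-1105)(A;;0x1200a9;;;AU)(A;;FA;;;BA)'
$sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
$noDacl = [System.Security.AccessControl.RawSecurityDescriptor]::new('O:BAG:SY')

# Constructed tokens: user SID followed by the group SIDs it would carry.
$OwnerToken      = 'S-1-5-21-1000-2000-3000-1104', 'S-1-5-21-1000-2000-3000-513', 'S-1-5-11'
$ContractorToken = 'S-1-5-21-1000-2000-3000-1106', 'S-1-5-21-1000-2000-3000-1105', 'S-1-5-11'
$AnonymousToken  = 'S-1-5-7'

$cases = @(
    @{ Who = 'owner';      Token = $OwnerToken;      Want = $WRITE_DAC;                        Sd = $sd }
    @{ Who = 'owner';      Token = $OwnerToken;      Want = ($FILE_READ_DATA -bor $READ_CONTROL); Sd = $sd }
    @{ Who = 'contractor'; Token = $ContractorToken; Want = $FILE_READ_DATA;                   Sd = $sd }
    @{ Who = 'contractor'; Token = $ContractorToken; Want = $WRITE_DAC;                        Sd = $sd }
    @{ Who = 'anonymous';  Token = $AnonymousToken;  Want = $FILE_READ_DATA;                   Sd = $sd }
    @{ Who = 'anonymous';  Token = $AnonymousToken;  Want = $WRITE_DAC;                        Sd = $noDacl }
)
$rows = foreach ($c in $cases) {
    $r = Test-DaclAccess -Descriptor $c.Sd -TokenSids $c.Token -RequestedMask $c.Want
    [pscustomobject]@{ Who = $c.Who; Requested = ('0x{0:X}' -f $c.Want); Allowed = $r.Allowed; Reason = $r.Reason }
}
$rows | Format-Table -AutoSize
```

The six rows show each rule in turn: the owner gets WRITE_DAC with no ACE granting it; a contractor is refused read access by the deny ACE even though the Authenticated Users allow ACE later in the list would have matched; the contractor's WRITE_DAC request fails by implicit deny because nothing grants it; the anonymous token matches nothing and is implicitly denied; and the descriptor with no DACL lets the same anonymous token through.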
Troubleshooting and Security Considerations
Inheritance Complexity
Permissions can be inherited from parent objects, which can make managing permissions complex. Child objects automatically receive permissions from their parent containers unless inheritance is explicitly disabled. Administrators must take care when configuring explicit permissions so that they do not unintentionally override beneficial inherited permissions.
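An added example written for this reference (not code from the page) that shows inheritance happening on NTFS with Get-Acl and Set-Acl, then disables it on the child. It creates and removes a throw-away folder tree under $env:TEMP, so it touches nothing else and needs no elevation; it assumes Windows with PowerShell 5.1 or later, and the folder names and the helper function are made up for the demo.

```powershell
# Added example: observe inherited ACEs and then protect the child's DACL.
$root  = Join-Path $env:TEMP ('sd-demo-' + [guid]::NewGuid().ToString('N'))
$child = Join-Path $root 'child'
New-Item -ItemType Directory -Path $child -Force | Out-Null

function Show-Dacl([string]$Path) {
    $acl = Get-Acl -Path $Path
    Write-Host ("`n{0}`n  owner: {1}   inheritance disabled (protected): {2}" -f $Path, $acl.Owner, $acl.AreAccessRulesProtected)
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize |
        Out-Host
}

try {
    # 1. Put an explicit, inheritable allow ACE on the parent: Authenticated
    #    Users (S-1-5-11, used as a SID so the demo is locale independent) may
    #    read and execute this folder, its subfolders and its files.
    $parentAcl = Get-Acl -Path $root
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11'),
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $parentAcl.AddAccessRule($rule)
    Set-Acl -Path $root -AclObject $parentAcl

    # 2. The child received the same ACE automatically; it is flagged IsInherited.
    Show-Dacl $root
    Show-Dacl $child

    # 3. Disable inheritance on the child. The second argument decides what
    #    happens to the ACEs it already inherited: $true copies them in as
    #    explicit ACEs, $false drops them. Dropping them on an object that has
    #    no explicit ACEs of its own leaves an empty DACL that grants nobody
    #    anything until a holder of WRITE_DAC (such as the owner) repairs it.
    $childAcl = Get-Acl -Path $child
    $childAcl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $child -AclObject $childAcl

    # 4. Same entries, but IsInherited is now False and the DACL is protected:
    #    later changes on the parent no longer reach this child.
    Show-Dacl $child
}
finally {
    Remove-Item -Path $root -Recurse -Force
}
```

The second Show-Dacl of the child is the point of the exercise: the entries look the same as before, but they are now explicit copies, so a permission later tightened on the parent will silently not apply here. That is the situation the paragraph above warns about, and `AreAccessRulesProtected` is the property to check for it when reviewing a tree.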
Privilege Escalation Risks
A misconfigured Security Descriptor can be a significant security risk. Attackers often perform reconnaissance to identify objects with weak DACLs that grant excessive permissions. Common vulnerabilities include:
- Overly permissive group memberships
- Inherited permissions that grant unintended access
- Missing deny ACEs for sensitive operations
- Improper ownership assignments
Administrative Tools
Administrators use specialized tools to view and modify Security Descriptors. The dsacls command-line tool allows viewing and modifying the DACL of Active Directory objects. For file system objects, tools like icacls provide similar functionality. PowerShell cmdlets such as Get-Acl and Set-Acl offer programmatic access to Security Descriptor information.
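As an added example for the weaknesses listed under Privilege Escalation Risks and the tooling described here, the following PowerShell block (written for this reference, not taken from the page or from any vendor tool) audits DACLs for those patterns. It runs over constructed SDDL samples; to audit live objects, pass `(Get-Acl $path).Sddl`, or the ntSecurityDescriptor of an Active Directory object, as -Sddl. It assumes Windows with PowerShell 5.1 or later; the domain SID and object names are made up, and which owners count as "privileged" is a policy choice encoded in two lists that you would adjust for your environment.

```powershell
# Added example: flag weak DACL patterns on constructed security descriptors.
$WRITE_DAC = 0x00040000; $WRITE_OWNER = 0x00080000
$GENERIC_WRITE = 0x40000000; $GENERIC_ALL = 0x10000000
# Any of these rights lets the holder rewrite the DACL or take the object over.
$TakeoverMask = $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_WRITE -bor $GENERIC_ALL

# Principals so broad that an allow ACE for them effectively means "anyone".
$BroadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-7' = 'ANONYMOUS LOGON'
                'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users' }
$BroadDomainRids = @{ 513 = 'Domain Users'; 515 = 'Domain Computers' }
# Owners that are expected on sensitive objects (policy choice; adjust).
$PrivilegedSids = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, SYSTEM
$PrivilegedRids = 512, 519                     # Domain Admins, Enterprise Admins

function Get-BroadPrincipalName([System.Security.Principal.SecurityIdentifier]$Sid) {
    if ($BroadSids.ContainsKey($Sid.Value)) { return $BroadSids[$Sid.Value] }
    if ($Sid.AccountDomainSid) {
        $rid = [int]$Sid.Value.Split('-')[-1]
        if ($BroadDomainRids.ContainsKey($rid)) { return $BroadDomainRids[$rid] }
    }
    return $null
}

function Test-PrivilegedOwner([System.Security.Principal.SecurityIdentifier]$Sid) {
    if ($null -eq $Sid) { return $false }
    if ($PrivilegedSids -contains $Sid.Value) { return $true }
    return [bool]($Sid.AccountDomainSid -and ($PrivilegedRids -contains [int]$Sid.Value.Split('-')[-1]))
}

function Get-DaclFindings {
    param([string]$ObjectName, [string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $finding = { param($Severity, $Text) [pscustomobject]@{ Object = $ObjectName; Severity = $Severity; Finding = $Text } }

    if ($null -eq $sd.DiscretionaryAcl) {
        & $finding 'High' 'no DACL at all: every principal has full control'
        return
    }
    # The owner can always rewrite the DACL, so an unexpected owner is a finding.
    if (-not (Test-PrivilegedOwner $sd.Owner)) {
        & $finding 'Medium' "owner $($sd.Owner.Value) is not a privileged principal but can always rewrite the DACL"
    }
    if ($sd.DiscretionaryAcl.Count -eq 0) {
        & $finding 'Info' 'empty DACL: denies everyone (usually a mistake rather than hardening)'
    }
    $seenExplicitAllow = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Canonical order puts explicit denies before explicit allows; a deny
        # placed after an allow may never be reached during the access check.
        if (-not $ace.IsInherited) {
            if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { $seenExplicitAllow = $true }
            elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied -and $seenExplicitAllow) {
                & $finding 'Medium' "deny ACE for $($ace.SecurityIdentifier.Value) comes after an allow ACE (non-canonical order)"
            }
        }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $broad = Get-BroadPrincipalName $ace.SecurityIdentifier
        if ($broad -and (($ace.AccessMask -band $TakeoverMask) -ne 0)) {
            $source = if ($ace.IsInherited) { 'inherited from the parent' } else { 'set explicitly' }
            & $finding 'High' ('{0} can change permissions or ownership (mask 0x{1:X8}, {2})' -f $broad, $ace.AccessMask, $source)
        }
    }
}

# Constructed samples (the domain SID S-1-5-21-1000-2000-3000 is made up).
$Samples = [ordered]@{
    'share-root' = 'O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)'
    'svc-config' = 'O:S-1-5-21-1000-2000-3000-1104G:S-1-5-21-1000-2000-3000-513D:(A;;FA;;;AU)'
    'legacy-app' = 'O:BAG:SYD:AI(A;OICI;FA;;;BA)(A;OICIID;GA;;;WD)'
    'no-dacl'    = 'O:BAG:SY'
    'bad-order'  = 'O:BAG:SYD:(A;;FA;;;BU)(D;;WD;;;BU)'
}
$report = foreach ($name in $Samples.Keys) { Get-DaclFindings -ObjectName $name -Sddl $Samples[$name] }
$report | Format-Table Object, Severity, Finding -AutoSize -Wrap
```

Expected output: share-root produces nothing; svc-config is flagged for its non-privileged owner and for Authenticated Users holding full control; legacy-app is flagged for an Everyone GENERIC_ALL entry that is inherited, which is the case where the fix belongs on the parent rather than the object; no-dacl is the null-DACL case; and bad-order shows a deny ACE that sits behind an allow ACE. The same function works on file-system objects via Get-Acl and on directory objects via their ntSecurityDescriptor, where dsacls shows the same information in its own format.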
Key Terms Reference
- Security Descriptor (SD): The complete data structure that defines an object’s security configuration, including ownership, permissions, and auditing rules.
- DACL (Discretionary Access Control List): The component that contains the actual permission entries determining who can access an object and what they can do.
- SACL (System Access Control List): The component that defines what actions should be audited and logged to the security event log.
- ACE (Access Control Entry): An individual entry within a DACL or SACL that grants, denies, or audits specific rights for a particular security principal.
- SID (Security Identifier): A unique, immutable identifier for users, groups, and computers that the system uses internally for all access control decisions.
- Access Token: The data structure that contains a user’s complete security context, including their user SID and all group SIDs, used during access checks.