A security descriptor controls access to a computer system, process, or file. It determines whether a user or process can access the object and whether the object can access other things. Windows® systems use security descriptors for securable objects, and the descriptor contains ownership, incoming access, and outgoing access information.
A security descriptor is information attached to a part of a computer system, process, or file that controls its access parameters. These descriptors determine whether a user or process can access the protected object and whether the object can access other things. A security descriptor is often placed high in a directory path or process chain, and the items beneath the protected object inherit its descriptor and become secure themselves. This simplifies things for the user, who only needs to secure one parent object to create a secure area.
The term “security descriptor” is used correctly only for Windows®-based operating systems (OS). These descriptors were developed to protect Windows® objects from being accessed in inappropriate ways. Because the term is so vague, it is often used to describe ways of protecting files and processes on other systems that use different methods. This is especially common with operating systems that make heavy use of read/write access commands.
On Windows® systems, security descriptors apply only to securable objects. “Securable” simply means that an object has the potential to have a security descriptor added; the word differentiates these elements from standard objects. Even though protected objects and common objects are different, the term refers only to that potential, not to whether an object is actually protected.
Objects are a variety of different things within the Windows® operating system. The system uses the term to mean everything it can access and everything it has accessed, so nearly every unfixed bit of information on the system is an object. These objects can be user-side, such as a file or a folder full of files, or system-side, such as a running process or a registry entry.
An object can only be protected if it is unique and identifiable. This is a simple concept that has a huge impact on how a system works. A unique object means that only one exists at a time. If there is currently only one of an object that could have duplicates, it is still not unique, because another could come into existence. An identifiable object contains discrete parameters that determine its beginning, its end, and its reason for existence.
If a security descriptor can be added to an object, the process is usually very simple and often automatic. The descriptor contains three pieces of information: ownership, incoming access, and outgoing access. The ownership entry indicates what created the object and whether it passes its descriptor on to its children. Incoming access tells the object what has access to its contents. Outgoing access tells the object which objects it has access to.
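The ownership and incoming-access parts of a descriptor, and the inheritance from a parent directory described earlier, can be seen directly on a Windows® file system. The following PowerShell session is an added example, not code from the original article: it reads the descriptor of a scratch directory, adds one inheritable access entry, and then shows that a newly created child file receives that entry without any action on the file itself. The directory and file paths under $env:TEMP and the choice of BUILTIN\Users as the principal are assumptions for the demonstration.

```powershell
# Added example (not from the original article). Paths and the BUILTIN\Users
# principal are assumptions chosen for the demonstration.
$root  = Join-Path $env:TEMP 'sd-demo'
$child = Join-Path $root 'child.txt'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Ownership: the descriptor records which account owns the object.
$acl = Get-Acl -Path $root
"Owner of ${root}: $($acl.Owner)"

# Incoming access: each entry says which principal may do what to the object,
# and its inheritance flags decide whether children receive the same entry.
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType,
    IsInherited, InheritanceFlags -AutoSize

# Add an explicit read-and-execute entry that propagates to subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users',
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# Create a child object; it inherits the parent's descriptor entry automatically.
New-Item -ItemType File -Path $child -Force | Out-Null
$childAcl = Get-Acl -Path $child
$childAcl.Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
# The inherited entry shows IsInherited = True.

# Defender's check: a child whose descriptor has inheritance disabled is no
# longer governed by the parent, which breaks the "secure one thing" model.
if ($childAcl.AreAccessRulesProtected) {
    Write-Warning "$child has inheritance disabled; $root does not govern its access."
}
```

Running the session as an ordinary user is enough, since it only touches a directory under the user's own temp folder; the same Get-Acl inspection can be pointed at any path to check whether its entries are inherited or were set explicitly on that object.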