Denying Access Using Low-Level Functions

This example uses the low-level access-control functions to attach an empty DACL to a file object. The effect of an empty DACL is to deny all access to the object.

The example allocates a buffer for the security descriptor and calls the InitializeSecurityDescriptor function to initialize the buffer. Then it allocates a buffer for the ACL and calls the InitializeAcl function to initialize that buffer. Next, it calls the SetSecurityDescriptorDacl function to attach the ACL to the security descriptor; and calls the SetFileSecurity function to attach the security descriptor to a file.

PSECURITY_DESCRIPTOR pSD; 
PACL pACL; 
DWORD cbACL = 1024; 
 
// Initialize a security descriptor.  
 
pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, 
    SECURITY_DESCRIPTOR_MIN_LENGTH);   // defined in WINNT.H  
if (pSD == NULL) { 
    ErrorHandler("LocalAlloc"); 
    goto Cleanup; 
} 
 
if (!InitializeSecurityDescriptor(pSD, 
        SECURITY_DESCRIPTOR_REVISION)) { // defined in WINNT.H  
    ErrorHandler("InitializeSecurityDescriptor"); 
    goto Cleanup; 
} 
 
// Initialize a DACL.  
 
pACL = (PACL) LocalAlloc(LPTR, cbACL); 
if (pACL == NULL) { 
    ErrorHandler("LocalAlloc"); 
    goto Cleanup; 
} 
 
if (!InitializeAcl(pACL, cbACL, ACL_REVISION2)) { 
    ErrorHandler("InitializeAcl"); 
    goto Cleanup; 
} 
 
// Add an empty ACL to the SD to deny access.  
 
if (!SetSecurityDescriptorDacl(pSD, 
        TRUE,     // fDaclPresent flag   
        pACL, 
        FALSE)) { // not a default DACL  
    ErrorHandler("SetSecurityDescriptorDacl"); 
    goto Cleanup; 
} 
 
// Use the new SD as the file's security info.  
 
if (!SetFileSecurity(lpszTestFile, 
        DACL_SECURITY_INFORMATION, 
        pSD)) { 
    ErrorHandler("SetFileSecurity"); 
    goto Cleanup; 
} 
 
Cleanup: 
    if(pSD != NULL) 
        LocalFree((HLOCAL) pSD); 
    if(pACL != NULL) 
        LocalFree((HLOCAL) pACL);