Platform SDK: Access Control

Automatic Propagation of Inheritable ACEs

In Windows NT versions 4.0 and earlier, a securable object could inherit ACEs only when it was being created or when a new ACL was being applied to the object. The system did not propagate inheritable ACEs to existing child objects. The system did not differentiate between inherited ACEs and ACEs that were applied directly to the object. The system did not allow an object to protect itself from inherited ACEs.

For Windows 2000, the SetNamedSecurityInfo and SetSecurityInfo functions support automatic propagation of inheritable ACEs. For example, if you use these functions to add an inheritable ACE to a directory in an NTFS file system, the system applies the ACE as appropriate to the ACLs of any existing subdirectories or files.

Windows 2000 also introduces a new inheritance model in which directly applied ACEs have precedence over inherited ACEs. The system implements this precedence by placing directly applied ACEs ahead of inherited ACEs in a DACL. Earlier versions of Windows NT did not distinguish between inherited and directly applied ACEs. Consequently, the order of ACEs in a DACL is different for the current and the previous inheritance models. When you call SetNamedSecurityInfo and SetSecurityInfo to set an object's security information, the system imposes the new inheritance model on the ACLs of all objects in the hierarchy below the target object. For objects that have been converted to the new inheritance model, the SE_DACL_AUTO_INHERITED and SE_SACL_AUTO_INHERITED bits are set in the control field of the object's security descriptor.

When building the a new security descriptor reflecting the new inheritance model, care is taken to not change the semantics of the security descriptor. As such, allow and deny ACEs are never moved in relation to one another. If such movement is needed (for instance to place all non-inherited ACEs at the front of an ACL), the ACL is marked as protected to prevent the semantic change.

The system uses the following rules for propagating inherited ACEs to child objects.

These rules can have the unexpected result of converting an object with no DACL to an object with an empty DACL. An object with no DACL allows full access, but an object with an empty DACL allows no access. As an example of how these rules can create an empty DACL, suppose you add an inheritable ACE to the root object of a tree of objects. Automatic inheritance propagates the inheritable ACE to all the objects in the tree. Child objects that started with no DACL now have a DACL with the inherited ACE. If you remove the inheritable ACE from the root object, the system automatically propagates the change to the child objects. Child objects that started with no DACL (allowing full access) now have an empty DACL (allowing no access).

To ensure that a child object with no DACL is not affected by inheritable ACEs, set the SE_DACL_PROTECTED flag in the object's security descriptor.