Access Control Lists (ACL; rhymes with “cackle”) are used in two ways in Windows security. One type of ACL is designed to gate access, and the other is designed to audit access. The structure is the same in both cases, but the semantics of how the ACL is used differs. I'll focus first on ACLs that gate access, and then discuss how ACLs used for auditing differ. If you've read my discussion of security descriptors in Item 42, you'll recognize where these two types of ACLs are found. The DACL in a security descriptor is used to gate access whereas the SACL is used for auditing.

The basic structure of an ACL is shown in Figure 43.1. Each record in it is called an Access Control Entry, or ACE, and includes ...