Access Control List: What is the ACL?

The Access Control List or ACL is used by operating systems to track which accounts hold which permissions for different objects and resources. Read on to learn about the ACL in Windows.

General Information

Access Control Lists (ACL) are generally used to limit access to data objects. An ACL contains a number of entries, which are called ACEs (Access Control Entries); each ACE describes one individual access rule. For example, an entry might set a user’s permissions for an object (like a file on the file server) to a specific level, e.g. “Read”, “Write”, “Full Control”.

The ACL is how Windows authorizes users to access different resources. Read our blog post to learn more about authentication and authorization in Windows.

ACL in Microsoft Windows

In Microsoft Windows, many object types carry an ACL via their security descriptor, e.g. processes, directories, files, organizational units (OUs) in Active Directory, Exchange mailboxes and so on. For ACLs on an NTFS file system, the ACEs within an ACL have the following properties:

  • Both individual users and groups can be named as trustees. Windows displays the name of the user or group, but the entry itself stores the SID of that account.

  • The users and groups can be either local computer accounts or Active Directory users/groups.

  • Permissions can be granted or denied. Deny entries are sorted ahead of allow entries in the canonical ACL order, so a deny is evaluated first and takes priority over an allow at the same inheritance level.

  • Entries can either be inherited from the parent folder or set explicitly on the object (explicit entries rank above inherited entries).

  • Each entry comprises a specific set of permissions (NTFS defines which permissions exist).
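To make the ordering rules above concrete, here is an added example (not code from the original article) that models how an NTFS DACL is evaluated: ACEs are sorted into the canonical order and the access check walks them. The Users group SID is the real well-known SID; the user SID and the access-mask values are constructed placeholders.

```python
# Simplified model of Windows DACL evaluation. Constructed example: the user SID
# and the rights constants are placeholders, not real Windows values.
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL_CONTROL = READ | WRITE | EXECUTE

@dataclass(frozen=True)
class Ace:
    """One Access Control Entry: trustee (stored as a SID), allow or deny,
    an access mask, and whether it was inherited from the parent folder."""
    sid: str
    allow: bool
    mask: int
    inherited: bool = False

def canonical_order(acl):
    """Windows sorts ACEs as explicit deny, explicit allow, inherited deny,
    inherited allow. Sorting by (inherited, allow) reproduces that order."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))

def access_check(acl, token_sids, requested):
    """Walk the canonically ordered DACL. A deny ACE for a trustee in the
    token that covers a right still outstanding ends the check with a denial;
    allow ACEs strip granted bits until none remain. Rights never explicitly
    allowed by the end of the list are implicitly denied."""
    remaining = requested
    for ace in canonical_order(acl):
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

# Constructed DACL for one file: the parent folder grants Users read+write and
# denies Users execute (both inherited); an administrator explicitly denied
# Alice write and explicitly allowed her execute.
USERS, ALICE = "S-1-5-32-545", "S-1-5-21-EXAMPLE-1001"
ACL = [
    Ace(USERS, allow=True,  mask=READ | WRITE, inherited=True),
    Ace(USERS, allow=False, mask=EXECUTE,      inherited=True),
    Ace(ALICE, allow=False, mask=WRITE),    # explicit deny beats inherited allow
    Ace(ALICE, allow=True,  mask=EXECUTE),  # explicit allow beats inherited deny
]
ALICE_TOKEN = {ALICE, USERS}   # SIDs in Alice's access token
```

Calling `access_check(ACL, ALICE_TOKEN, WRITE)` returns False because of the explicit deny, while `EXECUTE` returns True because the explicit allow is evaluated before the inherited deny.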


About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.