| Term | Definition |
|---|---|
| ACE | Access Control Entry. An entry in an ACL that contains: a SID identifying the user or group the entry applies to; an access mask specifying the access rights; a set of bit flags that control whether child objects inherit the ACE; and a type field indicating the kind of ACE (access allowed, access denied or system audit). |
| ACL | Access Control List. List of access permissions that apply to an object. Each entry (ACE) names a user or group and the operations that are allowed, denied or audited for it. Windows uses two kinds: the DACL, which controls access, and the SACL, which controls auditing. |
| B-tree | Tree data structure that keeps data sorted and allows searches, insertions and deletions in logarithmic time. It is most commonly used in databases and file systems; the index attributes of NTFS, including those in $Secure, are B-trees. |
| B+ tree | Tree data structure with sorted data records, each identified by a key. It is a dynamic, multilevel index with maximum and minimum bounds on the number of keys in each index segment (usually called a 'block' or 'node'). In a B+ tree, in contrast to a B-tree, all records are stored at the lowest level of the tree; only keys are stored in interior blocks. |
| DACL | Discretionary Access Control List. The part of the security descriptor that controls access to an object; it contains the ACEs that specify which access is allowed or denied. It is discretionary because the object's owner controls it and can pass the right to change it on to others. An empty DACL denies everyone; a missing (NULL) DACL grants everyone full access. |
| Hash | Fixed-size value computed from a security descriptor and used as the key of the $SDH index. It is a potentially non-unique shorthand for the descriptor: two different descriptors can produce the same hash, so a hash match is confirmed by comparing the stored descriptor byte for byte before it is shared. |
| LUID | Locally Unique Identifier. 64-bit value guaranteed to be unique only on the system that generated it, and only until that system restarts. Used, for example, to identify logon sessions and privileges. |
| POSIX | Portable Operating System Interface. Family of related standards that define the API (Application Programming Interface) for software compatible with variants of the Unix operating system. |
| SACL | System Access Control List. The part of the security descriptor that controls how access is audited. It contains ACEs that specify which access attempts (successful, failed or both) by which accounts are recorded in the Security event log. |
| SAM | Security Accounts Manager. Protected database of local user accounts and groups, stored in the Windows registry (the HKLM\SAM hive, backed by the file %SystemRoot%\System32\config\SAM). Because it holds the password hashes of local accounts, copies of the hive are a common target for offline credential theft. |
| $SDH Index | Security Descriptor Hash index. Index attribute in the $Secure file keyed by the descriptor hash. Lets NTFS quickly determine whether a security descriptor being applied to a file or directory is already stored in the $SDS stream and can be shared instead of being stored again. |
| $SDS Data Stream | Security Descriptor Stream. Named data stream ($SDS) of the $Secure file that contains every security descriptor on the volume, each preceded by a header giving its hash, security ID, offset within the stream and entry size. |
| $Secure | Metadata file (MFT record 9) that acts as the central security database for NTFS permissions. Descriptors are stored once in $SDS and referenced by a 32-bit security ID from each file's $STANDARD_INFORMATION attribute, so files with identical permissions share a single descriptor. |
| Security Descriptor | Part of the $SDS data stream that holds the security information for an object: its owner, primary group, DACL and SACL. |
| Security ID | 32-bit identifier stored in the Security Id field of a file's $STANDARD_INFORMATION attribute. It is the key into the $SII index and is also recorded in each $SDS entry header. Not to be confused with a SID: the security ID is a per-volume index into $Secure, while a SID identifies a user or group. |
| SID | Security Identifier. Unique value of variable length that identifies a security principal or security group. Written as S-1-<authority>-<sub-authorities>, for example S-1-5-32-544 for the built-in Administrators group; ACEs store the binary form. |
| $SII Index | Security ID Index. Index attribute in the $Secure file keyed by security ID; each entry holds the descriptor's hash, its security ID, its offset within $SDS and its size. Lets NTFS locate a file's security descriptor quickly while performing access checks. |
- NTFS Permissions
- Setting Permissions
- File and Folder Basic Permissions
- File and Folder Advanced Permissions
- Effective Permissions
- Changing Ownership of Files and Folders
- Moving and Copying Protected Files
- Troubleshooting Access to Files and Shared Folders
- Permissions for Other Objects
- User Rights vs. NTFS Permissions
- Share Permissions vs. NTFS Permissions
- Explicit vs. Inherited Permissions
- Allow vs. Deny Permissions
- Permission Precedence
- Combining Shared Folder Permissions and NTFS Permissions
- Sharing and Adding Permissions
- Backing up and Restoring NTFS Permissions on a Specified Volume
- Off-line Access to Shared Folders (Caching)
- Metafile $Secure
- Appendix. Script to Backup or Restore NTFS Permissions