SDDL – easier to read, except when it’s not. – Tales from the Crypto


SDDL (the Security Descriptor Definition Language) was introduced by Microsoft in Windows 2000 as an answer to the difficulty developers had in writing (and administrators had in reading) Security Descriptors, and specifically the Access Control Lists that come with them. It is a text form of the binary descriptor: ConvertSecurityDescriptorToStringSecurityDescriptor produces it, and ConvertStringSecurityDescriptorToSecurityDescriptor turns it back into the real thing.

The recent advisory about service security settings (the title says “possible vulnerability” – as far as I’m concerned, it’s definite – I’ve exploited it on a couple of our own machines in XP SP1) led me to check on some other services, particularly the one that I make and sell.

My service turned out to be alright, and then a friend emailed me to ask about our favourite target: Quickbooks.  The new Quickbooks 2006 includes a system service.  I got Susan to list the SD on the service:

 C:\Documents and Settings\Administrator>sc sdshow QuickBooksDB


Wow – that’s confusing, isn’t it?  Okay, let’s deconstruct it.  The “D:” at the start introduces the “Discretionary ACL” or “DACL”: the list of what users and groups can and cannot do to the service.  Each parenthesised group that follows it is one Access Control Entry (ACE).  The “S:” towards the end introduces the “SACL” or “System ACL”, which does not grant anything; it lists which accesses get audited (logged to the Security event log).

Let’s look at a sample DACL Access Control Entry (ACE):


An ACE is a semicolon-separated list inside the parentheses: ACE type; ACE flags; rights; object type; inherited object type; trustee.  The “A” in the first field means “Allow” – this ACE lists what the trustee is allowed to do (a “D” in that field would deny it instead).  The “SY” in the last field means that the trustee being described is the local system account.  Other common abbreviations are “BA” for the built-in Administrators group, “AU” for Authenticated Users and “WD” for Everyone; a trustee that has no abbreviation appears as a full S-1-5-21-… style SID string.

The rights in the middle are made up of selections of pairs of letters:


So, that explains it, right?  Well, not exactly – what does it mean to “Create Child” on a service?  To “List Child” on a service?

After a lot of looking, I find that there really isn’t any sensible meaning to those.  The trick is to ignore those names.  Instead, think of the pairs of letters as representing numbers:

CC is listed as being equivalent to SDDL_CREATE_CHILD, or ADS_RIGHT_DS_CREATE_CHILD (the names come from Active Directory objects, where creating a child object actually means something), and that last name has the value 1 in the header file IADS.H.

Oh yes, you have to have the Platform SDK or other source of Windows Include Files to figure this out.

Then you go to the header file WinSvc.h, and find that SERVICE_QUERY_CONFIG is a service-specific access right with the value 1.  Same bit, different name: on a service object, the CC in the SDDL string grants SERVICE_QUERY_CONFIG, and the Service Control Manager never hears the words “create child”.


To help you, I did the work and came up with:

CC – SERVICE_QUERY_CONFIG – ask the SCM for the service’s current configuration
DC – SERVICE_CHANGE_CONFIG – change the service’s configuration, including the binary the SCM runs and the account it runs as
LC – SERVICE_QUERY_STATUS – ask the SCM for the service’s current status
SW – SERVICE_ENUMERATE_DEPENDENTS – list dependent services
RP – SERVICE_START – start the service
WP – SERVICE_STOP – stop the service
DT – SERVICE_PAUSE_CONTINUE – pause / continue the service
LO – SERVICE_INTERROGATE – ask the service to report its current status
CR – SERVICE_USER_DEFINED_CONTROL – send a service control defined by the service’s authors
SD – DELETE – delete the service
RC – READ_CONTROL – read the security descriptor on this service
WD – WRITE_DAC – rewrite the DACL on this service
WO – WRITE_OWNER – take ownership of this service

The remaining letters decode the same way.  DC, SD, WD and WO are the ones to look hardest at when a non-administrator holds them, because they let the holder change what the service runs or change who holds rights on it.
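As an added example (not code from the original post, and not anything Microsoft ships), here is a small Python decoder that does the header-file lookup for you. It splits an SDDL string of the kind sc sdshow prints into its DACL and SACL ACEs as described above, turns the two-letter rights codes into an access mask using the Iads.h / WinNT.h values, and names each bit with its WinSvc.h meaning. It also applies a check of my own choosing: it reports any Allow ACE that gives a trustee other than Local System or Administrators a right that lets it reconfigure, delete or re-ACL the service. The two SDDL strings in it are constructed for the example (one is a typical default service descriptor, the other the same with Authenticated Users given SERVICE_CHANGE_CONFIG); neither is the QuickBooksDB output.

```python
"""Decode an SDDL string the way the Service Control Manager reads it.
Added example, not code from the original post. Codes and right values come from
the Windows SDK headers (Iads.h, WinSvc.h, WinNT.h); the sample descriptors are
constructed here and are not the QuickBooksDB output."""
import re

# SDDL two-letter code -> the bit it stands for (Iads.h / WinNT.h). SDDL's names for
# them (create child, list children) are directory-service names; on a service only
# the bit value means anything.
SDDL_RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# The same bits with their service-object meaning (WinSvc.h / WinNT.h).
SERVICE_RIGHT_NAMES = {
    0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
    0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
    0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
    0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE",
    0x100: "SERVICE_USER_DEFINED_CONTROL",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
# Rights that let the holder change what the service runs or who controls it
# (CHANGE_CONFIG, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE).
# Treating exactly these as "control" is this example's own choice.
CONTROL_MASK = 0x2 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

# "D:" / "S:" introduce the DACL / SACL: optional control flags, then "(...)" ACEs.
_SECTION_RE = {"D": re.compile(r"D:([A-Z]*)((?:\([^()]*\))*)"),
               "S": re.compile(r"S:([A-Z]*)((?:\([^()]*\))*)")}
_ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_rights(field):
    """Turn an SDDL rights field (hex number or run of two-letter codes) into a mask.
    An unknown code raises rather than being dropped: a silently missing bit would
    make a descriptor look safer than it is."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError("odd-length rights field: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        code = field[i:i + 2]
        if code not in SDDL_RIGHT_BITS:
            raise ValueError("unknown SDDL right %r in %r" % (code, field))
        mask |= SDDL_RIGHT_BITS[code]
    return mask

def service_right_names(mask):
    """Name each set bit as a service right; bits without a name come back as hex."""
    return [SERVICE_RIGHT_NAMES.get(1 << n, "0x%08X" % (1 << n))
            for n in range(32) if mask & (1 << n)]

def _parse_ace(text):
    # ACE string fields: type;flags;rights;object type;inherited object type;trustee
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE: %r" % text)
    ace_type, flags, rights, _obj, _inherit_obj, trustee = fields[:6]
    mask = parse_rights(rights)
    return {"type": ace_type, "flags": flags, "mask": mask,
            "rights": service_right_names(mask), "trustee": trustee}

def parse_sddl(sddl):
    """Return {"D": [ace, ...], "S": [ace, ...]}; O: and G: parts are ignored."""
    result = {}
    for section, pattern in _SECTION_RE.items():
        m = pattern.search(sddl)
        result[section] = [_parse_ace(a) for a in _ACE_RE.findall(m.group(2))] if m else []
    return result

def control_grants(sddl, trusted=("SY", "BA")):
    """Allow ACEs in the DACL that give a trustee outside 'trusted' control of the
    service, as [(trustee, [right names])]; empty means only trusted SIDs can."""
    found = []
    for ace in parse_sddl(sddl)["D"]:
        if ace["type"] != "A" or ace["trustee"] in trusted:
            continue
        bad = ace["mask"] & CONTROL_MASK
        if bad:
            found.append((ace["trustee"], service_right_names(bad)))
    return found

# Constructed sample: a typical default service descriptor, in the form sc sdshow prints.
DEFAULT_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed sample: the same, but Authenticated Users also get DC (SERVICE_CHANGE_CONFIG).
WEAK_SD = DEFAULT_SD.replace("(A;;CCLCSWLOCRRC;;;AU)", "(A;;CCDCLCSWLOCRRC;;;AU)")

if __name__ == "__main__":
    for ace in parse_sddl(WEAK_SD)["D"]:
        print(ace["type"], ace["trustee"], ", ".join(ace["rights"]))
    print("control grants:", control_grants(WEAK_SD))
```

Paste the string from sc sdshow into parse_sddl and you get each ACE with its trustee and the SERVICE_* names rather than CC/LC/SW; control_grants is the one-line answer to "can anyone who isn't an administrator change what this service runs?". The decoder deliberately refuses unknown two-letter codes instead of skipping them, so a descriptor it cannot fully read never comes out looking clean.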

SDDL turns out to be absolutely no use whatever in figuring any of this out, and I couldn’t find a tool on Microsoft’s site that adequately lists service rights in such a way that an admin might understand them.  Maybe I’m just not looking in the right place – if you know of any, please let me know!

Is it any wonder that there’s a difficulty with service writers and administrators incorrectly setting access rights?  How do you guys configure security descriptors on objects like services?
