Earlier version of Windows (Windows 95, Windows 98, Windows ME) are all running as a single user desktop operating system and thus access control is unnecessary. However, start from Windows NT, following with Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008, are all use a system of access control lists (ACLs).
Windows resources, including files, registry, snychronization primitives (e.g mutexes, events), IPC mechanisms (e.g name pipes, mailslots), are all accessed through objects which may be secured using ACLs.
Access Control List Model
There are 2 types of ACLs in Windows: DACL and SACL.
Discretionary Access Control list (DACL)
A discretionary access control list (DACL) identifies the trustees that are allowed or denied to access an object. An object without DACL is essentially the equivalent of granting full access to everyone. DACL should contain one or more access control entries (ACEs) in order to protect the object from being unauthorized access by third party. If DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights.
The following examples describe some of the generic access right in details so that you have a better understanding on how it work.
DENY GENERIC_ALL Everyone
This ACE prevent anyone except the owner of the file from performing any action to the file.
ALLOW GENERIC_WRITE Sales
This ACE will allow anyone from the group of Sales to write to the file
ALLOW GENERIC_READ Everyone
This ACE allow everyone to read to the file
System Access Control List (SACL).
A system access control list (SACL) enables administrator to log attempts to access an object based on the audited policy. The administrator specifies the ACE for each trustee in the policy that are allowed or denied to access an object. SACL can generate audit records when an access attempt fails, when it succeeds, or both.
Access Control Entries (ACE)
ACE consists of three primary pieces of information, a security ID (SID), an access right, and a boolean indicator of whether to grant or denied the access right to the entity identified by the ACE’s SID.