Access Control List in C# and .NET Framework

Access Control Lists (ACLs) are used by the operating system to restrict access to files, folders, registry keys, printers, services, and other resources. We need to understand ACLs for two reasons. First, we need to know how to protect files, folders, and similar objects with ACLs from within our code. Second, we need to know how to grant access to files and folders when our application requires it but the default permissions prevent us from accessing those resources.

A discretionary access control list (DACL) is the mechanism the OS uses to allow or restrict access by users or groups to resources such as files and folders. In general, the DACL is controlled by the owner of the object. User access to the object is controlled with the help of Access Control Entries (ACEs).

Permissions are inherited for the most part. For instance, if we create a subfolder, it inherits the permissions set for its parent folder. The same applies to registry keys and other objects.

.NET Framework allows us to use FileSystemRights enumeration to specify file and folder permissions.

 

| FileSystemRights Member | Description |
|---|---|
| FullControl | All permissions |
| Modify | All folders permissions |
| ReadAndExecute | View files and run applications |
| ListDirectory | Browse a folder |
| Read | View a file or a folder |
| Write | Create files in a directory |
| Other members | Standard permissions |

Security access control list (SACL) is an audit mechanism that tracks which files or folders were accessed and how they were accessed. A SACL does only one thing: it logs access information. This capability is useful for intrusion detection, for example.

If we want to view or configure ACLs, we need to use the System.Security.AccessControl namespace. We can use the classes of this namespace to access the ACL, SACL, and DACL of a file, folder, registry key, and so on.

Three ACL classes are important to know. They are:

  • <Type>Security – used for retrieval of the DACL and SACL collections as well as for adding and removing ACLs.
  • <Type>AccessRule – a set of access rights for a user or group of users.
  • <Type>AuditRule – a set of access rights that we want audited for a user or group.

We can analyze an ACL like this:

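// Requires: using System; using System.Security.AccessControl; using System.Security.Principal;
// Load only the DACL of the folder, then list every ACE (explicit and inherited).
DirectorySecurity ds = new DirectorySecurity(@"C:\Program Files", AccessControlSections.Access);
AuthorizationRuleCollection arc = ds.GetAccessRules(true, true, typeof(NTAccount));
foreach (FileSystemAccessRule ar in arc)
    Console.WriteLine(ar.IdentityReference + ": " + ar.AccessControlType + " " + ar.FileSystemRights);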

We can configure an ACL like this:

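// Requires: using System.IO; using System.Security.AccessControl;
// Read the current ACL, add an Allow/Read ACE for the Guest account, and write it back.
string dir = @"C:\test";
DirectorySecurity ds = Directory.GetAccessControl(dir);
ds.AddAccessRule(new FileSystemAccessRule("Guest", FileSystemRights.Read, AccessControlType.Allow));
Directory.SetAccessControl(dir, ds);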

To remove an access rule, we replace AddAccessRule with RemoveAccessRule.

We can also call SetAccessRuleProtection(true, true) if we need to protect the object from inheriting security settings from its parent while keeping the currently inherited rules as copies on the object.
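
The following added example (not code from the original page) combines the calls described above to lock down a folder: it blocks inheritance while keeping the inherited entries, removes the entries for broad groups, and prints the resulting DACL. It assumes .NET Framework on Windows; the scratch folder name and the choice of groups to remove are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class AclLockdownExample
{
    static void Main()
    {
        // Hypothetical scratch folder used only for this example.
        string dir = Path.Combine(Path.GetTempPath(), "acl-example");
        Directory.CreateDirectory(dir);

        // Step 1: stop inheriting from the parent, keeping the inherited
        // ACEs as copies (second argument), and persist that first so the
        // copies can be edited like any other explicit entry.
        DirectorySecurity ds = Directory.GetAccessControl(dir);
        ds.SetAccessRuleProtection(true, true);
        Directory.SetAccessControl(dir, ds);

        // Step 2: re-read the DACL and tighten it. Well-known SIDs are used
        // instead of account names so the code does not depend on the OS language.
        ds = Directory.GetAccessControl(dir);
        var broadGroups = new[] { WellKnownSidType.WorldSid,
            WellKnownSidType.AuthenticatedUserSid, WellKnownSidType.BuiltinUsersSid };
        foreach (WellKnownSidType type in broadGroups)
            ds.PurgeAccessRules(new SecurityIdentifier(type, null));

        // Keep the current user in control of the folder, its subfolders and files.
        ds.AddAccessRule(new FileSystemAccessRule(
            WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow));
        Directory.SetAccessControl(dir, ds);

        // Step 3: read the result back and print every ACE.
        ds = Directory.GetAccessControl(dir);
        Console.WriteLine("Inheritance blocked: " + ds.AreAccessRulesProtected);
        foreach (FileSystemAccessRule ar in ds.GetAccessRules(true, true, typeof(NTAccount)))
            Console.WriteLine(ar.IdentityReference + ": " + ar.AccessControlType + " "
                + ar.FileSystemRights + (ar.IsInherited ? " (inherited)" : " (explicit)"));
    }
}
```

Passing false as the second argument to SetAccessRuleProtection would instead discard the inherited entries, so any access the application still needs must then be granted explicitly before the ACL is written back.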