Windows Security SDDL Guide: Understanding Access Control
A comprehensive guide to Security Descriptor Definition Language (SDDL) - the cryptic but powerful language that controls Windows access permissions.
sddl windows access-control security permissions splunk
Originally published on the Splunk Security Blog
Read the full article: Windows Security SDDL Guide
What is SDDL?
Security Descriptor Definition Language (SDDL) is the text form Windows uses to represent a security descriptor, the structure that holds an object's owner, primary group, DACL (who may do what) and SACL (what gets audited). At first sight it looks like gibberish:

```
D:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)
```

But once you understand it, SDDL becomes a powerful tool for both offense and defense.
SDDL Structure

A full SDDL string has up to four components, each introduced by a one-letter key and a colon:

```
O:owner_sid
G:group_sid
D:dacl_flags(ace_list)
S:sacl_flags(ace_list)
```
ACE Format

Each Access Control Entry (ACE) follows this pattern:

```
(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
```
Common SIDs You’ll See

| SID | Meaning |
|---|---|
| BA | Built-in Administrators |
| SY | Local System |
| WD | Everyone |
| AU | Authenticated Users |
| AN | Anonymous |
Why Defenders Should Care
Attackers modify SDDLs to:
- Grant themselves access to protected objects
- Hide persistence mechanisms
- Weaken security on critical services
- Enable lateral movement
Detection: SDDL Modifications

Event ID 4670 ("Permissions on an object were changed") carries both the original and the new security descriptor in its message, with the original listed first, so the extraction below captures them in that order:

```spl
index=windows EventCode=4670
| rex field=Message "Original Security Descriptor:\s+(?<OldSD>\S+)\s+New Security Descriptor:\s+(?<NewSD>\S+)"
| where NewSD!=OldSD
| table _time, ObjectName, NewSD, OldSD
```
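The search above only tells you that a descriptor changed; deciding whether the change matters means parsing both strings and comparing their ACEs. The following Python is an added example (not the page's code and not part of SDDLMaker or the Splunk article) that implements the structure described in the SDDL Structure, ACE Format and Common SIDs sections and then applies it to a constructed Event ID 4670 message: it splits the O:/G:/D:/S: components, breaks each ACE into its six fields, decodes the two-letter rights and SID aliases, and reports ACEs that were added and that hand write-capable rights to broad principals. The alias, rights and ACE-type tables are subsets of the SDDL specification, the sample event text is constructed, and the "suspicious" rule (broad principal plus a write-capable right) is this example's own choice, not a rule from the page.

```python
"""Parse SDDL, decode aliases, and diff the Original/New descriptors in an Event ID 4670 message."""
import re
from typing import NamedTuple

# Well-known SID aliases (subset of the SDDL spec: the page's table plus a few common ones).
SID_ALIASES = {"BA": "Built-in Administrators", "SY": "Local System", "WD": "Everyone",
               "AU": "Authenticated Users", "AN": "Anonymous", "BU": "Built-in Users",
               "CO": "Creator Owner"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT", "OU": "SYSTEM_AUDIT_OBJECT"}
# Two-letter rights abbreviations (subset of the SDDL rights table).
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "RP": "DS_READ_PROP", "WP": "DS_WRITE_PROP", "CC": "DS_CREATE_CHILD",
          "DC": "DS_DELETE_CHILD", "LC": "DS_LIST", "SW": "DS_SELF", "LO": "DS_LIST_OBJECT",
          "DT": "DS_DELETE_TREE", "CR": "DS_CONTROL_ACCESS",
          "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE",
          "FX": "FILE_GENERIC_EXECUTE", "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ",
          "KW": "KEY_WRITE", "KX": "KEY_EXECUTE"}
# Example's own rule: rights that let the trustee change the object or its security descriptor.
WRITE_RIGHTS = {"GA", "GW", "WD", "WO", "FA", "FW", "KA", "KW", "WP", "CC", "DC", "DT"}
WRITE_MASK = 0x10000000 | 0x40000000 | 0x80000 | 0x40000 | 0x2  # GENERIC_ALL|GENERIC_WRITE|WRITE_OWNER|WRITE_DAC|WRITE_DATA
BROAD_PRINCIPALS = {"WD", "AN", "AU", "BU"}


class Ace(NamedTuple):
    ace_type: str       # A, D, AU, OA, ...
    flags: tuple        # CI, OI, ID, ... as two-letter tokens
    rights: tuple       # two-letter abbreviations, or a single hex mask such as 0x1200a9
    object_guid: str
    inherit_guid: str
    trustee: str        # alias (BA) or literal SID (S-1-5-21-...)


def _pairs(s):
    return tuple(s[i:i + 2] for i in range(0, len(s), 2))


def parse_ace(body):
    """Parse the inside of one (...) group: type;flags;rights;object_guid;inherit_guid;sid."""
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE needs 6 ';'-separated fields, got {len(fields)}: ({body})")
    ace_type, flags, rights, obj, inh, sid = fields
    if rights.lower().startswith("0x"):
        rights_t = (rights,)                       # raw access mask, left as-is
    elif len(rights) % 2 or any(p not in RIGHTS for p in _pairs(rights)):
        raise ValueError(f"unknown rights string {rights!r} in ({body})")
    else:
        rights_t = _pairs(rights)
    return Ace(ace_type, _pairs(flags), rights_t, obj, inh, sid)


def parse_sddl(sddl):
    """Return {'O': sid, 'G': sid, 'D': (acl_flags, [Ace]), 'S': (acl_flags, [Ace])} for the parts present."""
    result = {}
    # Component values never contain ':', so each value runs until the next key letter + colon.
    for key, value in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key in "OG":
            result[key] = value
        else:
            acl_flags, _, _ = value.partition("(")    # e.g. "P", "AI", "PAI" before the first ACE
            result[key] = (acl_flags, [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", value)])
    return result


def describe(ace):
    """Human-readable rendering of one ACE using the alias tables above."""
    who = SID_ALIASES.get(ace.trustee, ace.trustee)
    rights = "|".join(RIGHTS.get(r, r) for r in ace.rights)
    return f"{ACE_TYPES.get(ace.ace_type, ace.ace_type)} {who}: {rights}"


def _can_write(rights):
    if len(rights) == 1 and rights[0].lower().startswith("0x"):
        return bool(int(rights[0], 16) & WRITE_MASK)
    return bool(set(rights) & WRITE_RIGHTS)


def suspicious_grants(sddl):
    """Allow-ACEs in the DACL that give write-capable rights to a broad principal."""
    _, aces = parse_sddl(sddl).get("D", ("", []))
    return [a for a in aces if a.ace_type == "A" and a.trustee in BROAD_PRINCIPALS and _can_write(a.rights)]


# Event 4670 lists the original descriptor before the new one.
EVENT_RE = re.compile(r"Original Security Descriptor:\s*(?P<old>\S*)\s*New Security Descriptor:\s*(?P<new>\S*)")


def review_4670(message):
    """Return (ACEs added by the change, the subset of those that are suspicious)."""
    m = EVENT_RE.search(message)
    if not m:
        raise ValueError("message lacks Original/New Security Descriptor fields")
    old_aces = set(parse_sddl(m.group("old")).get("D", ("", []))[1])
    new_aces = set(parse_sddl(m.group("new")).get("D", ("", []))[1])
    added = sorted(new_aces - old_aces)
    return added, [a for a in suspicious_grants(m.group("new")) if a in added]


# Constructed sample of a 4670 message body (not a real captured event).
SAMPLE_4670 = """Permissions on an object were changed.
Object:
\tObject Type:\t\tFile
\tObject Name:\t\tC:\\Program Files\\ExampleSvc\\svc.exe
Permissions Change:
\tOriginal Security Descriptor:\tO:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)
\tNew Security Descriptor:\tO:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)(A;;FA;;;WD)
"""

if __name__ == "__main__":
    for ace in parse_sddl("D:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)")["D"][1]:
        print(describe(ace))
    added, bad = review_4670(SAMPLE_4670)
    for ace in added:
        print(("SUSPICIOUS " if ace in bad else "added     ") + describe(ace))
```

On the sample event the only added ACE is `(A;;FA;;;WD)`, which the rule flags because it gives Everyone FILE_ALL_ACCESS; the pre-existing `0x1200a9` (read and execute) grant to Users is parsed as a raw mask and passes. On a Windows host, PowerShell's built-in `ConvertFrom-SddlString` does the decoding part of this for you; the diff and the policy rule are what you add on top.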
SDDLMaker Tool
I built SDDLMaker to help parse and create SDDL strings without the headache.
Read the full guide: Windows Security SDDL Guide