Viewing a DACL

This exercise complements material in the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide.

Use this exercise to view a Discretionary Access Control List (DACL) on a Windows 10 system.

Requirements: This exercise assumes you’re running a Windows 10 system.

1) Open File Explorer.

One way is to press the Windows logo + E keys to launch File Explorer. The Windows logo key is just to the left of the left Alt key on most keyboards.

Another way is to right click over the Start button and select File Explorer.

2) Open the C: drive to access the folders.

3) Right click any folder and select Properties.

4) Select the Security tab. Your display will look similar to the following graphic:

  • You will see  user accounts, group accounts, or both.
  • Each account is identified in the Security Accounts Manager (SAM) with a security identifier (SID). SIDs are rather cryptic and look something like this: S-1-5-21-3991871189-223218. Each SID is matched to the user account name.
  • Instead of displaying the cryptic SID, the system displays the user’s account name or the group name (as long as it can find it in the SAM).
  • When you select an account, you can see the permissions assigned to the account. For example, Administrators is selected and you can see the permissions for the Administrators group in the graphic.  If you select a different group or user, you will see the permissions assigned to that group or user.
  • The combination of each account and it’s assigned permissions is an Access Control Entry (ACE).
  • The combination of ACEs is the ACL for the folder.
  • The list of entries for User accounts are shown with an icon of one head and group accounts are shown with an icon of two heads. The access control list (ACL) identifies each of these internally with security identifiers (SIDs) that look similar to this: S-1-5-21-3991871189-223218. However, the system looks up the SID.

Back to SY0-501 Security+ labs.