SOLVED: What is the ACCESS_SYSTEM_SECURITY NTFS right seen in Get-ACL with a value of 16777216 (&H1000000)?
When you run the Get-Acl command you may sometimes find that the values are presented as a number rather than a resolved enum value such as "Modify".
We recently had the issue where we were seeing the value 16777216.
This resolves to ACCESS_SYSTEM_SECURITY - but what is this permission and why isn't this being resolved?
Even stranger, when you view the NTFS permissions in the user interface nothing is selected.
It turns out that the ACCESS_SYSTEM_SECURITY permission isn't really an NTFS security right at all as described here.
https://learn.microsoft.com/windows/win32/secauthz/sacl-access-right
This right is an additional assertion that must be provided when you access the system access control list (SACL) of a security descriptor - the SACL is the way Microsoft refers to the auditing rules within the operating system.
It's a slightly strange naming convention but, according to Dave Plummer, it was likely chosen to keep it in line with the naming of the DACL while still being clearly separate - auditing being a key security requirement for government and enterprise customers during Windows NT's inception.
... also Microsoft's marketing department wasn't big enough at the time to come up with nice names for things.
This may seem strange - you can view the NTFS Permissions without ACCESS_SYSTEM_SECURITY but you can't view auditing rules.
You can see this yourself by running PowerShell as a normal user: Get-Acl works, but if you run Get-Acl with the -Audit parameter to see the auditing rules you get the following error, even if you have full permissions to the folder or file.
Get-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
The same is seen in the user interface - the permissions tab is visible but the auditing tab has a UAC prompt.
Why is this additional permission required? Because if a user who has full permissions to their own folder could change auditing rules they would be able to revoke the Administrators' ability to audit their actions within that part of the filesystem and could potentially hide malicious activity.
So if ACCESS_SYSTEM_SECURITY is not an actual NTFS right why is it seen as 16777216 (&H1000000) in Get-Acl?
ACCESS_SYSTEM_SECURITY (16777216) is not an actual NTFS right so is only seen in Get-Acl within the auditing rules (not the access rules).
It is shown in the auditing rules so that it's possible to audit when someone is using this right and therefore able to modify the audit rules for a folder or file.
Why is the value not shown, and nothing shown within the user interface (as seen above)? I suspect that this is because it is not a real NTFS permission, so it would have to either be missing from the NTFS permissions section or greyed out. Secondly "Access System Security" is a confusing bit of terminology and would have to be displayed as "Audit access to audit rules". I suspect Microsoft thought it was all too much of a muddle and decided to hide it but leave it as a flag you could set using a script or API.
In summary ACCESS_SYSTEM_SECURITY (16777216) can be set as a hidden flag in an auditing rule for a file or folder to audit when someone clicks "Continue" on the auditing tab to view the auditing rules.
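The following PowerShell is an added example and is not code from the original post or from XIA Configuration Server. It shows the two points above in practice: decoding the 16777216 value that Get-Acl -Audit prints (FileSystemRights has no member for that bit, so the enum falls back to the raw number) and setting the flag as an audit rule so that viewing the auditing rules is itself audited. The function names, the 'C:\Data\Finance' path and the choice of Everyone ('WD') as the trustee are my own assumptions; the constant 0x01000000 is the value from the SACL access right documentation linked above. As the post explains, both functions need SeSecurityPrivilege, so run them from an elevated session.

```powershell
# Added example (not from the original post): decode and set the hidden
# ACCESS_SYSTEM_SECURITY bit in NTFS audit rules. Requires an elevated
# session because reading or writing a SACL needs SeSecurityPrivilege.

# Value from the SACL access right documentation linked above.
$ACCESS_SYSTEM_SECURITY = 0x01000000   # 16777216

function ConvertTo-AuditRightName {
    # Translate a raw access mask into names. FileSystemRights has no member
    # for 0x01000000, so [FileSystemRights]16777216 stringifies as a number;
    # peel that bit off first and let the enum name whatever remains.
    param([Parameter(Mandatory)][int]$Mask)
    $names = @()
    if ($Mask -band $ACCESS_SYSTEM_SECURITY) { $names += 'ACCESS_SYSTEM_SECURITY' }
    $rest = $Mask -band (-bnot $ACCESS_SYSTEM_SECURITY)
    if ($rest -ne 0) { $names += ([System.Security.AccessControl.FileSystemRights]$rest).ToString() }
    if ($names.Count -eq 0) { $names += '(none)' }
    return ($names -join ', ')
}

function Get-DecodedAuditRule {
    # List the SACL entries on a file or folder with the hidden bit named.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path -Audit
    foreach ($rule in $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])) {
        $mask = [int]$rule.FileSystemRights
        [pscustomobject]@{
            Identity   = $rule.IdentityReference.Value
            Mask       = '0x{0:X8}' -f $mask
            Rights     = ConvertTo-AuditRightName -Mask $mask
            AuditFlags = $rule.AuditFlags
            Inherited  = $rule.IsInherited
        }
    }
}

function Add-SaclViewAuditRule {
    # Append an audit ACE carrying the ACCESS_SYSTEM_SECURITY mask so that
    # opening the auditing tab (or running Get-Acl -Audit) on this object is
    # itself logged. The managed FileSystemAuditRule constructor rejects masks
    # above FullControl, so the ACE is added through SDDL instead.
    # 'WD' = Everyone (assumed trustee), 'SA' = audit successful access;
    # existing SACL entries are preserved by appending to the current SDDL.
    param([Parameter(Mandatory)][string]$Path, [string]$Trustee = 'WD')
    $acl = Get-Acl -Path $Path -Audit
    $existing = $acl.GetSecurityDescriptorSddlForm('Audit')
    if ($existing -notmatch '^S:') { $existing = 'S:' }   # no SACL yet
    $sddl = '{0}(AU;SA;0x{1:X};;;{2})' -f $existing, $ACCESS_SYSTEM_SECURITY, $Trustee
    $acl.SetSecurityDescriptorSddlForm($sddl, 'Audit')
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (the path is a placeholder, not from the original post):
# Add-SaclViewAuditRule -Path 'C:\Data\Finance'
# Get-DecodedAuditRule -Path 'C:\Data\Finance' | Format-Table -AutoSize
```

After Add-SaclViewAuditRule has run, Get-DecodedAuditRule reports the new entry with Mask 0x01000000 and Rights ACCESS_SYSTEM_SECURITY, where a plain Get-Acl -Audit would only show 16777216. For the rule to produce events in the Security log the "Audit File System" (object access) subcategory must also be enabled in the local or domain audit policy; the SACL entry on its own does nothing until it is.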
We document this audit rule permission with XIA Configuration Server - while you're here why not check out our IT documentation tool?