Making more sense of service SDDL
Thanks to Dana Epp's blog for drawing my attention to Microsoft's rather easier-to-read explanation of SDDL as it applies to services in the KB article "Best practices and guidance for writers of service discretionary access control lists".
Oh, and of course, thanks to Microsoft for explaining it all. I'm sure I'm not the only service author or administrator that has been confused by the SDDL output from "sc sdshow". Now, if only we could get some tools that would allow us to surf through DACL-space... I'm brainstorming for ideas, but haven't yet had any that I can put into code.
The really scary part about DACLs, of course, is that anyone can create a new secured object and define what the various bit-fields of the ACE mean... there's no good way to enforce documentation of security flags, and (as we've seen here) few existing tools or documents help you interpret even the system-enforced security object DACLs.
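To make the "sc sdshow" output a little less opaque, here is a small decoder as an added example (it is not code from the original post, from Dana Epp, or from Microsoft's KB article). It splits a service SDDL string into its sections, expands each ACE's two-letter rights codes into the service-specific right names that Microsoft's guidance lists, and flags allow ACEs that hand configuration- or ACL-changing rights to broad, non-administrative trustees. The two sample descriptors are constructed for illustration, and the sets of "broad" trustees and "control" rights are my own choice of what is worth flagging, not anything the KB article prescribes.

```python
"""Decode a service SDDL string (the form `sc sdshow <service>` prints) into
readable ACEs and flag grants that let broad principals reconfigure the service.
Added example, not code from the original post; sample SDDL strings are constructed."""
import re

# Two-letter SDDL right codes as they apply to service objects (the mapping
# Microsoft's service-DACL guidance spells out) and the access-mask bit of each.
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x00010000),
    "RC": ("READ_CONTROL", 0x00020000),
    "WD": ("WRITE_DAC", 0x00040000),
    "WO": ("WRITE_OWNER", 0x00080000),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GR": ("GENERIC_READ", 0x80000000),
}

# Well-known SID abbreviations in the trustee field. Note that "WD" means
# Everyone here but WRITE_DAC in the rights field: the meaning is positional.
SID_NAMES = {
    "SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
    "IU": "Interactive Users", "SU": "Service Logon Users", "AU": "Authenticated Users",
    "WD": "Everyone", "AN": "Anonymous", "LS": "LOCAL SERVICE", "NS": "NETWORK SERVICE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT", "AL": "ALARM"}


def decode_rights(field):
    """Expand an ACE rights field (two-letter codes or a hex mask) to (mask, names)."""
    unknown = []
    if field.upper().startswith("0X"):
        mask = int(field, 16)
    else:
        mask = 0
        for code in (field[i:i + 2] for i in range(0, len(field), 2)):
            if code in SERVICE_RIGHTS:
                mask |= SERVICE_RIGHTS[code][1]
            else:
                unknown.append(code)   # e.g. file/registry shorthand we don't map
    names = [name for name, bit in SERVICE_RIGHTS.values() if mask & bit]
    return mask, names + ["UNKNOWN(%s)" % c for c in unknown]


def parse_ace(text):
    """Parse one 'type;flags;rights;object_guid;inherit_guid;sid' ACE body."""
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE: %r" % text)
    ace_type, flags, rights, _obj, _inh, sid = fields[:6]
    mask, names = decode_rights(rights)
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags, "mask": mask,
            "rights": names, "sid": sid, "trustee": SID_NAMES.get(sid, sid)}


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL parts."""
    result = {"owner": None, "group": None, "dacl_flags": "", "sacl_flags": "",
              "dacl": [], "sacl": []}
    # Section markers are the only colons in a plain SDDL string, so a section
    # runs from its marker up to the next marker.
    for marker, body in re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        if marker == "O":
            result["owner"] = body
        elif marker == "G":
            result["group"] = body
        else:
            key = "dacl" if marker == "D" else "sacl"
            acl_flags, _, aces = body.partition("(")   # e.g. "PAI" before first ACE
            result[key + "_flags"] = acl_flags
            result[key] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", "(" + aces)]
    return result


# Rights that let a trustee change what the service runs or rewrite its ACL.
CONTROL_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
                  "DELETE", "GENERIC_ALL", "GENERIC_WRITE"}
BROAD_TRUSTEES = {"WD", "AU", "IU", "BU", "AN", "SU"}   # broad, non-admin groups


def risky_aces(sddl):
    """Allow ACEs that hand CONTROL_RIGHTS to broad, non-administrative trustees."""
    return [ace for ace in parse_sddl(sddl)["dacl"]
            if ace["type"] == "ALLOW" and ace["sid"] in BROAD_TRUSTEES
            and CONTROL_RIGHTS & set(ace["rights"])]


# Constructed sample: a typical default service descriptor.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed sample: the same service after Authenticated Users were granted
# SERVICE_CHANGE_CONFIG, which is the setting this check is meant to catch.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")

if __name__ == "__main__":
    for ace in parse_sddl(DEFAULT_SDDL)["dacl"]:
        print("%-5s %-24s 0x%05X %s" % (ace["type"], ace["trustee"], ace["mask"],
                                        ", ".join(ace["rights"])))
    for ace in risky_aces(WEAK_SDDL):
        print("RISK: %s has %s" % (ace["trustee"], sorted(CONTROL_RIGHTS & set(ace["rights"]))))
```

Feeding it the string from "sc sdshow" on a real machine is just a matter of pasting that string in place of the constructed samples; the masks it prints for the LOCAL SYSTEM and Administrators entries (0x201FD and 0xF01FF) are the familiar values that appear in the service access-rights documentation, which is a handy sanity check that the decoding is right.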