
SACL

System Access Control List (SACL) is a component of security descriptors used by Windows operating systems to define auditing requirements for securable objects such as files, folders, registry keys, and services. The SACL is separate from the DACL (Discretionary Access Control List), which determines whether access is allowed or denied; the SACL determines which access attempts should be recorded in the Security log.

A SACL contains one or more SYSTEM_AUDIT ACEs. Each ACE specifies a principal (user or group), an access mask describing what operations to audit (read, write, delete, etc.), and audit flags that indicate whether successful accesses, failed accesses, or both should be logged. When a subject attempts an access that matches an audit ACE, Windows writes an audit event to the Security log.

SACLs can be inherited by child objects, allowing auditing rules to propagate to objects created within a container. Common use cases include monitoring sensitive files, registry keys, or configuration objects for unusual or unauthorized access, supporting compliance and forensic investigations.

Management and privileges: editing a SACL requires appropriate security privileges, typically SeSecurityPrivilege (the right to manage auditing and the security log) or equivalent access. SACLs are usually configured via the object's Advanced Security Settings (Audit tab) or via command-line tools and PowerShell, using utilities that modify security descriptors.

In summary, the SACL governs auditing behavior for a securable object, complementing the DACL by specifying when and what to log about access attempts.
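
The PowerShell configuration path described above, as an added example that is not part of the original page: it adds one audit ACE to a folder's SACL and confirms that a file created inside the folder inherits it. The folder `C:\AuditDemo`, the file name, the helper `Get-AuditAce`, and the chosen rights are assumptions made for illustration; the session must be elevated.

```powershell
# Added example. Run elevated: reading or writing a SACL needs SeSecurityPrivilege.
$path = 'C:\AuditDemo'                      # assumed demo folder
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Principal: the Everyone group, referenced by its well-known SID so the
# script does not depend on the localized account name.
$everyone = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# One audit ACE = principal + access mask + inheritance + audit flags.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit makes Get-Acl return the SACL as well; without it the audit
# rules are absent from the returned security descriptor.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Hypothetical helper: list the audit ACEs (explicit and inherited) on an object.
function Get-AuditAce([string]$Target) {
    (Get-Acl -Path $Target -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

# The folder carries the ACE explicitly (IsInherited = False).
Get-AuditAce $path | Format-List

# A file created in the folder receives the same ACE through inheritance
# (IsInherited = True), because the rule was added with ObjectInherit.
$child = Join-Path $path 'sample.txt'
Set-Content -Path $child -Value 'constructed sample data'
Get-AuditAce $child | Format-List

# Report whether file system object-access auditing is enabled on this host.
auditpol /get /subcategory:"File System"
```

A matching ACE only produces Security log events when the Object Access audit policy for the File System subcategory is enabled, which is what the final command reports.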