Denying Access

You can deny all access to an object by adding an empty discretionary access-control list (DACL) to the object's security descriptor. An empty DACL has no access-control entries (ACEs), which means that the DACL does not grant access to anyone. Note that this is different from a security descriptor that has no DACL; in that case, the system grants everyone full access to the object. You can also prevent a specified trustee from gaining access to an object by using a DACL that has one or more access-denied ACEs.

This topic includes examples that use the high-level access-control functions that are new for Windows NT version 4.0. For an example that uses the older low-level access control functions, see Denying Access Using Low-Level Functions.

The high-level examples use the SetEntriesInAcl function to create an ACL. Then they use the SetNamedSecurityInfo function to attach the ACL as the DACL of an object. Note that these examples can work with a variety of named securable objects, such as files, registry keys, and synchronization objects.

The first example shows how to add an empty DACL to an object's security descriptor. The effect is to deny all access to the object.

DWORD SetEmptyDACL(LPTSTR lpObjectName, SE_OBJECT_TYPE ObjectType)

{

DWORD dwRes;

PACL pDacl;

if (NULL == lpObjectName)

return ERROR_INVALID_PARAMETER;

// create an ACL with no ACEs

dwRes = SetEntriesInAcl(0, NULL, NULL, &pDacl);

if (ERROR_SUCCESS != dwRes)

return dwRes;

// attach the emtpy ACL as the object's DACL

dwRes = SetNamedSecurityInfo(lpObjectName, ObjectType,

DACL_SECURITY_INFORMATION,

NULL, NULL, pDacl, NULL);

// free the buffer returned by SetEntriesInAcl

LocalFree(pDacl);

return dwRes;

}

You can modify this example to deny access to a specified trustee. The following variation uses the BuildExplicitAccessWithName function to initialize an EXPLICIT_ACCESS structure with the data for an access-denied ACE. Then it uses the SetEntriesInAcl and SetNamedSecurityInfo functions to create the ACL and attach it to the object.

#include <aclapi.h>

DWORD dwRes;

PACL pDacl;

EXPLICIT_ACCESS ea;

// initialize an EXPLICIT_ACCESS structure to deny access

ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));

BuildExplicitAccessWithName(&ea,

"ludwig", // name of trustee

GENERIC_ALL, // type of access

DENY_ACCESS, // access mode

NO_INHERITANCE); // inheritance mode

// create an ACL with one access-denied ACE

dwRes = SetEntriesInAcl(1, &ea, NULL, &pDacl);

if (ERROR_SUCCESS != dwRes)

return dwRes;

// attach the ACL as the object's DACL

dwRes = SetNamedSecurityInfo(TEXT("myfile"), SE_FILE_OBJECT,

DACL_SECURITY_INFORMATION,

NULL, NULL, pDacl, NULL);

// free the buffer returned by SetEntriesInAcl

LocalFree(pDacl);