Re: Prevent changing DACL by SetSecurityInfo

If the other program is running as the same user as the object owner, then it can always rewrite the DACL (via opening the object with WRITE_DAC).
If the other program has certain privileges (SeRestorePrivilege, SeTakeOwnershipPrivilege - typically granted to local system, builtin\administrators, and backup operators), then it will also be able to rewrite the DACL freely as well.

Ken Johnson (Skywing)
Windows SDK MVP
"mario.beutler" <mario.beutler@xxxxxxxxxx> wrote in message news:1170845384.613705.114460@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

My service creates a Named Pipe with SECURITY_ATTRIBUTES (DACL) which
limits the access to the SID of the active user. Is it possible that
another program changes the DACL of the Named Pipe that everyone have
How can I prevent this?
Thanks for your help!


My DACL is:
"D:"+SDDL_PROTECTED // Discretionary ACL
"(D;OICI;GA;;;BG)" // Deny access to built-in guests
"(D;OICI;GA;;;AN)" // Deny access to anonymous logon

Do I have to add "(A;OICI;GRGWGX;;;CO)" // Allow read/write/execute
to creator/owner?
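
Added example, not part of the original thread: a small audit helper that applies the rules from the reply above to an SDDL string and reports whether a caller could rewrite the DACL. It is a simplified model of the access check for the single right WRITE_DAC. The function names, the placeholder user SID and the third ACE in `SAMPLE` are assumptions made for illustration.

```python
import re

WRITE_DAC, GENERIC_ALL = 0x00040000, 0x10000000
GRANTS_WRITE_DAC = {"WD", "GA", "FA"}   # SDDL rights that include WRITE_DAC
BYPASS_PRIVS = ("SeRestorePrivilege", "SeTakeOwnershipPrivilege")
# Constructed sample: the two deny ACEs from the post plus an assumed
# read/write ACE for a placeholder user SID.
USER = "S-1-5-21-1111-2222-3333-1001"
SAMPLE = "D:P(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;;GRGW;;;" + USER + ")"

def codes(s):
    """Split an SDDL flag or rights string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def parse_dacl(sddl):
    """Return [(ace_type, flags, rights, sid)] from the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no D: component")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) < 6:
            raise ValueError("malformed ACE: " + body)
        aces.append((f[0], f[1], f[2], f[5]))
    return aces

def has_write_dac(rights):
    if rights.lower().startswith("0x"):            # numeric access mask
        return bool(int(rights, 16) & (WRITE_DAC | GENERIC_ALL))
    return bool(codes(rights) & GRANTS_WRITE_DAC)

def can_rewrite_dacl(sddl, token_sids, is_owner=False, privileges=()):
    """Return (allowed, reason) for a caller requesting WRITE_DAC."""
    for p in BYPASS_PRIVS:                         # holders bypass the DACL
        if p in privileges:
            return True, p
    if is_owner:                                   # owner can always open with WRITE_DAC
        return True, "owner"
    for ace_type, flags, rights, sid in parse_dacl(sddl):
        if ace_type not in ("A", "D") or "IO" in codes(flags):
            continue                               # other ACE types, inherit-only
        if sid in token_sids and has_write_dac(rights):
            return ace_type == "A", "ACE %s for %s" % (ace_type, sid)
    return False, "no ACE grants WRITE_DAC"

if __name__ == "__main__":
    print(can_rewrite_dacl(SAMPLE, {USER}))
    print(can_rewrite_dacl(SAMPLE, {USER}, is_owner=True))
```

With the sample DACL, a non-owner user holding only GRGW is refused, while the same user as owner, or any caller holding one of the two privileges, is allowed regardless of the ACEs.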