Many people ask, "Well, now that you've told us which discretionary ACLs (DACLs) we need to set, how do we do it?" Before Windows 2000, defining an access control entry (ACE) was a difficult task that involved SIDs, Security Descriptor (SD), and various other handles, data structures, and function calls. However, Win2K includes a new function called ConvertStringSecurityDescriptorToSecurityDescriptor() to help you define DACLs.
Listing A contains sample code for creating a directory with a predefined DACL. You can compile this C++ code into your C++ application (e.g., setup code). The variable pwszSD in the If...Then statement contains a textual representation of the DACL, using the Security Descriptor Definition Language (SDDL). You can find full details about SDDL in sddl.h, which is available in the Microsoft Platform software development kit (SDK) and at http://msdn.microsoft.com/library/psdk/winbase/accctrl_757p.htm. Web-exclusive Table A provides a breakdown of the pwszSD variable string.
You can use this Win2K function as part of your setup program to set ACLs. Alternatively, if you have a predefined custom application, you can create a tool that deploys this ACL policy after setup and configuration. Don't rely on the default OS ACLs—Microsoft designed them to be as general as possible without being too great a hindrance to the user. Set up the ACLs that are appropriate to the business requirements of your application.