Numeric FilePermissionRights in Windows (Generic Access Rights)

While performing an SMB share permissions review we discovered some fileshares with numeric permissions like 268435456 that did not translate to a Human-readable permission set (such as FullControl or ReadAndExecute). We wanted to better understand the numeric permissions.



Looking into the permission values I found that when the value doesn't directly track to an entry in the FileSystemRights enum, you get number instead of a friendly name. When this happens, you need to convert the number to binary and treat each bit as a flag. Here's the access mask mapping for reference:

What does 268435456 mean?

To figure this out:

  1. We first convert to binary: 268435456 == ‭00010000000000000000000000000000‬
  2. Compare against the chart
  3. Note the permission is Generic_ALL

What does -1610612736 mean?

  1. Ignore the minus sign
  2. Convert to binary: 1610612736 == 10100000000000000000000000000000
  3. Compare against the chart
  4. Note the permission is Generic_Read and Generic_Execute

What Are 'Generic' Permissions?

When you look at the access mask above, you'll note there are Standard acces rights, Object-specific access rights, 'Generic' rights and a few reserved bits. Digging into Generic access, they can mean anything as anyone can make a generic mapping. In practice, each object decides what generic access means and hopefully it tracks with user expectations for the corresponding generic operation (r/w/x).

Permissions in Windows span object types and can include (but are not limited to) Filesystems and System Registry. I think Generic rights probably helped reduce the overall complexity of the windows permission model by allowing flexibility based on object type. For more reading, do an in-page search for Generic after visiting Access Control: Understanding Windows File And Registry Permissions

Considerations and Thoughts

If you spot broad-access permissions, keep in mind who the permissions are granted to. Everyone grants many more people or systems access whereas a named entity can be more specific and limit the overall effects of the broad permissions. Granting broad permissions to your co-founder poses less risk that your data will be accessed inappropriately compared to granting world access.

There is a lot to unpack here and I've only covered enough to figure out why we sometimes see numeric values instead of human-readable enum values.