Exactly what I said. “What the h-e-double-hockey-sticks is that”? SDDL, of course. I ran into it yesterday when debugging a production issue on some ASP.NET applications, and since I’d never seen or heard of it before I thought I’d better get it down before I forget (i.e. tomorrow.) Turns out this didn’t lead to the solution of the production problem, but it was educational nonetheless.
The problem we were seeing was that when using impersonation (impersonate=true in a web.config) with NTLM security we were getting access denied errors. Turns out the errors were due to permissions on creating temporary ASP.NET files for the specific users (since IIS is impersonating each authenticated user when creating temp files), but the search led me to SDDL first. We were originally thinking that the access denied errors were errors thrown when the app was attempting to log an error into the event log since the last release involved the creation of a new event source. Really a rediculous conclusion in hindsite considering that we were being notified of the access denied errors through the event log source which we were questioning the security settings of. Anyway.
SDDL is a language used to set permissions on the event log. Read, Write and Clear can all be granted or restricted for groups of users or specific users. I’m sure it has other uses as well, but this is how I came to be aware of its existance. It’s really not too difficult to understand. I won’t go into the details, but instead here are some links I found useful when trying to figure out how to read and manipulate it.
Security Newsgroup Posting covering some event log specifics
This google groups posting, which looks like it’s from a blog somewhere (looks like I screwed up that link as it’s not going where I wanted…will update later if I find it again)
Finally, the google groups posting that lead me down the path in the first place