We recommend using Visual Studio 2017
This documentation is archived and is not being maintained.


warning C6248: setting a SECURITY_DESCRIPTOR’s DACL to NULL will result in an unprotected object

This warning identifies a call that sets a SECURITY_DESCRIPTOR's DACL field to null. If the DACL that belongs to the security descriptor of an object is set to NULL, a null DACL is created. A null DACL grants full access to any user who requests it; normal security checking is not performed with respect to the object. A null DACL should not be confused with an empty DACL. An empty DACL is a properly allocated and initialized DACL that contains no ACEs. An empty DACL grants no access to the object it is assigned to.

Objects that have null DACLs can have their security descriptors altered by malicious users so that no one has access to the object.

Even if everyone needs access to an object, the object should be secured so that only administrators can alter its security. If only the creator needs access to an object, a DACL should not be set on the object; the system will choose an appropriate default.


The following code generates this warning because a null DACL is passed to the SetSecurityDescriptorDacl function:

#include <windows.h>

void f( PSECURITY_DESCRIPTOR pSecurityDescriptor )
  if (SetSecurityDescriptorDacl(pSecurityDescriptor,
                                TRUE,     // Dacl Present
                                NULL,     // NULL pointer to DACL    
                                FALSE))   // Defaulted

      // Dacl is now applied to an object

To see a complete example on how to create security descriptor, see Creating a Security Descriptor for a New Object in C++.

See Also

Other Resources

Creating a DACL