Call to action and resources (Windows security model)

This article contains call to action recommendations and resources for the Windows security model.

  • Set strong default ACLs in calls to the IoCreateDeviceSecure routine.
  • Specify ACLs in the INF file for each device. These ACLs can loosen tight default ACLs if necessary.
  • Set the FILE_DEVICE_SECURE_OPEN characteristic to apply device object security settings to the device namespace.
  • Do not define IOCTLs that permit FILE_ANY_ACCESS unless such access cannot be exploited maliciously.
  • Use the IoValidateDeviceIoControlAccess routine to tighten security on existing IOCTLS that allow FILE_ANY_ACCESS.

For more information, see:

  • Writing Secure Code, Second Edition. LeBlanc, David and Michael Howard. Redmond, WA: Microsoft Press, 2003.
  • Windows Internals, Part 1 / Windows Internals, Part 2, Sixth Edition. Mark Russinovich, David Solomon and Alex Ionescu. Redmond, WA: Microsoft Press, 2012.
  • Windows Driver Kit (WDK)



Send comments about this topic to Microsoft