In the book 'Engineering Information Security' by Stuart Jacobs, it's stated that the preferred order for ACEs inside an ACL is the following:
- Explicit ACEs (access-denied/allowed) come first. Access-denied ACEs are placed before access-allowed ACEs.
- Inherited ACEs are placed in the order in which they are inherited.
- For each level of inherited ACEs, access-denied ACEs are placed before access-allowed ACEs.
Reading this has made me wonder, why should access-denied ACEs always come before access-allowed ones? Is it just to match the way the authentication algorithm works? And if so, is there any particular reason for why the access-denied ACEs are checked first?
Thanks in advance.
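As an added illustration (not from the book or the question above), here is a small Python model of how an access check walks an ACL in list order and why the deny-before-allow canonical ordering matters. The right bits, group names and ACL contents are constructed; the model ignores owner rights, generic-right mapping and the inherit-only/propagation flags of real Windows ACEs.

```python
from dataclasses import dataclass

# Constructed access-right bits standing in for a real access mask.
READ, WRITE, EXEC = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str           # "allow" or "deny"
    trustee: str        # group/SID name (constructed)
    mask: int           # rights this ACE covers
    inherit_depth: int  # 0 = explicit, 1 = from parent, 2 = grandparent, ...

def canonical_order(acl):
    """Order ACEs as the question describes: explicit before inherited,
    inherited by depth, and within each level deny before allow."""
    return sorted(acl, key=lambda a: (a.inherit_depth, 0 if a.kind == "deny" else 1))

def access_check(acl, groups, requested):
    """Walk the ACL in the order given, accumulating granted bits.
    A deny ACE that overlaps the still-outstanding rights ends the check;
    the check succeeds once every requested bit has been granted."""
    granted = 0
    for ace in acl:
        remaining = requested & ~granted
        if not remaining:
            break
        if ace.trustee not in groups:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
    return granted == requested

# Constructed ACL: Everyone may read and write, but Contractors are denied write.
ACL = [Ace("allow", "Everyone", READ | WRITE, 0),
       Ace("deny", "Contractors", WRITE, 0)]
CONTRACTOR = {"Everyone", "Contractors"}

def check_unsorted():      # allow listed first: the deny is never reached
    return access_check(ACL, CONTRACTOR, WRITE)

def check_canonical():     # deny moved first: write is refused
    return access_check(canonical_order(ACL), CONTRACTOR, WRITE)

# Constructed ACL: an inherited deny versus an explicit allow on the object itself.
ACL2 = [Ace("deny", "Contractors", WRITE, 1), Ace("allow", "Contractors", WRITE, 0)]

def check_explicit_override():  # explicit ACEs sort ahead of inherited ones
    return access_check(canonical_order(ACL2), CONTRACTOR, WRITE)
```

With the ACL stored allow-first, the contractor's write request is granted before the deny is ever examined; after canonical ordering the same request is refused, which is the behaviour the deny ACE was meant to enforce.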