Security Identifier
From Wikipedia, the free encyclopedia
In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique name (an alphanumeric character string) assigned by a Windows domain controller during the logon process and used to identify a subject, such as a user or a group of users, in a network of NT/2000 systems.
Overview
Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs into a computer, an access token is generated that contains user and group SIDs and user privilege level. When a user requests access to a resource, the access token is checked against the ACL to permit or deny particular action on a particular object.
SIDs are useful for troubleshooting issues with security audits, Windows server and domain migrations.
A SID has the following format: S-1-5-21-7623811015-3361044348-030300820-1013
- S - Indicates that the string is a SID.
- 1 - The revision level (the version of the SID specification).
- 5 - The identifier authority value.
- 21-7623811015-3361044348-030300820 - The domain or local computer identifier.
- 1013 - A Relative ID (RID). Any group or user that is not created by default has a Relative ID of 1000 or greater.
Possible identifier authority values are:
- 0 - Null Authority
- 1 - World Authority
- 2 - Local Authority
- 3 - Creator Authority
- 4 - Non-unique Authority
- 5 - NT Authority
- 9 - Exchange 2007 Authority
Well-known security identifiers
A number of "well-known" security identifiers are defined by the operating system so as to ensure that specific system accounts can always be found. Microsoft maintains a complete list of these identifiers in a knowledge base article.[1]
SID | Description |
---|---|
S-1-5-18 | Local System, a service account that is used by the operating system. |
S-1-5-19 | NT Authority, Local Service |
S-1-5-20 | NT Authority, Network Service |
S-1-5-domain-500 | A user account for the system administrator. By default, it is the only user account that is given full control over the system. |
S-1-5-domain-501 | Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. |
S-1-5-domain-512 | Domain Admins - a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group. |
S-1-5-domain-513 | Domain Users. |
S-1-5-domain-514 | Domain Guests - A global group that, by default, has only one member, the domain's built-in Guest account. |
Duplicated SIDs
The problem with duplicated SIDs in a workgroup of computers running Windows NT/2K/XP arises only when different user accounts share the same SID. This can lead to unexpected access to shared files or to files stored on removable storage: when ACLs (access control lists) are set on a file, the permissions are associated with a user SID. Because user SIDs are built from the computer SID plus a sequential number, a duplicated computer SID produces duplicated user SIDs, and a user on a second computer whose SID matches could gain access to files that a user on the first computer has protected.
When the computers are joined to a domain (an Active Directory or NT domain, for instance), each computer receives a unique domain SID that is recomputed each time the computer joins a domain. There are therefore usually no real problems with duplicated SIDs when the computers are domain members, especially if local user accounts are not used. If local user accounts are used, the same potential security issue exists as in the workgroup case described above, but it affects only the files and resources protected by local users, not those protected by domain users.
In other words, duplicated SIDs are usually not a problem on Microsoft Windows systems. Microsoft does, however, provide a utility to change a machine SID: NewSID (Microsoft TechNet).
Other programs that rely on SIDs may nevertheless be affected by duplicates.
Machine SIDs
The machine SID is stored in the SECURITY registry hive at SECURITY\SAM\Domains\Account. This key has two values, F and V. The V value is a binary value with the computer SID embedded at the end of its data (the last 96 bits).[2]
- "NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID." (From the NewSID readme.)
Decoding Machine SID
The SID number is used in file, registry, service and user permissions. The machine SID can be read in hexadecimal form from:
- regedit.exe -> \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
- explorer.exe -> \%windir%\system32\config\SAM
If the SAM file is missing at startup, a backup is retrieved in hexadecimal form from:
- regedit.exe -> \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
- explorer.exe -> \%windir%\system32\config\SECURITY
Sometimes the SID number is referenced in decimal form.
Example: the last 12 bytes of the V value are 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B
1) Divide the bytes into 3 sections: 2E,43,AC,40 | C0,85,38,5D | 07,E5,3B,2B
2) Reverse the bytes of each section: 40,AC,43,2E | 5D,38,85,C0 | 2B,3B,E5,07
3) Convert each section into decimal: 1085031214 | 1563985344 | 725345543
4) Add the machine SID prefix: S-1-5-21-1085031214-1563985344-725345543
See also
- Access control
- Access Control Matrix
- Discretionary Access Control (DAC)
- Globally Unique Identifier (GUID)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Capability-based security
- Post-cloning operations
References
1. "Well-known security identifiers in Windows operating systems (MSKB 243330)". Knowledge Base. Microsoft. February 28, 2007. http://support.microsoft.com/kb/243330. Retrieved 2007-12-08.
2. "MS TechNet NewSID Utility - How It Works". Microsoft TechNet. November 1, 2006. http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx. Retrieved 2008-08-05.