Security Identifier

From Wikipedia, the free encyclopedia


In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique name (an alphanumeric character string) assigned by a Windows domain controller during the logon process and used to identify a subject, such as a user or a group of users, in a network of NT/2000 systems.


Overview

Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs into a computer, an access token is generated that contains user and group SIDs and user privilege level. When a user requests access to a resource, the access token is checked against the ACL to permit or deny particular action on a particular object.

SIDs are useful when troubleshooting security audits and Windows server and domain migrations.

A SID has the following format, for example: S-1-5-21-7623811015-3361044348-030300820-1013

S - The string is a SID.
1 - The revision level (the version of the SID specification).
5 - The identifier authority value.
21-7623811015-3361044348-030300820 - The domain or local computer identifier.
1013 - A Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.

Possible identifier authority values are:

  • 0 - Null Authority
  • 1 - World Authority
  • 2 - Local Authority
  • 3 - Creator Authority
  • 4 - Non-unique Authority
  • 5 - NT Authority
  • 9 - Exchange 2007 Authority

Well-known security identifiers

A number of "well-known" security identifiers are defined by the operating system so as to ensure that specific system accounts can always be found. Microsoft maintains a complete list of these identifiers in a knowledge base article.[1]

SID - Description

  • S-1-5-18 - Local System, a service account that is used by the operating system.
  • S-1-5-19 - NT Authority, Local Service.
  • S-1-5-20 - NT Authority, Network Service.
  • S-1-5-domain-500 - A user account for the system administrator. By default, it is the only user account that is given full control over the system.
  • S-1-5-domain-501 - Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
  • S-1-5-domain-512 - Domain Admins, a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
  • S-1-5-domain-513 - Domain Users.
  • S-1-5-domain-514 - Domain Guests, a global group that, by default, has only one member, the domain's built-in Guest account.

Duplicated SIDs

The problem with duplicated SIDs in a workgroup of computers running Windows NT/2000/XP arises only when different user accounts end up with the same SID. This can lead to unexpected access to shared files or to files stored on removable storage: when ACLs (access control lists) are set on a file, the permissions are associated with a user SID. If that user SID is duplicated on another computer (because the computer SID is duplicated, and user SIDs are built from the computer SID plus a sequential number), a user on the second computer who has the same SID can access files that the user on the first computer has protected.

In practice, when computers are joined to a domain (an Active Directory or NT domain, for instance), each computer receives a unique domain SID, which is recomputed each time a computer joins a domain. There are therefore usually no real problems with duplicated SIDs when the computers are members of a domain, especially if local user accounts are not used. If local user accounts are used, there is a potential security issue identical to the workgroup case described above, but it affects only the files and resources protected by local users, not those protected by domain users.

In other words, duplicated SIDs are usually not a problem on Microsoft Windows systems. Microsoft does, however, provide a utility to change a machine SID: NewSID (Microsoft TechNet).

Other programs that rely on SIDs may nevertheless have security problems when SIDs are duplicated.

Machine SIDs

The machine SID is stored in the SECURITY registry hive at SECURITY\SAM\Domains\Account; this key has two values, F and V. The V value is a binary value with the computer SID embedded at the end of its data (the last 96 bits).[2]

  • "NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID."
    • From NewSID readme.

Decoding Machine SID

The SID is used in file, registry, service and user permissions. The machine SID can be read in hexadecimal form from:

  • regedit.exe -> \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
  • explorer.exe -> \%windir%\system32\config\SAM

If the SAM file is missing at startup, a backup is retrieved in hexadecimal form from:

  • regedit.exe -> \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
  • explorer.exe -> \%windir%\system32\config\SECURITY

Sometimes the SID is referenced in decimal form.

Example

Last 12 bytes of the V value: 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B

1) Divide the bytes into three sections:
   2E,43,AC,40  C0,85,38,5D  07,E5,3B,2B
2) Reverse the bytes of each section:
   40,AC,43,2E  5D,38,85,C0  2B,3B,E5,07
3) Convert each section into decimal:
   1085031214  1563985344  725345543
4) Add the machine SID prefix:
   S-1-5-21-1085031214-1563985344-725345543
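The decoding procedure above is little-endian unpacking of three 32-bit subauthorities. The following Python is an added example, not code from the article or from any Microsoft tool: it decodes the page's 12 sample bytes into the machine SID, and also parses a textual SID into its revision, authority, domain identifier and RID, checking the 32-bit subauthority bound and labelling the well-known entries listed above. The dictionary names and the "user-created"/"built-in" labels are this example's own.

```python
import re
import struct

# Constructed from the page's worked example: the last 12 bytes of the
# SAM\SAM\Domains\Account\V value, written as the hex pairs regedit shows.
SAMPLE_V_TAIL_HEX = "2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B"

# Well-known SIDs as listed on the page.
WELL_KNOWN_ABSOLUTE = {"S-1-5-18": "Local System",
                       "S-1-5-19": "NT Authority, Local Service",
                       "S-1-5-20": "NT Authority, Network Service"}
WELL_KNOWN_DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                          513: "Domain Users", 514: "Domain Guests"}

def v_tail_from_hex_pairs(text: str) -> bytes:
    """Turn '2E,43,...' (as copied from regedit) into the 12 raw bytes."""
    return bytes.fromhex(text.replace(",", "").replace(" ", ""))

def machine_sid_from_v_tail(tail: bytes) -> str:
    """Decode the last 12 bytes of V into S-1-5-21-a-b-c. Each 4-byte
    section is a little-endian uint32, which is why the manual procedure
    reverses the bytes of each section before converting to decimal."""
    if len(tail) != 12:
        raise ValueError("expected exactly 12 bytes of machine SID data")
    a, b, c = struct.unpack("<III", tail)
    return f"S-1-5-21-{a}-{b}-{c}"

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

def parse_sid(sid: str) -> dict:
    """Split a textual SID into its fields and classify it. Each subauthority
    must fit in 32 bits; a trailing RID >= 1000 marks a non-default account."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("subauthority does not fit in 32 bits")
    info = {"revision": revision, "authority": authority, "subauthorities": subs,
            "domain": None, "rid": None, "kind": None,
            "name": WELL_KNOWN_ABSOLUTE.get(sid)}
    # S-1-5-21-a-b-c-rid: domain/machine identifier followed by a RID
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain"] = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        info["rid"] = subs[4]
        info["name"] = WELL_KNOWN_DOMAIN_RIDS.get(subs[4])
        info["kind"] = "user-created" if subs[4] >= 1000 else "built-in"
    return info
```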
