Security Identifier
In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique name (an alphanumeric character string), assigned by a Windows domain controller during the logon process, that is used to identify a subject such as a user or a group of users in a network of NT/2000 systems.
Overview
Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs into a computer, an access token is generated that contains the user and group SIDs and the user's privilege level. When the user requests access to a resource, the access token is checked against the ACL to permit or deny a particular action on a particular object.
SIDs are useful for troubleshooting issues with security audits and with Windows server and domain migrations.
The format of an SID can be illustrated using the following example: "S-1-5-21-3623811015-3361044348-30300820-1013":

S | 1 | 5 | 21-3623811015-3361044348-30300820 | 1013
---|---|---|---|---
The string is a SID. | The revision level (the version of the SID specification). | The identifier authority value. | The domain or local computer identifier. | A Relative ID (RID), the part of the SID that uniquely identifies an account or group within a domain. Any group or user that is not created by default will have a Relative ID of 1000 or greater.
Possible identifier authority values are:
- 0 - Null Authority
- 1 - World Authority
- 2 - Local Authority
- 3 - Creator Authority
- 4 - Non-unique Authority
- 5 - NT Authority
- 9 - Resource Manager Authority
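As an added example, not code from the page or from Microsoft, the following Python splits a SID string into the fields the table above describes, flags whether the RID belongs to a default (built-in) account, and converts between the textual form and the standard binary SID layout (a revision byte, a subauthority count byte, a 48-bit big-endian identifier authority, then each subauthority as a little-endian 32-bit integer). The binary layout is not described on this page and is assumed from the Windows SID structure definition; the function names are my own.

```python
import struct

# Identifier authority values as listed above.
IDENTIFIER_AUTHORITIES = {
    0: "Null Authority",
    1: "World Authority",
    2: "Local Authority",
    3: "Creator Authority",
    4: "Non-unique Authority",
    5: "NT Authority",
    9: "Resource Manager Authority",
}


def parse_sid(sid):
    """Split a textual SID into revision, identifier authority and subauthorities and,
    for S-1-5-21-... account SIDs, also the domain/machine part and the RID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    # Reject anything that could not be encoded in the binary layout.
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subauthorities) > 15 or any(not 0 <= s < 2 ** 32 for s in subauthorities):
        raise ValueError("bad subauthority list")
    info = {
        "revision": revision,
        "authority": authority,
        "authority_name": IDENTIFIER_AUTHORITIES.get(authority, "unknown"),
        "subauthorities": subauthorities,
        "domain": None,
        "rid": None,
        "default_account": None,
    }
    # S-1-5-21-a-b-c-RID: NT Authority, subauthority 21, three 32-bit domain/machine
    # identifiers, then the relative identifier of the account or group.
    if authority == 5 and len(subauthorities) == 5 and subauthorities[0] == 21:
        info["domain"] = "S-1-5-21-" + "-".join(str(s) for s in subauthorities[1:4])
        info["rid"] = subauthorities[4]
        info["default_account"] = subauthorities[4] < 1000  # built-in accounts use RIDs below 1000
    return info


def sid_to_binary(sid):
    """Encode a textual SID in the (assumed standard) binary SID layout."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    header = bytes([p["revision"], len(subs)]) + p["authority"].to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def binary_to_sid(data):
    """Decode the binary SID layout back into its textual form."""
    if len(data) < 8:
        raise ValueError("truncated SID")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("subauthority count does not match data length")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


if __name__ == "__main__":
    example = "S-1-5-21-3623811015-3361044348-30300820-1013"
    info = parse_sid(example)
    print("domain:", info["domain"], "rid:", info["rid"], "default account:", info["default_account"])
    print("binary:", sid_to_binary(example).hex())
    print("round trip:", binary_to_sid(sid_to_binary(example)))
```

The length and range checks matter in practice: a SID read from a file system ACL or a registry blob that claims more subauthorities than the data holds should be rejected rather than silently truncated, since a mis-parsed SID is exactly what leads to the wrong principal being matched.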
Well-known security identifiers
A number of "well-known" security identifiers are defined by the operating system so as to ensure that specific system accounts can always be found. Microsoft maintains a complete list of these identifiers in a knowledge base article.

SID | Description
---|---
S-1-1-0 | Everyone.
S-1-5-14 | Remote Interactive Logon.
S-1-5-18 | Local System, a service account that is used by the operating system.
S-1-5-19 | NT Authority, Local Service.
S-1-5-20 | NT Authority, Network Service.
S-1-5-21-domain-500 | A user account for the system administrator. By default, it is the only user account that is given full control over the system.
S-1-5-21-domain-501 | Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
S-1-5-21-domain-512 | Domain Admins, a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
S-1-5-21-domain-513 | Domain Users.
S-1-5-21-domain-514 | Domain Guests, a global group that, by default, has only one member, the domain's built-in Guest account.
S-1-6 | Site Server Authority.
S-1-7 | Internet Site Authority.
S-1-8 | Exchange Authority.
S-1-9 | Resource Manager Authority.
Duplicated SIDs
The problem with duplicated SIDs in a Workgroup of computers running Windows NT/2K/XP is only related to different user accounts having the same SID. This could lead to unexpected access to shared files or to files stored on removable storage: if access control lists are set on a file, the actual permissions are associated with a user SID. If this user SID is duplicated on another computer (because the computer SID is duplicated, and because user SIDs are built from the computer SID plus a sequential number), a user of a second computer having the same SID could have access to the files that the user of the first computer has protected.
When the computers are joined into a domain (Active Directory or an NT domain, for instance), each computer has a unique domain SID which is recomputed each time a computer enters a domain. Thus there are usually no real problems with duplicated SIDs when the computers are members of a domain, especially if local user accounts are not used. If local user accounts are used, there is a potential security issue that is the same as the one described above for a Workgroup, but it affects only the files and resources protected by local users, not those protected by domain users.
In other words, duplicated SIDs are usually not a problem with Microsoft Windows systems. However, Microsoft did provide the "NewSID" utility to change a machine SID. Other programs that rely on SIDs might, however, have security problems of their own.
After NewSID's retirement, Microsoft engineer Mark Russinovich posted an article on his blog explaining the retirement of NewSID, stating that neither he nor the Windows security team could think of any situation where duplicate SIDs could cause any problems at all, against commonly accepted wisdom.
On November 1, 2009, Microsoft added the following to the NewSID download page: "At present, the only supported mechanism for duplicating disks for Windows operating systems is through use of SysPrep."
Machine SIDs
The machine SID is stored in the SECURITY registry hive at SECURITY\SAM\Domains\Account; this key has two values, F and V. The V value is a binary value that has the computer SID embedded at the end of its data (the last 96 bits). From the NewSID readme: "NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID."
Decoding Machine SID
To decode the machine SID from the last 96 bits of the V value:
1) Divide the bytes into 3 sections.
2) Reverse the order of bytes in each section.
3) Convert each section into decimal.
4) Add the machine SID prefix.
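The decoding steps above, together with the clone scenario from the Duplicated SIDs section, as an added Python example that is not part of the original page or of NewSID. The V data, hostnames and RID 1001 are constructed sample values (real V blobs are longer; zero padding stands in for their leading bytes), and the function names are my own.

```python
import struct


def decode_machine_sid(v_value):
    """Apply the four decoding steps to the V value of SECURITY\\SAM\\Domains\\Account."""
    if len(v_value) < 12:
        raise ValueError("V value too short to hold a 96-bit machine SID")
    tail = v_value[-12:]  # the machine SID lives in the last 96 bits of the data
    # Step 1 splits the tail into three 4-byte sections; steps 2 and 3 reverse each
    # section and read it as decimal, which is exactly a little-endian uint32 unpack.
    a, b, c = struct.unpack("<III", tail)
    return "S-1-5-21-%d-%d-%d" % (a, b, c)  # step 4: add the machine SID prefix


def local_account_sid(machine_sid, rid):
    """Local account SIDs are the machine SID followed by a per-account RID."""
    return "%s-%d" % (machine_sid, rid)


def find_duplicate_machine_sids(v_values_by_host):
    """Return {machine SID: [hosts]} for every machine SID shared by two or more hosts."""
    hosts_by_sid = {}
    for host, v in v_values_by_host.items():
        hosts_by_sid.setdefault(decode_machine_sid(v), []).append(host)
    return {sid: hosts for sid, hosts in hosts_by_sid.items() if len(hosts) > 1}


# Constructed sample data, not real registry dumps: 16 bytes of zero padding followed
# by the 12 tail bytes that carry the SID.
SAMPLE_V_VALUES = {
    "ws-01": bytes(16) + bytes.fromhex("78563412EFBEADDEFECA0000"),
    "ws-02": bytes(16) + bytes.fromhex("78563412EFBEADDEFECA0000"),  # disk image cloned from ws-01 without Sysprep
    "ws-03": bytes(16) + bytes.fromhex("0DF0AD0B78563412EFBEADDE"),
}


if __name__ == "__main__":
    for host, v in SAMPLE_V_VALUES.items():
        print(host, decode_machine_sid(v))
    for sid, hosts in find_duplicate_machine_sids(SAMPLE_V_VALUES).items():
        print("duplicate machine SID", sid, "on", ", ".join(hosts))
        # The first local account created on each clone therefore gets the same SID,
        # which is the workgroup file-sharing problem described above.
        print("  local account RID 1001 resolves to", local_account_sid(sid, 1001), "on all of them")
```

Running the duplicate check over V values collected from a workgroup is a quick way to confirm whether cloned images were deployed without Sysprep before deciding whether any locally protected shares or removable media need their ACLs reviewed.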
See also
- Access control
- Access Control Matrix
- Discretionary Access Control (DAC)
- Globally Unique Identifier (GUID)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Capability-based security
- Post-cloning operations
External links
- How to Associate a Username with a Security Identifier
- NewSID - How to change SID on cloned system
- Why Understanding SIDs is Important
- Support tools for Windows Server 2003 and Windows XP
- Well known SIDs
- Microsoft Security Descriptor (SID) Attributes : Tutorial Article about SID handling / converting in scripts