Monthly Archives: May 2011

SID – Windows Security Identifier; Working method, Overview, Usage and its Deployment methods


Windows uses a Security Identifier to identify each object. A Security Identifier consists of a string of alphanumeric values that is assigned to the object at the time the object is created. In short, the Security Identifier is called a “SID”. Every object, for example a computer account, user, operating system or group, is assigned a unique Windows Security Identifier (SID).

The Windows Access Control List (ACL) works with the Security Identifier to determine whether an object is allowed or denied a particular action. The SID is thus part of the Windows authentication mechanism, which admits the correct user, group or object to the permitted areas of the environment.

Windows Security Identifier (SID) Formats







The string is a SID.

The revision level (the version of the SID specification).

The identifier authority value.

The domain or local computer identifier.

A Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.

Possible identifier authority values are:

0 – Null Authority

1 – World Authority

2 – Local Authority

3 – Creator Authority

4 – Non-unique Authority

5 – NT Authority

9 – Resource Manager Authority
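
The components and authority values listed above can be checked mechanically. The following Python parser is an added example, not code from the original post; the function name `parse_sid` and the sample SIDs are constructed for illustration.

```python
import re

# Identifier authority values, as listed in the post.
AUTHORITIES = {0: "Null Authority", 1: "World Authority", 2: "Local Authority",
               3: "Creator Authority", 4: "Non-unique Authority",
               5: "NT Authority", 9: "Resource Manager Authority"}

SID_RE = re.compile(r"S-(\d+)-(\d+|0[xX][0-9A-Fa-f]+)((?:-\d+)*)")


def parse_sid(text):
    """Split a SID string into revision, authority, sub-authorities and RID."""
    m = SID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(m.group(1))
    raw_auth = m.group(2)   # large authority values may be written in hex
    authority = int(raw_auth, 16) if raw_auth[:2].lower() == "0x" else int(raw_auth)
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or authority >= 2**48 or len(subs) > 15:
        raise ValueError(f"out-of-range SID field in {text!r}")
    if any(s >= 2**32 for s in subs):
        raise ValueError(f"sub-authority does not fit in 32 bits: {text!r}")
    info = {"revision": revision, "authority": authority,
            "authority_name": AUTHORITIES.get(authority, "unknown"),
            "sub_authorities": subs, "domain_id": None, "rid": None,
            "created_by_default": None}
    # Account SIDs issued by a domain or local computer look like
    # S-1-5-21-<three 32-bit values>-<RID>.
    if authority == 5 and subs[:1] == [21] and len(subs) in (4, 5):
        info["domain_id"] = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        if len(subs) == 5:
            info["rid"] = subs[4]
            # Per the post: accounts not created by default get a RID >= 1000.
            info["created_by_default"] = subs[4] < 1000
    return info


if __name__ == "__main__":
    # Constructed sample SIDs (not taken from a real system).
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-1004",
                "S-1-5-21-1111111111-2222222222-3333333333-500",
                "S-1-1-0"):
        print(sid, parse_sid(sid))
```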

Microsoft Predefined Windows Security Identifier (SID) Values

There is a predefined set of Windows Security Identifier (SID) values that the Microsoft operating system uses to perform its functions. These SIDs are part of the operating system and of Windows environments, and by knowing the SID values we can determine what actions they are performing.






Remote Interactive Logon.


Local System, a service account that is used by the operating system.


NT Authority, Local Service


NT Authority, Network Service


Network Service


A user account for the system administrator. By default, it is the only user account that is given full control over the system.


Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.


Domain Admins – a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.


Domain Users.


Domain Guests – A global group that, by default, has only one member, the domain’s built-in Guest account.


Site Server Authority.


Internet Site Authority.


Exchange Authority.


Resource Manager Authority.

We can find some of these Security Identifier values in the system Registry. They are located under “HKEY_USERS”.


Duplicate SIDs

With virtual machines, new system builds are normally completed from a virtual machine template or by cloning existing virtual machines. Normal operating system installations are far less common by comparison.

In these scenarios the deployed destination machine may use the same SIDs as the source system. This creates duplicate SIDs in the environment. If a user gets a duplicate Windows Security Identifier (SID) of another user in the environment, he or she can access all the resources used by the original user. This results in a large vulnerability to the environment. This might happen in local workgroup mode, but in the domain model of infrastructure each Windows Security Identifier (SID) includes the domain identifier, and thus the SID will be unique. There is also a chance of network communication failure if operating systems have duplicate SIDs.

Examples of the errors:


Windows Event ID 5516 refers to the duplicate SID error.
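
One way to find cloned systems that kept the source machine's SID is to compare the computer identifier portion of local account SIDs across hosts. This Python check is an added example, not code from the original post; the inventory format, host names and SIDs are constructed, and it assumes every row describes a local (not domain) account.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory of local accounts (host, account, SID); in practice
# the SID column could come from a tool such as PsGetSid run on each host.
INVENTORY_CSV = """host,account,sid
web01,Administrator,S-1-5-21-1111111111-2222222222-3333333333-500
web02,Administrator,S-1-5-21-1111111111-2222222222-3333333333-500
db01,Administrator,S-1-5-21-4000000001-4000000002-4000000003-500
app01,svc_backup,S-1-5-21-1111111111-2222222222-3333333333-1001
lab07,Administrator,not-a-sid
"""


def machine_sid(account_sid):
    """Return the computer identifier: a local account SID minus its RID."""
    parts = account_sid.strip().upper().split("-")
    # Expected shape: S-1-5-21-<a>-<b>-<c>-<RID>, eight dash-separated fields.
    if (len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]
            or not all(p.isdigit() for p in parts[4:])):
        raise ValueError(f"not an account SID: {account_sid!r}")
    return "-".join(parts[:7])


def find_duplicate_machine_sids(csv_text):
    """Return ({machine SID: [hosts]} for SIDs on 2+ hosts, [rejected hosts])."""
    hosts_by_sid = defaultdict(set)
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            hosts_by_sid[machine_sid(row["sid"])].add(row["host"].lower())
        except ValueError:
            rejected.append(row["host"])   # keep going, report unparsable rows
    dupes = {sid: sorted(hosts) for sid, hosts in hosts_by_sid.items()
             if len(hosts) > 1}
    return dupes, rejected


if __name__ == "__main__":
    duplicates, bad_rows = find_duplicate_machine_sids(INVENTORY_CSV)
    for sid, hosts in duplicates.items():
        print(f"{sid} shared by {', '.join(hosts)}")
    print("unparsable rows:", bad_rows)
```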


Applying New SID

During the deployment of a new operating system or server build, we need to be sure that the system has a unique Windows Security Identifier (SID). The process of applying a new SID should be included in server builds. A unique Windows Security Identifier (SID) is built into fresh operating system installations, so there we do not need to reapply a SID.

Microsoft recommended the use of the “Sysprep” utility to apply a new Windows Security Identifier (SID) to the Windows operating system. The tool randomly generates a unique value depending on the system name etc. The Sysprep utility works well in Windows 2008 and Windows 7, and it also supports other versions of Windows operating systems.

The application is located at “C:\Windows\System32\sysprep\sysprep.exe”, where C: is the drive holding the root folder of the operating system installation.



The Generalize option is only used if we are taking an image of the present operating system for future deployment of new systems.

· Microsoft also released another GUI tool, “NewSID 4.10”, which was previously available for download from the following LINK. The utility was widely used on Windows XP and Windows 2003 operating systems. But the version is outdated and Microsoft withdrew the application. This utility cannot be used with Windows 2008 and Windows 7 operating systems, where we need to use “Sysprep”.

I could see that the tool is available to download from another website LINK.


In VMware, if you are deploying a Windows system from templates or using VMware cloning methods, you can apply a new Windows Security Identifier (SID) to the system from the VMware customization wizard. The wizard helps to change the system name and other parameters of the new operating system. The option to apply a new Windows Security Identifier (SID) is available in the Customize window as shown below.



It is best practice to apply a new Windows Security Identifier (SID) for new deployments of systems from VMware templates and VMware system clones. Once the system deployment is finished, wait a few minutes for the SID to be applied. The system will reboot automatically.

There are third-party tools available to apply a new Windows Security Identifier (SID) to systems. VMware and Microsoft do not encourage users to use third-party tools for applying a new SID.

Few Points about SID integration in Active Directory

· Active Directory stores the account’s SID in the Object-SID (objectSID) property of a User or Group object.

· If a user account is transferred from one domain to another (for example, Melbin Mathew’s user account has been moved from the TECCHIESUS domain to the TECHIESINDIA domain), the user is assigned a new Windows Security Identifier (SID) apart from the one which was already assigned. The relative identifier portion of a SID is unique relative to the domain, so if the domain changes, the relative identifier also changes.

The new SID must be generated for the user account and stored in the Object-SID property. Before the new value is written to the property, the previous value is copied to another property of a User object, SID-History (sIDHistory). This property can hold multiple values.

Each time a User object moves to another domain, a new Windows Security Identifier (SID) is generated and stored in the Object-SID property, and another value is added to the list of old SIDs in SID-History. When a user logs on and is successfully authenticated, the domain authentication service queries Active Directory for all of the SIDs associated with the user: the user’s current SID, the user’s old SIDs, and the SIDs for the user’s groups. All of these SIDs are returned to the authentication client and are included in the user’s access token. When the user tries to gain access to a resource, any one of the SIDs in the access token, including one of the SIDs in SID-History, could allow or deny the user access.
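
How the token's SID set decides access, including the effect of a leftover SID-History entry, shown as an added Python example that is not part of the original post. The access check is a simplified model for a single access right (ACEs walked in order), and the domain identifiers, RIDs and ACLs are constructed.

```python
from dataclasses import dataclass, field

# Constructed SIDs: OLD and NEW stand for the source and target domains.
OLD = "S-1-5-21-1000000001-1000000002-1000000003"
NEW = "S-1-5-21-2000000001-2000000002-2000000003"


@dataclass
class User:
    object_sid: str                                   # Object-SID (objectSID)
    sid_history: list = field(default_factory=list)   # SID-History (sIDHistory)
    group_sids: list = field(default_factory=list)


def build_token(user):
    """All SIDs placed in the access token at logon, as described above."""
    return {user.object_sid, *user.sid_history, *user.group_sids}


def check_access(token, acl):
    """Simplified model: the first ACE that names a SID in the token decides."""
    for kind, sid in acl:
        if sid in token:
            return kind == "allow"
    return False   # no matching ACE: access is not granted


def access_via_history_only(user, acl):
    """True when access is granted only because of a SID-History entry."""
    without_history = User(user.object_sid, [], user.group_sids)
    return (check_access(build_token(user), acl)
            and not check_access(build_token(without_history), acl))


# Account moved from the old domain (RID 1105) to the new one (RID 2210).
migrated = User(object_sid=f"{NEW}-2210", sid_history=[f"{OLD}-1105"],
                group_sids=[f"{NEW}-513"])
# ACL on a share that was never re-permissioned after the migration.
legacy_share_acl = [("allow", f"{OLD}-1105")]
# ACL where a deny ACE names the old SID and precedes the allow ACE.
blocked_acl = [("deny", f"{OLD}-1105"), ("allow", f"{NEW}-513")]

if __name__ == "__main__":
    token = build_token(migrated)
    print("legacy share:", check_access(token, legacy_share_acl))
    print("history only:", access_via_history_only(migrated, legacy_share_acl))
    print("blocked ACL :", check_access(token, blocked_acl))
```

Resources for which `access_via_history_only` returns true are the ones that would lose access if the SID-History value were removed, so they need re-permissioning to the new SID first.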

To View the Security Identifier

Microsoft has released a tool for viewing the Windows Security Identifier (SID) of objects, called “PsGetSid”. The tool is available to download from the LINK. Copy the downloaded “PsGetSid” package onto your executable path, and type "psgetsid" at the Windows command prompt.


psgetsid [\\computer[,computer[,…] | @file] [-u username [-p password]]] [account|SID]


References : LINK, LINK

                                                          – Melbin Mathew




A computer performs and completes its operations with the help of memory. There are two types of memory available in the physical system:

· Random Access Memory (RAM) – Main Memory

· Virtual Memory

Random Access Memory is the physical chip in the system hardware that acts as a memory location. It is part of the primary storage of the system. Data cannot be permanently stored in the chip; all data is erased as soon as the physical system is powered off. This memory is also called Main Memory.

Virtual Memory is a simulation of physical RAM and is stored in the secondary storage of the system. The hard disk acts as secondary storage for the system. This technology extends the memory capacity and works with RAM to load applications. Virtual memory reduces the cost of expanding the capacity of physical RAM. The implementation of virtual memory differs between operating systems, but the basic concept is the same.

When an application opens, it first loads its data into the free address locations of the RAM (physical memory), and the processor communicates with the RAM to fetch the data for further processing. As RAM is a physical memory location, its communication, storage and processing are very fast compared to virtual memory. Virtual memory works with the help of the secondary storage device, and its speed is low compared to the physical storage location (RAM).

Consider a scenario in which a system is not configured with virtual memory and uses only physical memory to complete its work. Such a configuration cannot handle multitasking or multiprocessors. If we open one application, it is loaded into the available free space of the RAM, and there is then no space available to load a second application. The second application needs to wait until the first application is closed and frees up the RAM space. Adding RAM to the system creates room for the second application, but at additional cost. There is also a limit to how much physical RAM can be installed in the physical system.

To overcome this situation, scientists developed the virtual memory method, in which less frequently used or unused data is moved from the RAM to the virtual memory location on the hard disk, freeing space in RAM for processing new data. If an application requires data that is stored in virtual memory, the data is transferred back to the RAM for processing. Paging is an important part of the virtual memory implementation in most contemporary general-purpose operating systems, allowing them to use disk storage for data that does not fit into physical random-access memory (RAM).

An adequate amount of memory is needed for the smooth and reliable functioning of the operating system. The RAM and virtual memory are added together to give the total memory size of the system. Applications that require a large amount of memory to function see only the total allocated memory size of the system.

The movement of data from RAM to virtual memory and vice versa is called thrashing. The data flow is handled automatically by the operating system without manual intervention. This transfer of data slows the performance of the operating system. We can observe the data transfer from the continuous blinking of the hard disk LED, or hear it in the noise of the hard disk head moving across the platter.


In Windows, virtual memory uses the Paging.sys file for its operations. By default the pagefile is located in the root directory of the operating system. We can tune the performance of the pagefile using the Windows Advanced virtual memory setup. This can be accessed from:

My Computer -> Properties -> Advanced -> Settings -> Performance Options -> Advanced -> Change


System Managed

The Windows default configuration for the paging file is to expand its size automatically, but this consumes more hard disk space when an application crashes, when virtual memory is heavily used, or when there are memory leaks. This behaviour also causes heavy fragmentation of the data written in the paging file, as it expands without limit. The result is slower operating system performance.

This setting also has an advantage: the operating system can automatically increase the paging file when required, without the intervention of administrators. This helps to reduce slowness of the system at times of heavy usage.



The System Managed size can be set by selecting the System Managed Size radio button. The system then takes control of the paging file and increases or decreases its usage accordingly.

Custom Size

The custom setting limits the growth of the paging file. Under normal conditions we use custom settings to tune system performance and hard disk space usage.

The recommended custom setting for the paging file is an Initial size of 1.5 times the total physical memory of the system and a Maximum size of 2.5 times the total physical memory.

Locking the paging file size helps to control hard disk usage. If the system’s primary partition does not have a sufficient amount of space, setting a limit is very useful.


No Paging File

This setting does not create a paging file on the system, so the virtual memory mechanism does not function for that operating system.

This option can also be used to move the paging file from one disk drive to another, e.g. from the C drive to the D drive.



· We cannot leave the paging file configuration blank for the primary boot partition, the partition from which the Windows operating system boots, because a small paging file must be configured on the primary partition in order to create a memory dump file when the operating system crashes. The crash report is first written into the paging file, and on the first boot after the operating system crash the recorded data is written into the memory dump file “memory.dmp”.

· The paging file settings for an operating system depend entirely on the operating system, the applications that are running, the total amount of physical memory, the mode of implementation etc.

· Defragmentation tools can be used to rearrange the fragmented paging file blocks on the hard disk and thus improve total system performance. Tools such as PageDefrag are used for defragmenting the paging file.

· The data written to the paging file is unencrypted. There are tools available for encrypting the data written to the paging file, e.g. TrueCrypt, a free open-source disk encryption tool.

· The paging file configuration can be found at the following registry location (Start->Run->regedit); editing the values changes the present paging file configuration.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management


· The paging file is emptied at the time of a normal reboot, and all the contents written to the pagefile (pagefile.sys) are cleared. If we do not want the pagefile to be cleared, we need to set that in the registry value “ClearPageFileAtShutdown”.

· The paging file settings are not applied as soon as we set the configuration; a system reboot is required to implement them.

                                                          – Melbin Mathew