SID – Windows Security Identifier; Working method, Overview, Usage and its Deployment methods

By Melbin Mathew | May 29, 2011


Windows uses a Security Identifier to identify each object. The Security Identifier is a string of alphanumeric values assigned to the object at the time the object is created; in short, the Security Identifier is called a “SID”. Every object, for example a computer account, a user, the operating system, a group, etc., is assigned a unique Windows Security Identifier (SID).

The Windows Access Control List (ACL) works together with the Security Identifier to determine whether an object is allowed or denied a particular action. This is part of the mechanism by which Windows confirms that the correct user, group or object is admitted only to the permitted areas of the environment.

Windows Security Identifier (SID) Formats

"S-1-5-21-3623811015-3361044348-30300820-1013"

S – The string is a SID.

1 – The revision level (the version of the SID specification).

5 – The identifier authority value.

21-3623811015-3361044348-30300820 – The domain or local computer identifier.

1013 – A Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.

Possible identifier authority values are:

0 – Null Authority

1 – World Authority

2 – Local Authority

3 – Creator Authority

4 – Non-unique Authority

5 – NT Authority

9 – Resource Manager Authority

Microsoft Predefined Windows Security Identifier (SID) Values

There is a predefined set of Windows Security Identifier (SID) values that Microsoft operating systems use to perform their functions. These SIDs are part of the operating system and the Windows environment, and by knowing the SID values we can determine what actions they are performing.

SID – Description

S-1-1-0 – Everyone.

S-1-5-14 – Remote Interactive Logon.

S-1-5-18 – Local System, a service account that is used by the operating system.

S-1-5-19 – NT Authority, Local Service.

S-1-5-20 – NT Authority, Network Service.

S-1-5-29 – Network Service.

S-1-5-domain-500 – A user account for the system administrator. By default, it is the only user account that is given full control over the system.

S-1-5-domain-501 – Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.

S-1-5-domain-512 – Domain Admins, a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

S-1-5-domain-513 – Domain Users.

S-1-5-domain-514 – Domain Guests, a global group that, by default, has only one member, the domain’s built-in Guest account.

S-1-6 – Site Server Authority.

S-1-7 – Internet Site Authority.

S-1-8 – Exchange Authority.

S-1-9 – Resource Manager Authority.

We can find some of these Security Identifier values in the system registry, under the “HKEY_USERS” key.


Duplicate SIDs

Talking about virtual machines, new system builds are normally completed from a virtual machine template or by cloning an existing virtual machine. Plain operating system installations are far fewer compared to this activity.

In these scenarios there is a possibility that the same SID as the source system is used by the deployed destination machine. This creates duplicate SIDs in the environment. If a user gets a duplicate Windows Security Identifier (SID) of another user in the environment, he or she can access all the resources used by the original user, which is a large vulnerability for the environment. This might happen in local workgroup mode, but in a domain model of infrastructure each Windows Security Identifier (SID) includes the domain identifier and so the SID will be unique. There is also a chance of network communication failure if operating systems have duplicate SIDs.
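The SID format described above and the duplicate-SID problem, in one piece of added example code that is not part of the original post: the parser splits a textual SID into the fields listed in the Formats section, and the inventory check groups hosts by their S-1-5-21 domain/computer identifier to find clones that still share a machine SID. The inventory and every SID value in it are constructed for this example.

```python
import re
from collections import defaultdict

# Added example, not from the original post: split a textual SID into the
# fields the post lists and use the S-1-5-21-a-b-c part to find hosts that
# share a machine SID. The inventory is constructed; the numbers are made up.
SID_PATTERN = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")
SAMPLE_INVENTORY = [
    ("TEMPLATE01", "S-1-5-21-1111111111-2222222222-3333333333"),
    ("CLONE01", "S-1-5-21-1111111111-2222222222-3333333333"),  # clone, never re-SIDed
    ("FRESH01", "S-1-5-21-2444444444-1555555555-2666666666"),
]

def parse_sid(sid):
    """Return revision, identifier authority and sub-authorities; reject
    strings with a wrong revision, >15 sub-authorities or oversized fields."""
    m = SID_PATTERN.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    if revision != 1 or authority >= 2 ** 48 or len(subs) > 15:
        raise ValueError("malformed SID: %r" % sid)
    if any(s >= 2 ** 32 for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    return {"revision": revision, "authority": authority, "subauthorities": subs}

def split_domain_and_rid(sid):
    """For S-1-5-21-a-b-c[-rid] SIDs return the domain/computer identifier and
    the RID (None for a bare machine SID); well-known SIDs give (None, None)."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    if p["authority"] != 5 or subs[:1] != [21] or len(subs) not in (4, 5):
        return None, None
    ident = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return ident, (subs[4] if len(subs) == 5 else None)

def is_default_account(sid):
    """The post's rule: accounts not created by default have a RID of 1000+."""
    _, rid = split_domain_and_rid(sid)
    return rid is not None and rid < 1000

def find_duplicate_machine_sids(inventory):
    """Group hosts by domain/computer identifier and keep the shared ones."""
    hosts_by_ident = defaultdict(list)
    for host, sid in inventory:
        ident, _ = split_domain_and_rid(sid)
        if ident is not None:
            hosts_by_ident[ident].append(host)
    return {i: h for i, h in hosts_by_ident.items() if len(h) > 1}
```

Running find_duplicate_machine_sids over an inventory gathered with PsGetSid (described later in the post) reports every group of hosts that still share a machine SID.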

Examples of the errors:


Windows Event ID 5516 refers to the duplicate SID error.


Applying New SID

During the deployment of a new operating system or server build we need to be sure that the system has a unique Windows Security Identifier (SID). The process of applying a new SID should be included in the server build. A fresh operating system installation generates its own unique Windows Security Identifier (SID), so there is no need to reapply the SID in that case.

Microsoft recommends the use of the “Sysprep” utility to apply a new Windows Security Identifier (SID) to a Windows operating system. The tool randomly generates a unique value, depending on the system name etc. The Sysprep utility works well in Windows 2008 and Windows 7, and it also supports other versions of the Windows operating system.

The application is located at “C:\Windows\System32\sysprep\sysprep.exe”, where C: is the drive holding the root folder of the operating system installation.


The Generalize option is only used if we are taking an image of the present operating system for future deployment of new systems.

· There is another GUI tool released by Microsoft, “NewSID 4.10”, which was previously available for download from the following LINK . The utility was widely used on Windows XP and Windows 2003 operating systems. But the version is outdated and Microsoft has withdrawn the application. This utility cannot be used with Windows 2008 and Windows 7 operating systems, where we need to use “Sysprep” instead.

I could see that the tool is available to download from another website LINK .


In VMware, if you are deploying a Windows system from templates or using the VMware cloning methods, we can apply a new Windows Security Identifier (SID) to the system from the VMware customization wizard. The wizard helps to change the system name and other parameters of the new operating system. The option to apply a new Windows Security Identifier (SID) is available in the Customize window.


This is the best practice for applying a new Windows Security Identifier (SID) to systems newly deployed from VMware templates and VMware clones. Once the system deployment is finished, wait a few minutes for the SID to be applied. The system will reboot automatically.

There are third-party tools available to apply a new Windows Security Identifier (SID) to systems. VMware and Microsoft do not encourage users to use third-party tools for the process of applying a new SID.

Few Points about SID integration in Active Directory

· Active Directory stores the account’s SID in the Object-SID (objectSID) property of a User or Group object.

· If a user account is moved from one domain to another (for example, Melbin Mathew’s user account has been moved from the TECHIESUS domain to the TECHIESINDIA domain), the user is assigned a new Windows Security Identifier (SID) in addition to the one that was already assigned. The relative identifier portion of a SID is unique relative to the domain, so if the domain changes, the relative identifier also changes.

The new SID must be generated for the user account and stored in the Object-SID property. Before the new value is written to the property, the previous value is copied to another property of a User object, SID-History (sIDHistory). This property can hold multiple values.

Each time a User object moves to another domain, a new Windows Security Identifier (SID) is generated and stored in the Object-SID property, and another value is added to the list of old SIDs in SID-History. When a user logs on and is successfully authenticated, the domain authentication service queries Active Directory for all of the SIDs associated with the user: the user’s current SID, the user’s old SIDs, and the SIDs of the user’s groups. All of these SIDs are returned to the authentication client and are included in the user’s access token. When the user tries to gain access to a resource, any one of the SIDs in the access token, including one of the SIDs in SID-History, could allow or deny the user access.
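As an added example (not from the original post) of the token evaluation just described: a user moved between two constructed domains keeps access through a legacy ACL only because the old SID is carried in sIDHistory. The ACL walk is a simplified version of the Windows DACL algorithm; the domain SIDs, RIDs and right names are all constructed for this example.

```python
# Added example, not from the original post: how the SIDs carried in a user's
# access token, including sIDHistory values, are matched against an ACL.
# All SIDs and rights below are constructed for this example.
OLD_DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"   # domain the user came from
NEW_DOMAIN = "S-1-5-21-2000000001-2000000002-2000000003"   # domain the user moved to
OLD_USER = OLD_DOMAIN + "-1013"   # original objectSid, now kept in sIDHistory
NEW_USER = NEW_DOMAIN + "-1105"   # objectSid after the move

# A legacy ACL written before the move. Each ACE is (type, trustee SID, rights).
# Deny ACEs come first, as in a canonically ordered DACL.
LEGACY_ACL = [
    ("deny", OLD_DOMAIN + "-514", {"read", "write"}),   # old domain's Domain Guests
    ("allow", OLD_USER, {"read", "write"}),
    ("allow", OLD_DOMAIN + "-513", {"read"}),           # old domain's Domain Users
]

def build_token(object_sid, sid_history, group_sids):
    """Token SIDs as the post describes them: the current SID, every
    sIDHistory value, the group SIDs, and the well-known Everyone SID S-1-1-0."""
    return {object_sid, *sid_history, *group_sids, "S-1-1-0"}

def access_check(token_sids, acl, requested):
    """Simplified DACL walk: ACEs are examined in order; a deny ACE for any SID
    in the token that covers a still-ungranted right fails the check, allow
    ACEs accumulate rights, and the walk stops once everything requested has
    been granted."""
    granted = set()
    for ace_type, trustee, rights in acl:
        if trustee not in token_sids:
            continue
        if ace_type == "deny" and rights & (requested - granted):
            return False
        if ace_type == "allow":
            granted |= rights & requested
            if granted == requested:
                return True
    return granted == requested

def migrated_user_can_read(with_history=True):
    """Same user, same legacy ACL: only the sIDHistory entry lets the new SID
    through, which is why an old SID 'could allow or deny' access."""
    history = [OLD_USER] if with_history else []
    token = build_token(NEW_USER, history, [NEW_DOMAIN + "-513"])
    return access_check(token, LEGACY_ACL, {"read"})
```

The same walk shows the other direction: a token that also carries the old domain's Domain Guests SID is denied by the first ACE before any allow ACE is reached, so sIDHistory contents deserve review during migrations.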

To View the Security Identifier

There is a tool released by Microsoft to view the Windows Security Identifier (SID) of objects, called “PsGetSid”. The tool is available for download from the LINK . Copy the downloaded “PsGetSid” package onto your executable path and type "psgetsid" at the Windows command prompt.

Syntax:

psgetsid [\\computer[,computer[,…] | @file] [-u username [-p password]]] [account|SID]


References : LINK, LINK

                                                          – Melbin Mathew

                                                        www.techiesweb.com

Melbin Mathew

I am Melbin Mathew, Systems Engineer from Kerala, India. I live with my parents, daughter and my wonderful wife. I graduated in 2004 with a bachelor’s degree in Electronics and Hardware from Mahatma Gandhi University, Kottayam and completed certification in MCITP, RHCE, CCNA, VCP ...Read More
Category: Virtualization
