Security Identifier
In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.
Overview
Windows grants or denies access and privileges to resources based on access control lists (ACLs), whose entries are keyed on SIDs that identify users and the groups they belong to. When a user logs on, an access token is generated that contains the user's SID, the SIDs of the user's groups and the user's privileges. When the user requests access to a resource, the access token is checked against the object's ACL to permit or deny the particular action on that object.
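The check described above, as an added illustration (this is not code from the article or from Windows): a Python model of how the SIDs in an access token are walked against a DACL. The rights, group SIDs and ACE lists are constructed for the example; JANE reuses the article's example SID, ADMIN_USER uses the built-in Administrator RID 500, and the model omits privileges, object-type-specific rights and inheritance.

```python
"""Constructed model of a Windows DACL access check (illustrative only)."""
from dataclasses import dataclass

# Constructed access-right bits for the example.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

# Well-known SIDs plus constructed account SIDs sharing one domain prefix.
EVERYONE = "S-1-1-0"
ADMINISTRATORS = "S-1-5-32-544"
DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"
JANE = f"{DOMAIN}-1013"          # the article's example user
CONTRACTORS = f"{DOMAIN}-1105"   # constructed group
ADMIN_USER = f"{DOMAIN}-500"     # built-in Administrator (RID 500)


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset = frozenset()

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(token: Token, dacl, requested: int) -> bool:
    """Grant only if every requested right is allowed before any is denied.

    A null DACL (None) grants all access and an empty DACL grants none.
    ACEs are walked in order: a deny ACE for a SID held by the token that
    overlaps the still-outstanding rights fails the check; allow ACEs
    remove rights from the outstanding set until it is empty. ACEs for
    SIDs the token does not hold are skipped.
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if remaining == 0:
            break
        if not token.holds(ace.sid):
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            remaining &= ~ace.mask
        else:
            raise ValueError(f"unknown ACE type {ace.kind!r}")
    return remaining == 0


# Canonical order: explicit deny ACEs before explicit allow ACEs.
CANONICAL_DACL = [
    Ace("deny", CONTRACTORS, WRITE),
    Ace("allow", ADMINISTRATORS, READ | WRITE | EXECUTE),
    Ace("allow", EVERYONE, READ),
]

# The same intent with the deny placed after an allow: the deny is bypassed.
NONCANONICAL_DACL = [
    Ace("allow", EVERYONE, READ | WRITE),
    Ace("deny", CONTRACTORS, WRITE),
]

JANE_TOKEN = Token(JANE, frozenset({EVERYONE, CONTRACTORS}))
ADMIN_TOKEN = Token(ADMIN_USER, frozenset({EVERYONE, ADMINISTRATORS}))


def demo() -> dict:
    """Outcomes showing that ACE order, not only ACE content, decides access."""
    return {
        "jane_read": access_check(JANE_TOKEN, CANONICAL_DACL, READ),
        "jane_write": access_check(JANE_TOKEN, CANONICAL_DACL, WRITE),
        "admin_write": access_check(ADMIN_TOKEN, CANONICAL_DACL, WRITE),
        "jane_write_noncanonical": access_check(JANE_TOKEN, NONCANONICAL_DACL, WRITE),
        "empty_dacl": access_check(ADMIN_TOKEN, [], READ),
        "null_dacl": access_check(JANE_TOKEN, None, READ | WRITE | EXECUTE),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The non-canonical DACL is the point of the example: once an allow ACE has satisfied the whole request the walk stops, so a deny ACE placed after it never fires. That is why Windows writes explicit deny ACEs ahead of allow ACEs, and why a tool that appends ACEs out of canonical order can silently widen access.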
Knowing how SIDs are structured helps when troubleshooting security audit entries and Windows Server or domain migrations.
The format of a SID can be illustrated using the example S-1-5-21-3623811015-3361044348-30300820-1013:
S | 1 | 5 | 21-3623811015-3361044348-30300820 | 1013 |
---|---|---|---|---|
The literal prefix marking the string as a SID. | The revision level (the version of the SID structure; currently always 1). | The identifier authority value (5 = NT Authority). | The sub-authority values. 21 marks a domain or machine SID, and the three 32-bit values that follow it form a 96-bit identifier unique to that domain or machine. | The Relative ID (RID). Accounts and groups that are not created by default receive RIDs of 1000 or greater; lower RIDs are reserved for built-in principals such as Administrator (500). |
Identifier Authority Values
Known identifier authority values are:[1][2]
Decimal | Name | Display Name | First Introduced | References | Notes |
---|---|---|---|---|---|
0 | Null Authority | (not shown) | | | e.g. "Nobody" (S-1-0-0) |
1 | World Authority | (not shown) | | | Well-known groups such as "Everyone" (S-1-1-0) |
2 | Local Authority | (not shown) | | | Flag SIDs such as "CONSOLE LOGON" |
3 | Creator Authority | (not shown) | | | Placeholder SIDs such as "CREATOR OWNER" (S-1-3-0) and "CREATOR GROUP" (S-1-3-1), replaced by the creating principal's SID when an inheritable ACE is copied to a new object |
4 | Non-unique Authority | | | | |
5 | NT Authority | NT AUTHORITY\ | | | Managed by the NT security subsystem. Has many sub-authorities, including BUILTIN (S-1-5-32) and every machine and Active Directory domain (S-1-5-21-...) |
7 | Internet$ | Internet$\ | Windows 7 | | |
9 | Resource Manager Authority | | Windows Server 2003 | [3][4] | |
11 | Microsoft Account Authority | MicrosoftAccount\ | Windows 8 | [5] | |
12 | Azure Active Directory | AzureAD\ | Windows 10 | | |
15 | Capability SIDs | (does not resolve) | Windows 8, Windows Server 2012 | [6][7][8] | All capability SIDs begin with S-1-15-3. By design, a capability SID does not resolve to a friendly name. The most commonly encountered one is S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 |
16 | Mandatory Label | Mandatory Label\ | Windows Vista | | Used as part of Mandatory Integrity Control |
18 | Asserted Identity | | | | |
Identifying a capability SID:
- If the SID appears in the registry's cached capability data, it is a capability SID. By design, it will not resolve to a friendly name.
- If the SID does not appear there, it is not a known capability SID and can be troubleshot as an ordinary unresolved SID. There is a small chance that it is a third-party capability SID, in which case it will also not resolve to a friendly name.
Per Microsoft Support:[7] Important - DO NOT DELETE capability SIDs from either the Registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back.
Well-known sub-authority values under identifier authority 5 (NT Authority):
Decimal | Name | Display Name | First Introduced | References | Notes |
---|---|---|---|---|---|
18 | LocalSystem | NT AUTHORITY\SYSTEM | NT 3.x | | S-1-5-18 is the well-known SID for LocalSystem |
19 | LocalService | NT AUTHORITY\LOCAL SERVICE | | | S-1-5-19 is the well-known SID for LocalService |
20 | NetworkService | NT AUTHORITY\NETWORK SERVICE | | | S-1-5-20 is the well-known SID for NetworkService |
21 | Domain | | | | Prefix of every machine and domain SID: S-1-5-21-<96-bit identifier>, followed by a RID for each account or group |
32 | Builtin | BUILTIN\ | | | Local built-in groups, e.g. S-1-5-32-544 is BUILTIN\Administrators and S-1-5-32-568 is the group ID for IIS_IUSRS |
64 | Authentication | | | | Logon authentication packages: S-1-5-64-10 NTLM Authentication, S-1-5-64-14 SChannel Authentication, S-1-5-64-21 Digest Authentication |
80 | NT Service | NT SERVICE\ | Windows Vista | | Service SIDs and "virtual account" identities such as those created for SQL Server installations; S-1-5-80-0 is "NT SERVICE\ALL SERVICES" |
82 | IIS AppPool | IIS AppPool\ | Windows 7 | [10] | Application pool identities, e.g. "IIS AppPool\DefaultAppPool" |
83 | Virtual Machines | NT VIRTUAL MACHINE\ | Windows 7 | | "NT VIRTUAL MACHINE\{guid}" where {guid} is the GUID of the Hyper-V VM; S-1-5-83-0 is the group ID for "NT VIRTUAL MACHINE\Virtual Machines" |
88 | NT NFS | | Windows Server 2003 | | Owner SID for UID <uid>: S-1-5-88-1-<uid>; group SID for GID <gid>: S-1-5-88-2-<gid>; file mode: S-1-5-88-3-<mode>; Everyone: S-1-5-88-4 |
90 | Window Manager | Window Manager\ | Windows 7 | | Desktop Window Manager (DWM) sessions; S-1-5-90-0 is "Window Manager\Window Manager Group" |
96 | Font Driver Host | Font Driver Host\ | Windows 7 | | User-mode font driver accounts such as "Font Driver Host\UMFD-1" |
Virtual Accounts are defined for a fixed set of account classes, but the account names within a class are not predefined, so each class can hold a practically unlimited number of accounts. Names take the form "Account Class\Account Name", for example "IIS AppPool\DefaultAppPool" or "NT SERVICE\MSSQLSERVER". The SID is derived from a SHA-1 hash of the account name after its case has been normalised (upper case for NT SERVICE accounts, lower case for IIS AppPool accounts), so each virtual account maps to a distinct SID and can be granted permissions separately.[9][10] This avoids the "cross-sharing permissions" problem that arises when every service runs under the same NT AUTHORITY account (such as "NT AUTHORITY\Network Service").
Machine SIDs
The machine SID (the S-1-5-21 SID of the local computer) is stored in the registry under SAM\SAM\Domains\Account; the same key is reachable as SECURITY\SAM\Domains\Account, because the SECURITY\SAM key is a registry link to SAM\SAM, which is why some sources name one hive and some the other. This key has two values, F and V; the V value is a binary value with the computer SID embedded at the end of its data (the last 96 bits).[11] A backup is located at SECURITY\Policy\PolAcDmS\@.
NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID.
— NewSID readme
The same S-1-5-21 sub-authority format is used for domain SIDs; a standalone machine is, in effect, its own local domain.
Decoding Machine SID
The machine SID is stored in the registry in raw-byte form. To convert it into the more common textual form, one interprets the 12 bytes as three little-endian 32-bit integers, converts each to decimal, and joins them with hyphens after the S-1-5-21 prefix.
Example | 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B |
---|---|
1) Divide the bytes into 3 sections: | 2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B |
2) Reverse the order of bytes in each section: | 40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07 |
3) Convert each section into decimal: | 1085031214 - 1563985344 - 725345543 |
4) Add the machine SID prefix: | S-1-5-21-1085031214-1563985344-725345543 |
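The SID format section above and this worked decoding, carried out in code. This is an added example, not code from the article or from Windows: it encodes and decodes SIDs in the binary layout MS-DTYP documents (revision byte, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) and decodes a machine SID from the last 12 bytes of a V value. The V blob is constructed: filler bytes followed by the article's 12 example bytes.

```python
"""SID binary <-> string conversion and machine SID decoding (added example)."""
import struct

MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in winnt.h


def sid_to_string(blob: bytes) -> str:
    """Binary SID -> "S-1-<authority>-<sub>-...".

    Layout: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount
    little-endian 32-bit sub-authorities.
    """
    if len(blob) < 8:
        raise ValueError("SID blob shorter than its fixed header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUB_AUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))


def string_to_sid(text: str) -> bytes:
    """"S-1-..." -> binary SID, rejecting malformed or out-of-range input."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("expected an S-1-... SID")
    if not all(p.isdigit() for p in parts[2:]):
        raise ValueError("non-numeric SID component")
    authority, *subs = (int(p) for p in parts[2:])
    if authority >= 1 << 48 or len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("authority or sub-authority count out of range")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority out of 32-bit range")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def machine_sid_from_v(v_value: bytes) -> str:
    """Decode the machine SID from a SAM V value: its last 12 bytes are the
    three little-endian 32-bit sub-authorities that follow S-1-5-21."""
    if len(v_value) < 12:
        raise ValueError("V value shorter than 12 bytes")
    a, b, c = struct.unpack("<3I", v_value[-12:])
    return f"S-1-5-21-{a}-{b}-{c}"


def split_domain_rid(text: str):
    """Split an S-1-5-21 account SID into (machine/domain SID, RID). The
    first part is what two machines cloned from one image would share."""
    prefix, _, rid = text.rpartition("-")
    if not prefix.startswith("S-1-5-21-") or prefix.count("-") != 6 or not rid.isdigit():
        raise ValueError("not an S-1-5-21 account SID")
    return prefix, int(rid)


# Constructed V blob: 20 bytes of filler, then the article's example bytes.
SAMPLE_V = bytes(20) + bytes.fromhex("2E43AC40C085385D07E53B2B")

if __name__ == "__main__":
    machine = machine_sid_from_v(SAMPLE_V)
    print("machine SID:", machine)
    user = f"{machine}-1001"
    print("first local user:", user, "->", split_domain_rid(user))
    print("binary:", string_to_sid(user).hex())
    print("round trip:", sid_to_string(string_to_sid(user)))
```

The length and range checks matter when the bytes come from a registry hive, a security descriptor on disk or a network capture rather than from a trusted API: a sub-authority count that disagrees with the buffer length is the classic parsing mistake in SID handling code.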
Other Uses
The machine SID is also used by some free-trial programs, such as Start8, to identify the computer so that the trial cannot be restarted.[citation needed]
Service SIDs
Service SIDs are a feature of service isolation, a security feature introduced in Windows Vista and Windows Server 2008.[12] Any service whose SID type is set to "unrestricted" (or "restricted", which additionally produces a write-restricted token) has a service-specific SID added to the access token of its service host process. The purpose of service SIDs is to let permissions for a single service be managed without creating a dedicated service account, which is an administrative overhead.
Each service SID is a local, machine-level SID generated from the service name using the following formula:
S-1-5-80-{SHA-1(service name in upper case encoded as UTF-16)}
where the 20-byte digest is read as five little-endian 32-bit sub-authorities. Because the SID is a pure function of the name, the sc.exe showsid <service_name> command prints the SID for any service name, whether or not a service of that name is installed.
The service can also be referred to as NT SERVICE\<service_name> (e.g. "NT SERVICE\dnscache").
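The formula above, and the virtual-account scheme described in the NT Authority sub-authority section, implemented as an added example (not code from the article or from Windows). It derives NT SERVICE SIDs (S-1-5-80, upper-cased name) and IIS AppPool SIDs (S-1-5-82, lower-cased name) from SHA-1 over the UTF-16LE name, read as five little-endian 32-bit sub-authorities. The service and pool names are constructed; on a Windows host, sc.exe showsid <name> prints the real service SID to compare against.

```python
"""Hash-derived SIDs for NT SERVICE and IIS AppPool accounts (added example)."""
import hashlib
import struct

SERVICE_BASE = "S-1-5-80"    # NT SERVICE\<name>
APP_POOL_BASE = "S-1-5-82"   # IIS AppPool\<name>


def _hashed_sid(base: str, normalised_name: str) -> str:
    """SHA-1 of the UTF-16LE name, split into five little-endian uint32s."""
    digest = hashlib.sha1(normalised_name.encode("utf-16-le")).digest()
    subs = struct.unpack("<5I", digest)  # 20 bytes -> five sub-authorities
    return base + "".join(f"-{s}" for s in subs)


def service_sid(service_name: str) -> str:
    """SID of NT SERVICE\\<service_name>. The name is upper-cased first, so
    the mapping is case-insensitive, as service names themselves are."""
    return _hashed_sid(SERVICE_BASE, service_name.upper())


def app_pool_sid(pool_name: str) -> str:
    """SID of IIS AppPool\\<pool_name>; IIS lower-cases the name instead."""
    return _hashed_sid(APP_POOL_BASE, pool_name.lower())


def is_virtual_account_sid(sid: str) -> bool:
    """True for a well-formed hash-derived SID: one of the two bases plus
    exactly five 32-bit sub-authorities. S-1-5-80-0 (ALL SERVICES) is a
    well-known SID under the same base but is not hash-derived."""
    parts = sid.split("-")
    if len(parts) != 9 or "-".join(parts[:4]) not in (SERVICE_BASE, APP_POOL_BASE):
        return False
    return all(p.isdigit() and int(p) < 1 << 32 for p in parts[4:])


if __name__ == "__main__":
    for name in ("dnscache", "TrustedInstaller", "MSSQLSERVER"):
        print(f"NT SERVICE\\{name}: {service_sid(name)}")
    print(f"IIS AppPool\\DefaultAppPool: {app_pool_sid('DefaultAppPool')}")
```

Two practical consequences fall out of the derivation: an ACL can grant a service SID before the service exists (installers rely on this), and an unresolved S-1-5-80 SID with five sub-authorities in an ACL can be attributed by hashing the names of candidate services rather than by looking it up anywhere.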
Duplicated SIDs
In a workgroup of computers running Windows NT, 2000 or XP, a user can gain unexpected access to shared files or to files stored on removable storage. Access to such files is controlled by access control lists whose entries are keyed on user SIDs, and local user SIDs are built from the machine SID plus a sequential relative ID. If the machine SID is duplicated, as happens when a computer is set up from a cloned disk image without regenerating the SID (common with unlicensed copies), a user on the second computer who holds the same SID gains the same access to the files that the user on the first computer protected.
When computers are joined to a domain (Active Directory or an NT domain, for instance), each computer receives a unique domain SID, regenerated each time the computer joins a domain; this SID has the same structure as a machine SID. As a result, duplicate machine SIDs usually cause no significant problems for domain members, especially if local user accounts are not used. If local user accounts are used, the same issue can arise, but it is limited to files and resources protected by local users rather than by domain users.
Duplicated machine SIDs are usually not a problem for Windows itself, although third-party software that uses the machine SID as an identifier may behave unexpectedly.
Microsoft used to provide Mark Russinovich's NewSID utility as part of Sysinternals to change a machine SID.[13] It was retired and removed from download on November 2, 2009. Russinovich's explanation is that neither he nor the Windows security team could think of any situation in which duplicate machine SIDs cause a problem, because a machine SID is never used to gate network access.[14]
At present, the only supported mechanism for duplicating Windows disk images is Sysprep, which generates new SIDs.
See also
- Access control
- Access Control Matrix
- Discretionary Access Control (DAC)
- Globally Unique Identifier (GUID)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Capability-based security
- Post-cloning operations
References
- ^ "Well-known security identifiers in Windows operating systems". support.microsoft.com. Retrieved 12 December 2019.
- ^ "[MS-DTYP]: Well-Known SID Structures". docs.microsoft.com. Retrieved 2020-09-03.
- ^ See "Custom Principals" section on https://msdn.microsoft.com/en-us/library/aa480244.aspx
- ^ "Larry Osterman's WebLog".
- ^ "Example impact of Microsoft Accounts on Windows APIs in Windows 8/8.1 – Windows SDK Support Team Blog". blogs.msdn.microsoft.com.
- ^ a b "Security identifiers". support.microsoft.com. 28 August 2021. Retrieved 2020-09-02.
- ^ a b "Some SIDs do not resolve into friendly names". support.microsoft.com. 24 September 2021. Retrieved 2020-09-02.
- ^ "Capability SID Constants (Winnt.h) - Win32 apps". docs.microsoft.com. Retrieved 2020-09-02.
- ^ "Accounts Everywhere: part 1, Virtual Accounts". 1E. 2017-11-24. Retrieved 2020-09-02.
- ^ "IIS AppPool Identity SIDs". winterdom. 2020-09-02.
- ^ "MS TechNet NewSID Utility - How It Works". Knowledge Base. Microsoft. November 1, 2006. Retrieved 2008-08-05.
- ^ "Windows Service Isolation Feature". Article. Windows IT Pro. June 6, 2012. Retrieved December 7, 2012.
- ^ "NewSID v4.10". Windows Sysinternals. Microsoft. 2006-11-01.
- ^ Russinovich, Mark (2009-11-03). "The Machine SID Duplication Myth". TechNet Blogs. Microsoft.
External links
- Official
- ObjectSID and Active Directory
- Microsoft TechNet: Server 2003: Security Identifiers Technical Reference
- MSKB154599: How to Associate a Username with a Security Identifier
- MSKB243330: Well-known security identifiers in Windows operating systems
- Support tools for Windows Server 2003 and Windows XP
- Security Identifiers - Windows Security docs