Security Identifier
From Wikipedia, the free encyclopedia
In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique name (an alphanumeric character string) that is assigned by a Windows domain controller during the logon process and that is used to identify an object, such as a user or a group of users, in a network of NT/2000 systems.
Overview
Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs on to a computer, an access token is generated that contains the user's SID, the SIDs of the user's groups and the user's privilege level. When the user requests access to a resource, the access token is checked against the ACL to permit or deny a particular action on a particular object.
SIDs are useful when troubleshooting security audits and Windows server and domain migrations.
A SID has the following format: S-1-5-12-7623811015-3361044348-030300820-1013
- S - The string is a SID.
- 1 - The revision level.
- 5 - The identifier authority value.
- 12-7623811015-3361044348-030300820 - The domain or local computer identifier.
- 1013 - A Relative ID (RID).
Any group or user that is not created by default has a Relative ID of 1000 or greater.
Well-known security identifiers
A number of "well-known" security identifiers are defined by the operating system so that specific system accounts can always be found. Microsoft maintains a complete list of these identifiers in a knowledge base article.[1]
| SID | Description |
|---|---|
| S-1-5-18 | Local System, a service account that is used by the operating system. |
| S-1-5-19 | NT Authority, Local Service |
| S-1-5-20 | NT Authority, Network Service |
| S-1-5-21-domain-500 | A user account for the system administrator. By default, it is the only user account that is given full control over the system. |
| S-1-5-21-domain-501 | Guest user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. |
| S-1-5-21-domain-512 | Domain Admins - a global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group. |
| S-1-5-21-domain-514 | Domain Guests - A global group that, by default, has only one member, the domain's built-in Guest account. |
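As an added example that is not part of the article or of any Microsoft code, the following Python script parses the textual SID form described above and classifies a SID against the well-known entries in the table, applying the rule that RIDs of 1000 or greater belong to accounts created after setup. The regular expression, the function names and the sample domain identifier 1111-2222-3333 are this example's own assumptions; only the decimal textual form is handled (the hexadecimal "0x..." authority form that some tools print is not).

```python
import re
from dataclasses import dataclass

# Textual SID form from the article: S-<revision>-<authority>-<subauthority>[-<subauthority>...]
# Assumption: decimal components only (the "0x..." authority form is not handled here).
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known SIDs from the table above.
WELL_KNOWN_ABSOLUTE = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "NT Authority, Local Service",
    "S-1-5-20": "NT Authority, Network Service",
}
# Domain-relative well-known RIDs (S-1-5-21-<domain>-<rid>) from the table above.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    514: "Domain Guests",
}


@dataclass
class SID:
    revision: int
    authority: int
    subauthorities: list  # domain/computer identifier components followed by the RID

    @property
    def rid(self) -> int:
        """The last subauthority is the Relative ID."""
        return self.subauthorities[-1]

    @property
    def domain_identifier(self) -> str:
        """Everything between the authority and the RID (empty for SIDs such as S-1-5-18)."""
        return "-".join(str(x) for x in self.subauthorities[:-1])

    def __str__(self) -> str:
        # Components are re-emitted as integers, so leading zeros are not preserved.
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(x) for x in self.subauthorities))


def parse_sid(text: str) -> SID:
    """Parse a textual SID; raises ValueError on malformed input or an unknown revision."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a textual SID: %r" % text)
    revision, authority = int(m.group(1)), int(m.group(2))
    subauthorities = [int(p) for p in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    return SID(revision, authority, subauthorities)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def classify(text: str) -> str:
    """Name the account or group a SID stands for, as far as the article's table allows."""
    sid = parse_sid(text)
    if str(sid) in WELL_KNOWN_ABSOLUTE:
        return WELL_KNOWN_ABSOLUTE[str(sid)]
    # S-1-5-21-<domain>-<rid>: the domain-relative well-known accounts and groups
    if sid.authority == 5 and sid.subauthorities[0] == 21 and sid.rid in WELL_KNOWN_DOMAIN_RIDS:
        return WELL_KNOWN_DOMAIN_RIDS[sid.rid]
    if sid.rid >= 1000:
        return "account or group created after setup (RID >= 1000)"
    return "built-in account or group (RID < 1000)"


if __name__ == "__main__":
    for s in ("S-1-5-18", "S-1-5-21-1111-2222-3333-500",
              "S-1-5-12-7623811015-3361044348-030300820-1013"):
        sid = parse_sid(s)
        print(s, "->", "domain:", sid.domain_identifier or "(none)", "RID:", sid.rid, "|", classify(s))
```

Note that the parser stores components as integers, so the article's example identifier `030300820` is reported as `30300820`; compare SIDs through the parsed form rather than by raw string if inputs may carry leading zeros.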
Duplicated SIDs
In a workgroup of computers running Windows NT/2000/XP, the problem with duplicated SIDs concerns only different user accounts that end up with the same SID. This can lead to unexpected access to shared files or to files stored on removable storage: when ACLs (access control lists) are set on a file, the permissions are associated with a user SID. Because local user SIDs are built from the computer SID plus a sequential number, a duplicated computer SID produces duplicated user SIDs, so a user on a second computer with the same SID could gain access to files that a user on the first computer has protected.
When the computers are joined to a domain (an Active Directory or NT domain, for instance), each computer receives a unique domain SID, which is recomputed each time a computer joins a domain. There are therefore usually no real problems with duplicated SIDs when the computers are domain members, especially if local user accounts are not used. If local user accounts are used, the same potential security issue as in a workgroup exists, but it affects only the files and resources protected by local users, not those protected by domain users.
In other words, duplicated SIDs are usually not a problem for Microsoft Windows systems themselves.
Other programs that use the SID to identify a computer or user, however, may run into security problems when SIDs are duplicated.
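The workgroup scenario above can be checked rather than argued about. The following Python script is an added example, not part of the article: given a constructed inventory of hostnames and their machine SIDs (HOST-B stands for a machine cloned from HOST-A without a new SID), it reports which hosts share a machine SID and whether a given ACL entry can still distinguish the local accounts of those hosts. The inventory, the hostnames, the sample SID values and the function names are all this example's own assumptions.

```python
from collections import defaultdict

# Constructed inventory (hostname -> machine SID). HOST-A and HOST-B share a machine SID,
# as two workgroup computers would after one was cloned from the other without regenerating it.
INVENTORY = {
    "HOST-A": "S-1-5-21-1000-2000-3000",
    "HOST-B": "S-1-5-21-1000-2000-3000",
    "HOST-C": "S-1-5-21-4000-5000-6000",
}


def local_user_sid(machine_sid: str, rid: int) -> str:
    """A local account SID is the machine SID followed by the account's relative ID."""
    return "%s-%d" % (machine_sid, rid)


def machine_sid_of(account_sid: str) -> str:
    """Drop the trailing RID to recover the machine (or domain) identifier."""
    return account_sid.rsplit("-", 1)[0]


def find_duplicate_machine_sids(inventory: dict) -> dict:
    """Return {machine_sid: [hosts]} for every machine SID held by more than one host."""
    hosts_by_sid = defaultdict(list)
    for host, sid in inventory.items():
        hosts_by_sid[sid].append(host)
    return {sid: sorted(hosts) for sid, hosts in hosts_by_sid.items() if len(hosts) > 1}


def hosts_matching_ace(ace_sid: str, inventory: dict) -> list:
    """Hosts on which a local account would carry exactly ace_sid, i.e. every host whose
    machine SID is the prefix of the ACE's SID. Well-known SIDs such as S-1-5-18 match no host."""
    prefix = machine_sid_of(ace_sid)
    return sorted(host for host, sid in inventory.items() if sid == prefix)


def check_ace(ace_sid: str, inventory: dict) -> dict:
    """Flag an ACL entry whose SID is carried by local accounts on more than one machine:
    the file's permissions cannot tell those users apart."""
    hosts = hosts_matching_ace(ace_sid, inventory)
    return {"sid": ace_sid, "hosts": hosts, "ambiguous": len(hosts) > 1}


if __name__ == "__main__":
    for sid, hosts in find_duplicate_machine_sids(INVENTORY).items():
        print("duplicate machine SID", sid, "on", ", ".join(hosts))
    # An ACE granting access to RID 1001 on HOST-A also matches RID 1001 on HOST-B.
    ace = local_user_sid(INVENTORY["HOST-A"], 1001)
    print(check_ace(ace, INVENTORY))
```

In practice the inventory would be filled from each machine rather than typed in; the point of the check is that the ACE on a shared or removable file carries only the SID, so any host whose machine SID is the SID's prefix can present an identical local account.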
See also
- Access control
- Access Control Matrix
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Capability-based security
- Disk cloning: post-cloning operations (http://en.wikipedia.org/wiki/Disk_cloning#Post-cloning_operations)
References
1. "Well-known security identifiers in Windows operating systems" (MSKB 243330). Microsoft Knowledge Base, February 28, 2007. Retrieved 2007-12-08.

