Security Identifier

In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.

Overview

Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs into a computer, an access token is generated that contains user and group SIDs and user privilege level. When a user requests access to a resource, the access token is checked against the ACL to permit or deny particular action on a particular object.

SIDs are useful for troubleshooting issues with security audits, Windows server and domain migrations.

The format of a SID can be illustrated using the following example, "S-1-5-21-3623811015-3361044348-30300820-1013":

  • S: marks the string as a SID.
  • 1: the revision level (the version of the SID specification).
  • 5: the identifier authority value (here NT Authority).
  • 21-3623811015-3361044348-30300820: the subauthority values. Here 21 indicates a domain (or machine), followed by that domain's unique 96-bit identifier. Each subauthority is a 32-bit value, so an identifier larger than 32 bits is encoded as several consecutive subauthorities, as in this example.
  • 1013: the relative identifier (RID). Any group or user that is not created by default has a RID of 1000 or greater.

Identifier Authority Values

Identifier Authority Value

Known identifier authority values are:[1][2]

  • 0, Null Authority: e.g. "Nobody" (S-1-0-0).
  • 1, World Authority (display name not shown): e.g. well-known groups such as "Everyone" (S-1-1-0).
  • 2, Local Authority (display name not shown): e.g. flag SIDs such as "CONSOLE LOGON".
  • 3, Creator Authority.
  • 4, Non-unique Authority.
  • 5, NT Authority (NT AUTHORITY\): managed by the NT security subsystem. There are many subauthorities, such as BUILTIN and every Active Directory domain (see S-1-5 Subauthority Values below).
  • 7, Internet$ (Internet$\): introduced in Windows 7.
  • 9, Resource Manager Authority: introduced in Windows Server 2003.[3][4]
  • 11, Microsoft Account Authority (MicrosoftAccount\): introduced in Windows 8.[5]
  • 12, Azure Active Directory (AzureAD\): introduced in Windows 10.
  • 15, Capability SIDs: introduced in Windows 8 and Windows Server 2012.[6][7][8] All capability SIDs begin with S-1-15-3. By design, a capability SID does not resolve to a friendly name. The most commonly used capability SID is S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681.
  • 16, Mandatory Label (Mandatory Label\): introduced in Windows Vista; used as part of Mandatory Integrity Control.
  • 18, Asserted Identity.

Identifying a capability SID:

  • If the SID is found in the registry data, it is a capability SID. By design, it will not resolve to a friendly name.
  • If the SID is not found in the registry data, it is not a known capability SID. It can still be troubleshot as a normal unresolved SID. There is a small chance that it is a third-party capability SID, in which case it will likewise not resolve to a friendly name.

Per Microsoft Support:[7] Important - DO NOT DELETE capability SIDs from either the Registry or file system permissions. Removing a capability SID from file system permissions or registry permissions may cause a feature or application to function incorrectly. After you remove a capability SID, you cannot use the UI to add it back.

S-1-5 Subauthority Values[6][9][10]

  • 18, LocalSystem (NT 3.x): S-1-5-18 is the well-known SID for LocalSystem.
  • 19, LocalService (Local Service): S-1-5-19 is the well-known SID for LocalService.
  • 20, NetworkService (Network Service): S-1-5-20 is the well-known SID for NetworkService.
  • 21, Domain: S-1-5-21 followed by a 96-bit identifier is the prefix of every machine SID and domain SID (see Machine SIDs below).
  • 32, BUILTIN: built-in local groups, e.g. S-1-5-32-544 is BUILTIN\Administrators and S-1-5-32-568 is the group SID for IIS_IUSRS (Windows 7).
  • 64, Authentication: identifies the authentication package used, e.g. S-1-5-64-10 (NTLM), S-1-5-64-14 (SChannel) and S-1-5-64-21 (Digest).
  • 80, NT Service (NT SERVICE\, Windows Vista): can be a virtual account "NT SERVICE\<service name>", such as those created for SQL Server installations. S-1-5-80-0 corresponds to "NT SERVICE\ALL SERVICES".
  • 82, IIS AppPool (IIS AppPool\, Windows 7): application pool identities, e.g. "IIS AppPool\DefaultAppPool".
  • 83, Virtual Machines (NT VIRTUAL MACHINE\, Windows 7): "NT VIRTUAL MACHINE\{guid}", where {guid} is the GUID of the Hyper-V VM. S-1-5-83-0 is the group SID for "NT VIRTUAL MACHINE\Virtual Machines".
  • 90, Window Manager (Window Manager Group, DWM, Windows 7): window manager class.
  • 96, Font Driver (Windows 7): e.g. "Font Driver Host\UMFD-1".

Virtual accounts are defined for a fixed set of class names, but the account name within a class is not predefined, so there is an effectively unlimited number of accounts within each class. The names take the form "Account Class\Account Name", for example "IIS AppPool\DefaultAppPool". The SID is derived from a SHA-1 hash of the account name normalized to a fixed case (the lower-case name for application pool identities; service SIDs use the upper-case name, see Service SIDs below). Because each virtual account maps to a distinct SID, each can be granted permissions separately. This avoids the shared-permissions problem that arises when every service runs under the same NT AUTHORITY account (such as "NT AUTHORITY\Network Service").

Machine SIDs

The machine SID (an S-1-5-21 SID) is stored in the SECURITY registry hive under SECURITY\SAM\Domains\Account. This key has two values, F and V; V is a binary value with the computer SID embedded at the end of its data (the last 96 bits, i.e. the three 32-bit subauthorities).[11] (Some sources state that it is stored in the SAM hive instead.) A backup copy is located at SECURITY\Policy\PolAcDmS\@.

NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID.

— NewSID readme

The same S-1-5-21 subauthority format is used for domain SIDs; a standalone machine is treated as its own local domain.

Decoding Machine SID

The machine SID is stored in the registry as raw bytes. To convert it into the familiar textual form, interpret the 12 bytes as three little-endian 32-bit unsigned integers, convert each to decimal, prefix S-1-5-21 and join the parts with hyphens.

Example
2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B
1) Divide the bytes into 3 sections:
2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B
2) Reverse the order of bytes in each section:
40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07
3) Convert each section into decimal:
1085031214 - 1563985344 - 725345543
4) Add the machine SID prefix:
S-1-5-21-1085031214-1563985344-725345543
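The four steps above, carried through in code. This is an added example, not code from the original article. Besides the 12-byte machine SID recipe it decodes and encodes the complete binary SID structure (one revision byte, one subauthority-count byte, a 6-byte big-endian identifier authority, then the subauthorities as little-endian 32-bit integers), which is what a forensic tool reads out of a security descriptor or a raw registry value. The 12 bytes are the article's own worked example; the longer "V" value is a constructed stand-in, not a real registry dump.

```python
"""Decode the binary SID structure and recover the machine SID from the raw
bytes stored in the registry.

Added example, not code from the original article. The binary layout used
here is the documented SID structure: a revision byte, a subauthority-count
byte, a 6-byte big-endian identifier authority, then the subauthorities as
little-endian 32-bit integers. EXAMPLE_RAW is the article's worked example;
EXAMPLE_V_VALUE is constructed for illustration.
"""
import struct

MAX_SUBAUTHORITIES = 15


def machine_sid_from_bytes(raw: bytes) -> str:
    """The article's recipe: three little-endian uint32s after S-1-5-21."""
    if len(raw) != 12:
        raise ValueError("machine SID is exactly three 32-bit subauthorities")
    a, b, c = struct.unpack("<III", raw)
    return f"S-1-5-21-{a}-{b}-{c}"


def machine_sid_from_v_value(v: bytes) -> str:
    """The machine SID sits in the last 96 bits of the V value's data."""
    if len(v) < 12:
        raise ValueError("V value too short to contain a machine SID")
    return machine_sid_from_bytes(v[-12:])


def sid_from_binary(blob: bytes) -> str:
    """Full binary SID structure -> 'S-1-A-...' string, with length checks."""
    if len(blob) < 8:
        raise ValueError("SID header is 8 bytes")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported revision {revision}")
    # Reject truncated or oversized buffers instead of reading past them.
    if count > MAX_SUBAUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError("subauthority count does not match data length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "-".join(["S", "1", str(authority), *map(str, subs)])


def sid_to_binary(text: str) -> bytes:
    """Inverse of sid_from_binary, so raw bytes can be compared to strings."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID string: {text!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if authority >> 48 or len(subs) > MAX_SUBAUTHORITIES or any(s >> 32 for s in subs):
        raise ValueError("authority or subauthority out of range")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


# The article's example bytes, as they appear in the registry.
EXAMPLE_RAW = bytes.fromhex("2E43AC40C085385D07E53B2B")
# Constructed stand-in for a V value: arbitrary leading data, SID bytes last.
EXAMPLE_V_VALUE = b"\x00" * 40 + EXAMPLE_RAW

if __name__ == "__main__":
    print(machine_sid_from_bytes(EXAMPLE_RAW))
    print(machine_sid_from_v_value(EXAMPLE_V_VALUE))
    print(sid_from_binary(sid_to_binary("S-1-5-18")))
```

Note the two different byte orders in one structure: the identifier authority is big-endian while every subauthority is little-endian, which is why the article's step 2 reverses the bytes of each 4-byte group but a naive "reverse everything" would not work on a full SID.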

Other Uses

The machine SID is also used by some free-trial programs, such as Start8, to identify the computer so that it cannot restart the trial.[citation needed]

Service SIDs

Service SIDs are part of service isolation, a security feature introduced in Windows Vista and Windows Server 2008.[12] Any service whose SID type is set to "unrestricted" has a service-specific SID added to the access token of its service host process. The purpose of service SIDs is to allow permissions for a single service to be managed without creating a dedicated service account, which is an administrative overhead.

Each service SID is a local, machine-level SID generated from the service name using the following formula:

S-1-5-80-{SHA-1(service name in upper case encoded as UTF-16)}

The sc.exe command can display the SID for any service name, whether or not such a service exists, with sc.exe showsid <service_name>.

The service can also be referred to as NT SERVICE\<service_name> (e.g. "NT SERVICE\dnscache").
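The formula above, and the lower-case variant the Virtual Accounts paragraph describes for application pool identities, carried through in code. This is an added example, not code from the original article or from Windows. The article only states that the SID is S-1-5-80 (or S-1-5-82) followed by a SHA-1 of the UTF-16 name; this example assumes the 20-byte digest is laid out as five little-endian 32-bit subauthorities, the same layout the binary SID structure uses for subauthorities. On a Windows host the service case can be checked against the output of sc.exe showsid <name>.

```python
"""Derive service SIDs (S-1-5-80) and application pool virtual account SIDs
(S-1-5-82) from their names.

Added example, not code from the original article. The article gives the
service SID formula as S-1-5-80-{SHA-1(upper-case name in UTF-16)} and says
application pool identities hash the lower-case name; this code assumes the
20-byte digest is split into five little-endian 32-bit subauthorities.
"""
import hashlib
import struct

SERVICE_CLASS = 80      # NT SERVICE\<name>
APPPOOL_CLASS = 82      # IIS AppPool\<name>
ALL_SERVICES_SID = "S-1-5-80-0"   # the one member of the class that is not hashed


def _digest_subauthorities(normalized_name: str) -> tuple:
    # Windows hashes the UTF-16LE bytes of the name; SHA-1 yields 20 bytes,
    # which is exactly five 32-bit subauthorities.
    digest = hashlib.sha1(normalized_name.encode("utf-16-le")).digest()
    return struct.unpack("<5I", digest)


def service_sid(service_name: str) -> str:
    """S-1-5-80-<five subauthorities> for NT SERVICE\\<service_name>."""
    if not service_name:
        raise ValueError("service name must not be empty")
    # str.upper() matches Windows' upper-casing for ASCII service names;
    # non-ASCII names may be case-mapped differently by the OS.
    subs = _digest_subauthorities(service_name.upper())
    return f"S-1-5-{SERVICE_CLASS}-" + "-".join(map(str, subs))


def apppool_sid(pool_name: str) -> str:
    """S-1-5-82-<five subauthorities> for IIS AppPool\\<pool_name>."""
    if not pool_name:
        raise ValueError("application pool name must not be empty")
    subs = _digest_subauthorities(pool_name.lower())
    return f"S-1-5-{APPPOOL_CLASS}-" + "-".join(map(str, subs))


def is_class_member(sid: str, subauthority_class: int) -> bool:
    """True for any SID under the given S-1-5-<class> virtual account class."""
    parts = sid.split("-")
    return parts[:4] == ["S", "1", "5", str(subauthority_class)]


if __name__ == "__main__":
    print("NT SERVICE\\dnscache        ->", service_sid("dnscache"))
    print("IIS AppPool\\DefaultAppPool ->", apppool_sid("DefaultAppPool"))
```

Because the SID is a pure function of the name, an ACL can grant a service access before the service is ever installed, and two services with the same name on different machines share a SID even though no account was ever created for either; that is the property service isolation relies on, and also why a service SID in an ACL cannot be resolved by a lookup against local accounts.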

Duplicated SIDs

In a workgroup of computers running Windows NT, 2000 or XP, it is possible for a user to gain unexpected access to shared files or to files stored on removable storage. Access to such a file is controlled by its access control list, whose effective permissions are evaluated against the user's SID. If that user SID is duplicated on another computer, a user of the second computer holding the same SID gains whatever access the user of the first computer granted to it. This happens when machine SIDs are duplicated by disk cloning (common with pirated copies), because local user SIDs are built from the machine SID plus a sequential relative ID.

When the computers are joined to a domain (an Active Directory or NT domain, for instance), each computer is issued a unique SID within the domain, recomputed each time the computer joins a domain. This SID is structured like the machine SID. As a result, there are typically no significant problems with duplicate SIDs when the computers are domain members, especially if local user accounts are not used. If local user accounts are used, a potential security issue similar to the one described above remains, but it is limited to the files and resources protected by local users rather than by domain users.

Duplicated SIDs are usually not a problem for Windows itself, although third-party programs that use the machine SID for identification may behave unexpectedly.

Microsoft used to provide Mark Russinovich's NewSID utility as part of Sysinternals to change a machine SID.[13] It was retired and removed from download on November 2, 2009. Russinovich's explanation is that neither he nor the Windows security team could think of any situation in which duplicate machine SIDs would cause a problem, because machine SIDs are never used to gate network access.[14]

At present, the only supported mechanism for duplicating Windows disks is Sysprep, which generates new SIDs.

See also

  • Access control
  • Access Control Matrix
  • Discretionary Access Control (DAC)
  • Globally Unique Identifier (GUID)
  • Mandatory Access Control (MAC)
  • Role-Based Access Control (RBAC)
  • Capability-based security
  • Post-cloning operations
References

  1. "Well-known security identifiers in Windows operating systems". support.microsoft.com. Retrieved 12 December 2019.
  2. openspecs-office. "[MS-DTYP]: Well-Known SID Structures". docs.microsoft.com. Retrieved 2020-09-03.
  3. See the "Custom Principals" section of https://msdn.microsoft.com/en-us/library/aa480244.aspx
  4. "Larry Osterman's WebLog".
  5. "Example impact of Microsoft Accounts on Windows APIs in Windows 8/8.1". Windows SDK Support Team Blog. blogs.msdn.microsoft.com.
  6. "Security identifiers". support.microsoft.com. 28 August 2021. Retrieved 2020-09-02.
  7. "Some SIDs do not resolve into friendly names". support.microsoft.com. 24 September 2021. Retrieved 2020-09-02.
  8. lastnameholiu. "Capability SID Constants (Winnt.h) - Win32 apps". docs.microsoft.com. Retrieved 2020-09-02.
  9. "Accounts Everywhere: part 1, Virtual Accounts". 1E. 2017-11-24. Retrieved 2020-09-02.
  10. "IIS AppPool Identity SIDs". winterdom. 2020-09-02.
  11. "MS TechNet NewSID Utility - How It Works". Knowledge Base. Microsoft. November 1, 2006. Retrieved 2008-08-05.
  12. "Windows Service Isolation Feature". Windows IT Pro. June 6, 2012. Retrieved December 7, 2012.
  13. "NewSID v4.10". Windows Sysinternals. Microsoft. 2006-11-01.
  14. Russinovich, Mark (2009-11-03). "The Machine SID Duplication Myth". TechNet Blogs. Microsoft.

External links

  • Official
    • ObjectSID and Active Directory
    • Microsoft TechNet: Server 2003: Security Identifiers Technical Reference
    • MSKB154599: How to Associate a Username with a Security Identifier
    • MSKB243330: Well-known security identifiers in Windows operating systems
    • Support tools for Windows Server 2003 and Windows XP
    • Security Identifiers - Windows Security docs
  • Other
    • Why Understanding SIDs is Important
    • Microsoft Security Descriptor (SID) Attributes : Tutorial Article about SID handling / converting in scripts
