Security Identifier

  1. Overview

  2. Identifier Authority Values

  3. Duplicated SIDs

  4. Machine SIDs

      4.1 Decoding Machine SID
      4.2 Other Uses

  5. Service SIDs

  6. See also

  7. References

  8. External links

In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life (in a given domain), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.

Overview

Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs into a computer, an access token is generated that contains the user and group SIDs and the user's privilege level. When the user requests access to a resource, the access token is checked against the ACL to permit or deny a particular action on a particular object.

SIDs are useful for troubleshooting issues with security audits and with Windows server and domain migrations.

The format of a SID can be illustrated using the following example: "S-1-5-21-3623811015-3361044348-30300820-1013":

  • S: the string is a SID.
  • 1: the revision level (the version of the SID specification).
  • 5: the identifier authority value.
  • 21-3623811015-3361044348-30300820: the domain or local computer identifier.
  • 1013: a Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.

Identifier Authority Values

Possible identifier authority values are:

Decimal | Name                        | Display Name      | First Introduced    | References | Notes
--------|-----------------------------|-------------------|---------------------|------------|------------------------------------------------------------------
0       | Null Authority              |                   |                     |            | e.g. "Nobody"
1       | World Authority             | (not shown)       |                     |            | e.g. well-known groups such as "Everyone"
2       | Local Authority             | (not shown)       |                     |            | e.g. flag SIDs like "CONSOLE LOGON"
3       | Creator Authority           |                   |                     |            |
4       | Non-unique Authority        |                   |                     |            |
5       | NT Authority                | NT AUTHORITY\     |                     |            | Managed by the NT security subsystem. There are many sub-authorities such as "BUILTIN" and every Active Directory domain.
9       | Resource Manager Authority  |                   | Windows Server 2003 | [1][2]     |
11      | Microsoft Account Authority | MicrosoftAccount\ |                     |            |
12      | Azure Active Directory      | AzureAD\          | Windows 10          |            |
16      | Mandatory Label             | Mandatory Label\  | Windows Vista       |            | Used as part of Mandatory Integrity Control

Duplicated SIDs


In a workgroup of computers running Windows NT/2K/XP it is possible for a user to have unexpected access to shared files or to files stored on removable storage. This can be circumvented by setting access control lists on a susceptible file; the effective permissions are then determined by the user SID. If this user SID is duplicated on another computer (because the computer SID is duplicated, and user SIDs are built from the computer SID plus a sequential number), a user of the second computer having the same SID could gain access to the files that the user of the first computer has protected.

When the computers are joined into a domain (Active Directory or NT domain for instance), each computer has a unique Domain SID which is recomputed each time a computer enters a domain. Thus there are typically no significant problems with duplicated SIDs when the computers are members of a domain, especially if local user accounts are not used. If local user accounts are used, there is a potential security issue similar to the one described above, but the issue is limited to the files and resources protected by local users, as opposed to by domain users.

Duplicated SIDs are usually not a problem with Microsoft Windows systems. Microsoft used to provide the "NewSID" utility to change a machine SID.[3]

Other programs that detect SIDs might have problems with their security.

After NewSID's retirement, Microsoft engineer Mark Russinovich posted an article on his blog[4] explaining the retirement of NewSID, stating that, contrary to commonly accepted wisdom, neither he nor the Windows security team could think of any situation in which duplicate SIDs could cause any problems at all.

On November 1, 2009, Microsoft added the following to the NewSID download page:

  "Note: NewSID will be retired from Sysinternals on November 2, 2009."

At present, the only supported mechanism for duplicating disks for Windows operating systems is through use of SysPrep.

Machine SIDs

The machine SID is stored in the SECURITY registry hive located at SECURITY\SAM\Domains\Account. This key has two values, F and V. The V value is a binary value that has the computer SID embedded at the end of its data (the last 96 bits).[5]

  • "NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID."
    • From NewSID readme.

Decoding Machine SID

  "The SID number is used in file, registry, service and users permissions. The machine SID is determined in hexadecimal form from here:
    • regedit.exe: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
    • explorer.exe: \%windir%\system32\config\SAM

  If the SAM file is missing at startup, a backup is retrieved in hexadecimal form here:
    • regedit.exe: \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
    • explorer.exe: \%windir%\system32\config\SECURITY

  Sometimes the SID number is referenced in decimal form."[6]

Example: 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B

  1) Divide the bytes into 3 sections:
     2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B
  2) Reverse the order of bytes in each section:
     40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07
  3) Convert each section into decimal:
     1085031214 - 1563985344 - 725345543
  4) Add the machine SID prefix:
     S-1-5-21-1085031214-1563985344-725345543
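As an added example (not code from the original article), the following Python splits a textual SID into the components listed in the Overview and applies the four-step decoding above to the 12-byte tail of the V value. The names parse_sid, Sid, machine_sid_from_v and SAMPLE_V are chosen here, and the filler bytes in front of the sample's 12-byte tail are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")  # S-<revision>-<authority>-<sub-authorities>

@dataclass
class Sid:
    revision: int               # 1 = version of the SID specification
    identifier_authority: int   # e.g. 5 = NT Authority
    sub_authorities: List[int]  # issuer identifier followed by the RID

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]  # the last sub-authority is the Relative ID

    @property
    def issuer(self) -> str:
        # Everything before the RID identifies the issuing domain or local computer.
        return "S-%d-%d-%s" % (self.revision, self.identifier_authority,
                               "-".join(map(str, self.sub_authorities[:-1])))

    @property
    def is_default_principal(self) -> bool:
        return self.rid < 1000  # principals created by default use RIDs below 1000

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.identifier_authority,
                               "-".join(map(str, self.sub_authorities)))

def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text)
    if not m:
        raise ValueError("not a textual SID: %r" % text)
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return Sid(int(m.group(1)), int(m.group(2)), subs)

def machine_sid_from_v(v_data: bytes) -> str:
    # The machine SID is the last 12 bytes of the SAM 'V' value: three 32-bit
    # sub-authorities stored little-endian, which is why step 2 reverses bytes.
    if len(v_data) < 12:
        raise ValueError("V value too short to hold a machine SID")
    tail = v_data[-12:]
    subs = [int.from_bytes(tail[i:i + 4], "little") for i in range(0, 12, 4)]
    return "S-1-5-21-" + "-".join(map(str, subs))

# Constructed sample: 8 filler bytes followed by the 12 bytes decoded above.
SAMPLE_V = bytes(8) + bytes.fromhex("2E43AC40C085385D07E53B2B")
```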

Other Uses

The machine SID is also used by some free-trial programs, such as Start8, to prevent a computer from restarting the trial, though experienced users can easily change the machine SID.

Service SIDs

Service SIDs are a feature of service isolation, a security feature introduced in Windows Vista and Windows Server 2008.[7]

Any service with the "unrestricted" SID-type property will have a service-specific SID added to the access token of the service host process.

The purpose of Service SIDs is to allow permissions for a single service to be managed without necessitating the creation of service accounts, an administrative overhead.

Each service SID is a local, machine-level SID generated from the service name using the following formula:

S-1-5-80-{SHA-1(service name in upper case)}

The sc.exe utility can be used to generate the service SID for an arbitrary service name:

  sc.exe showsid dnscache

  NAME: dnscache
  SERVICE SID: S-1-5-80-859482183-879914841-863379149-1145462774-2388618682
  STATUS: Active

The service can also be referred to as NT SERVICE\ followed by the service name (e.g. "NT SERVICE\dnscache").
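An added example, not part of the article or of Microsoft's sc.exe: the derivation above in Python, plus a helper that resolves an S-1-5-80 SID found in an ACL back to a service name by recomputing the SIDs of candidate names. It assumes two details the page does not state, namely that the hash covers the UTF-16LE encoding of the upper-cased name and that the digest is read as five little-endian 32-bit sub-authorities; service_sid, is_service_sid, resolve_service_sid and KNOWN_SERVICES are names chosen here, and the candidate list is constructed.

```python
import hashlib
from typing import Iterable, Optional

SERVICE_SID_PREFIX = "S-1-5-80-"


def service_sid(service_name: str) -> str:
    # Service SID = S-1-5-80-{SHA-1(service name in upper case)}.
    # Assumed details the page does not spell out: the hash is taken over the
    # UTF-16LE encoding of the upper-cased name, and the 20-byte digest is read
    # as five little-endian 32-bit sub-authorities.
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subs = [int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4)]
    return SERVICE_SID_PREFIX + "-".join(map(str, subs))


def is_service_sid(sid: str) -> bool:
    # A service SID carries the fixed S-1-5-80 authority/sub-authority pair
    # followed by exactly five numeric sub-authorities (160 bits of SHA-1).
    parts = sid.split("-")
    return (parts[:4] == ["S", "1", "5", "80"] and len(parts) == 9
            and all(p.isdigit() for p in parts[4:]))


def resolve_service_sid(sid: str, candidate_names: Iterable[str]) -> Optional[str]:
    # The mapping is one-way, so an unknown S-1-5-80-... SID seen in an ACL is
    # identified by recomputing the SID of every candidate service name.
    for name in candidate_names:
        if service_sid(name) == sid:
            return name
    return None


# Constructed candidate list, e.g. the names an administrator gets from `sc query`.
KNOWN_SERVICES = ["Dhcp", "dnscache", "EventLog", "W32Time"]
```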

See also

  • Access control
  • Access Control Matrix
  • Discretionary Access Control (DAC)
  • Globally Unique Identifier (GUID)
  • Mandatory Access Control (MAC)
  • Role-Based Access Control (RBAC)
  • Capability-based security
  • Post-cloning operations

References

1. See the "Custom Principals" section on https://msdn.microsoft.com/en-us/library/aa480244.aspx
2. http://blogs.msdn.com/larryosterman/archive/2004/09/01/224051.aspx
3. "NewSID v4.10", Windows Sysinternals, Microsoft, 2006-11-01. https://technet.microsoft.com/en-us/sysinternals/bb897418.aspx
4. Mark Russinovich, "The Machine SID Duplication Myth", TechNet Blogs, Microsoft, 2009-11-03. http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx
5. "MS TechNet NewSID Utility - How It Works", Knowledge Base, Microsoft, November 1, 2006 (accessed 2008-08-05). https://technet.microsoft.com/en-us/sysinternals/bb897418.aspx
6. Security Accounts Manager, clark@hushmail.com
7. "Windows Service Isolation Feature", Windows IT Pro, June 6, 2012 (accessed December 7, 2012). http://www.windowsitpro.com/article/authentication/windows-service-isolation-143215

External links

  • Official
    • ObjectSID and Active Directory
    • Microsoft TechNet: Server 2003: Security Identifiers Technical Reference (https://technet.microsoft.com/en-us/library/cc782090.aspx)
    • MSKB154599: How to Associate a Username with a Security Identifier
    • MSKB243330: Well-known security identifiers in Windows operating systems
    • Support tools for Windows Server 2003 and Windows XP
  • Other
    • Why Understanding SIDs is Important
    • Microsoft Security Descriptor (SID) Attributes : Tutorial Article about SID handling / converting in scripts

