Security Identifier
From Wikipedia, the free encyclopedia

In the context of the Microsoft Windows NT line of operating systems, a Security Identifier
(commonly abbreviated SID) is a unique name (an alphanumeric character string) assigned by a
Windows domain controller during the logon process and used to identify a subject, such as a
user or a group of users, in a network of NT/2000 systems.

Contents

1 Overview
2 Well-known security identifiers
3 Duplicated SIDs
4 Retirement Notice
5 Machine SIDs
5.1 Decoding Machine SID
6 See also
7 References
8 External links

Overview

Windows grants or denies access and privileges to resources based on access control lists (ACLs),
which use SIDs to uniquely identify users and their group memberships. When a user logs into a
computer, an access token is generated that contains user and group SIDs and user privilege level.
When a user requests access to a resource, the access token is checked against the ACL to
permit or deny particular action on a particular object.

SIDs are useful for troubleshooting issues with security audits, Windows server and domain
migrations.

The format of an SID can be illustrated using the following example:
"S-1-5-21-3623811015-3361044348-30300820-1013"

S                                   The string is a SID.
1                                   The revision level (the version of the SID specification).
5                                   The identifier authority value.
21-3623811015-3361044348-30300820   Domain or local computer identifier.
1013                                A Relative ID (RID). Any group or user that is not created by
                                    default will have a Relative ID of 1000 or greater.

Possible identifier authority values are:

0 - Null Authority
1 - World Authority
2 - Local Authority
3 - Creator Authority
4 - Non-unique Authority
5 - NT Authority
9 - Resource Manager Authority[1][2]

Well-known security identifiers

A number of "well-known" security identifiers are defined by the operating system so as to ensure
that specific system accounts can always be found. Microsoft maintains a complete list of these
identifiers in a knowledge base article.[3]

SID               Description
S-1-5-18          Local System, a service account that is used by the operating system.
S-1-5-19          NT Authority, Local Service
S-1-5-20          NT Authority, Network Service
S-1-5-domain-500  A user account for the system administrator. By default, it is the only user
                  account that is given full control over the system.
S-1-5-domain-501  Guest user account for people who do not have individual accounts. This user
                  account does not require a password. By default, the Guest account is disabled.
S-1-5-domain-512  Domain Admins - a global group whose members are authorized to administer
                  the domain. By default, the Domain Admins group is a member of the
                  Administrators group on all computers that have joined a domain, including
                  the domain controllers. Domain Admins is the default owner of any object that
                  is created by any member of the group.
S-1-5-domain-513  Domain Users.
S-1-5-domain-514  Domain Guests - A global group that, by default, has only one member, the
                  domain's built-in Guest account.

Duplicated SIDs


The problem with duplicated SIDs in a Workgroup of computers running Windows NT/2K/XP is only
related to different user accounts having the same SID. This could lead to unexpected access to
shared files or files stored on removable storage: if access control lists are set on a file, the
actual permissions are associated with a user SID. If this user SID is duplicated on another
computer (because the computer SID is duplicated, and user SIDs are built from the computer
SID plus a sequential number), a user of the second computer with the same SID could gain access
to the files that the user of the first computer has protected.

When the computers are joined into a domain (Active Directory or an NT domain, for instance),
each computer has a unique Domain SID which is recomputed each time a computer enters a
domain. Thus there are usually no real problems with duplicated SIDs when the computers are
members of a domain, especially if local user accounts are not used. If local user accounts are
used, there is a potential security issue that is the same as the one described above for a
Workgroup, but it affects only the files and resources protected by local users, not by domain
users.

In other words, duplicated SIDs are usually not a problem with Microsoft Windows systems.
However, Microsoft does provide the "NewSID" utility to change a machine SID.[4] Other programs
that detect SIDs might, however, have problems with its security.

After NewSID's retirement, Microsoft engineer Mark Russinovich posted an article on his blog[5]
explaining the retirement of NewSID, stating that neither he nor the Windows security team could
think of any situation where duplicate SIDs could cause any problems at all, contrary to commonly
accepted wisdom.

Retirement Notice

On November 1st, 2009, Microsoft added the following to the NewSID download page:

Note: NewSID will be retired from Sysinternals on November 2, 2009.

At present, the only supported mechanism for duplicating disks for Windows operating systems is
through use of SysPrep.

Machine SIDs

The machine SID is stored in the SECURITY registry hive located at SECURITY\SAM\Domains\Account;
this key has two values, F and V. The V value is a binary value that has the computer SID embedded
within it at the end of its data (last 96 bits).[6]

"NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded
by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer.
NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the
96-bits of the 3 subauthority values that make up a computer SID."
From NewSID readme.

Decoding Machine SID

The SID number is used in file, registry, service and users permissions. The machine SID is
determined in hexadecimal form from here:
regedit.exe -> \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
explorer.exe -> \%windir%\system32\config\SAM
If the SAM file is missing at startup, a backup is retrieved in hexadecimal form here:
regedit.exe -> \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
explorer.exe -> \%windir%\system32\config\SECURITY
Sometimes the SID number is referenced in decimal form.
Security Accounts Manager, clark @hushmail.com

Example: 2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B

1) Divide the bytes into 3 sections: 2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B

2) Reverse the order of bytes in each section: 40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07

3) Convert each section into decimal: 1085031214 - 1563985344 - 725345543

4) Add the machine SID prefix: S-1-5-21-1085031214-1563985344-725345543
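The hand procedure above, together with the SID string layout from the Overview, as an added Python example (not code from the article or from Microsoft's tools): it decodes the trailing 12 bytes of the V value into the machine SID, splits a SID string into its fields, names the well-known RIDs from the table, and checks whether a local account SID was minted under a given machine SID, which is the collision condition the Duplicated SIDs section describes. The `Sid` class and the `parse_sid`, `decode_machine_sid`, `describe_rid` and `same_machine` helpers are my own names; the sample bytes are the ones from the worked example.

```python
import struct
from dataclasses import dataclass

# Well-known domain-relative RIDs, taken from the table in the article.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}

@dataclass
class Sid:
    revision: int
    authority: int
    subauthorities: list  # domain/machine identifier values, RID last

    def __str__(self):
        return "S-%d-%d%s" % (self.revision, self.authority,
                              "".join("-%d" % s for s in self.subauthorities))

    @property
    def rid(self):
        return self.subauthorities[-1]

def parse_sid(text):
    """Split 'S-<revision>-<authority>-<subauthority>...-<RID>' into fields."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string: %r" % text)
    return Sid(int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]])

def decode_machine_sid(v_value):
    """Rebuild the machine SID from the V value: its last 12 bytes are three
    little-endian 32-bit subauthorities (hence the byte reversal in step 2)."""
    if len(v_value) < 12:
        raise ValueError("V value shorter than 12 bytes")
    return Sid(1, 5, [21, *struct.unpack("<III", v_value[-12:])])

def describe_rid(sid):
    """Name a well-known RID, or flag a non-default account (RID >= 1000)."""
    if sid.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[sid.rid]
    return "custom account" if sid.rid >= 1000 else "other built-in RID"

def same_machine(account_sid, machine_sid):
    """True if account_sid was issued under machine_sid; such accounts collide
    with those of any other host that shares the same machine SID."""
    return (account_sid.authority == 5 and
            account_sid.subauthorities[:-1] == machine_sid.subauthorities)

# Constructed input: the 12 bytes from the article's worked example.
V_TAIL = bytes.fromhex("2E43AC40C085385D07E53B2B")
```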

See also

Access control
Access Control Matrix
Discretionary Access Control (DAC)
Globally Unique Identifier (GUID)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Capability-based security
Post-cloning operations

References

1. ^ See "Custom Principals" section on http://msdn.microsoft.com/en-us/library/aa480244.aspx
2. ^ http://blogs.msdn.com/larryosterman/archive/2004/09/01/224051.aspx
3. ^ "Well-known security identifiers in Windows operating systems (MSKB 243330)". Knowledge Base. Microsoft. February 28, 2007. Retrieved 2007-12-08.
4. ^ "NewSID v4.10". Windows Sysinternals. Microsoft. 2006-11-01.
5. ^ Russinovich, Mark (2009-11-03). "The Machine SID Duplication Myth". TechNet Blogs. Microsoft.
6. ^ "MS TechNet NewSID Utility - How It Works". Knowledge Base. Microsoft. November 1, 2006. Retrieved 2008-08-05.

External links

How to Associate a Username with a Security Identifier
NewSID - How to change SID on cloned system
Why Understanding SIDs is Important
Support tools for Windows Server 2003 and Windows XP
Well known SIDs
Microsoft Security Descriptor (SID) Attributes: Tutorial Article about SID handling / converting in
scripts

Categories: Identifiers | Microsoft Windows security technology | Universal identifiers | Windows NT architecture

This page was last modified on 12 October 2010 at 09:31.
