Friday, November 9, 2012

Understanding SIDs

Sometimes times while we are working in the ACL of an object in any computer (especially a domain computer), we found one or more entries with the following format: S-1-5-21-1934748396-2879691208-1016013054-1145 (If our computers are slow enough, we are able to see those numbers before they turn into the actual user or group names).

Those numbers are known as security identifiers and represent a security principal in any Windows computer. Security principal? Ok, let’s start again.

The security model of Windows is based on the subject-action-object tuple. For instance, John Smith (the subject) needs to read documents (the action) in the accounting folder (the object). I’ll talk later about actions and objects, let’s focus now on subjects. Subjects are any entities that can be granted permissions to access an object, they can be users, groups or services. In the Windows language, subjects are Security Principals and each Security Principal has a unique identifier: a SID.

SIDs are composed by the following elements:
Literal “S” - <Revision Level> - <Identifier Authority> - <First Sub Authority + other Sub Authorities> - <Relative Identifier>

Confusing? Let’s check what each part means:
  • Literal “S”: All SIDs starts with an “S” which I think it means the identifier is a Security Identifier”.
  •  <Revision Level>: currently is always 1.
  • <Identifier Authority>: Denotes which entity has issued the SID. Don’t think about the Identifier Authority as an actual object (server, domain, etc.), but as an abstract identity that represents the world (everybody), a local authority (the actual system), a creator (a subject that creates objects) or the NT authority (the actual Windows operating system).Thus, the following values are valid for the Identifier Authority component:

SECURITY_NULL_SID_AUTHORITY. Used when the identifier authority is unknown. For instance, the SID S-1-0-0 represents Nobody (no security principal)
SECURITY_WORLD_SID_AUTHORITY. Used for SIDs that represent all users. For instance, the group Everyone has the following SID: S-1-1-0
SECURITY_LOCAL_SID_AUTHORITY. Used to represent users who logon physically on local terminals. For instance the SID S-1-2-0 represents all users that have logged on locally.
SECURITY_CREATOR_SID_AUTHORTY. When a SID with this Identifier Authority is on the ACL list of an object, it will be replaced by the SID of the user of group on the inheritable objects. (I will create a post about this later).
SECURITY_NT_SID_AUTHORITY. The actual Windows operating system. All the users you’ll create will start with S-1-5
  •  <First Sub Authority + other Sub Authorities>: Denotes a second level of abstract authorities. The most common used values you will see here are:

5 or 6
Represents sessions or processes.
SECURITY_NT_NON_UNIQUE. This is the one you’ll see in the users or groups created in your domain or local computer. They will start with S-1-5-21 and be followed by three other numbers that represent your domain or local computer (see the example at the beginning).
SECURITY_BUILTIN_DOMAIN_RID. Used for SIDs that represent built-in users or groups. For example, the SID S-1-5-32-544 represent the built-in administrators group.
SECURITY_SERVICE_ID_BASE_RID. Used to represent SID for services.
  •  <Relative Identifier>: Also known as RID, is the last part of the SID and represent the actual unique ID of the subject within its authorities. The subjects you’ll create will have s random number as RID, but there are also know RID numbers:

Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Built-In Administrators
Built-In Users
Built-In Guests
Built-In Power Users
Built-In Account Operators
Built-In Print Operators
Built-In Backup Operators
You can see more know SIDs on

Let’s go back to our example at the beginning:

S-1 means it a SID revision level 1.
21 means that it’s a domain or local account.
1934748396-2879691208-1016013054 is the domain ID.
1145 is the unique RID within the domain.

Where are SIDs used?

The main purpose of SIDs is to be used in objects’ ACLs.

How can I get the SID of a subject?

If you are in a domain, you can use the Active Directory Users and Computers snap-in with the advances features enabled (View/Advanced features…) to display the properties of an object and then select its Attribute Editor tab:

You can also use Power Shell:
$user = New-Object System.Security.Principal.NTAccount("Administrator")
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])

This will get the SID of the local Administrator. If you want to get the SID of a domain subject, use the following script:
$user = New-Object System.Security.Principal.NTAccount(“domain”, "Administrator")
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])

Lastly, I want to mention that the SIDs are also used in the registry to record the settings and profile of each user. You can see (and edit) them in the HK_USERS key. I actually had an issue a while ago with a user profile that somehow got corrupted. I had to get the SID of the user and manually dig on the registry to delete all references to that profile. After doing that, I was able to recreate the profile (be careful of modifying the registry, this is not the recommended solution of cleaning up a profile and in this case it was the only way I could do it).

I hope you enjoyed this post!

1 comment: