Tuesday, December 24, 2013

Security Identifiers in Microsoft Windows

A Security Identifier (SID) is an alphanumeric (mostly numeric) string that is used to represent a security principal. A security principal may be a user, a group, a computer, or a service.

   Subject(Security Principal)-------Accesses-------->Objects

Each object (a file, for example) in Microsoft Windows has an associated Access Control List (ACL). When we assign permissions to a security principal over an object, the operating system writes the permissions in the ACL against the security principal's security identifier.

Security Identifiers are also part of the ticket granting server in a domain. Inside a domain the SID is always unique (it may not be unique universally).

Composition of an SID

Below are 3 examples of SIDs:

S-1-5-80-2639291829-767035215-3510963033-3734144485-3832470211
S-1-5-80-167798707-2992289499-228648626-2823606389-3827609590
S-1-5-80-1591580229-2093530990-3506924748-295743206-3912932562

SIDs may seem complex and very difficult to understand, but once you know the composition of an SID you will be able to tell what a given SID means. As a Microsoft Windows professional you should have at least a basic understanding of the SID and its composition. The following points explain each position from left to right.


1 - All SIDs begin with the letter 'S', so whenever you come across an SID it will begin with an 'S'.

2 - SIDs always end with a Relative Identifier (RID). The RID is the last component of the SID: a number used to uniquely identify a security principal within a scope. The scope may be a stand-alone system or a domain. On a stand-alone machine the RID is created by the Local Security Authority (LSA); in a domain the RID is created by Active Directory. RIDs are best explained by the following list of popular RIDs in Windows:

Administrator (user): RID 500
Guest (user): RID 501
Domain Admins (group): RID 512
Built-in Administrators (group): RID 544

From the above list you will see that RIDs are not just for users but for groups as well; in fact, services have RIDs too. The SID S-1-5-6 tells you that the SID holder is a SERVICE. Here 6 is the RID for the SERVICE identifier.

3 - The second component of the SID is the revision level. Currently (as of Windows Server 2008 R2) the revision is 1, so every SID you come across will begin with S-1.

4 - The next component is the SID issuing authority. This tells you what sort of scope the SID belongs to. If this value is 5, then a domain controller is the one that issued the SID. The SIDs of all security principals that are part of a domain begin with S-1-5.

5 - The next component is the sub-authority. If it is 32, it refers to something that is built in to the domain. For example, the SID for the built-in administrator of a domain is S-1-5-32-544, where 544 is the RID for the built-in domain administrator. The built-in administrator is the administrator user of a domain, created automatically when the domain is created. The number of sub-authorities is not fixed; there can be many sub-authorities in an SID. The sub-authority chain can be explained with the help of the following diagram of the SID structure.

Figure 1: Components of a Security Identifier
The chain of sub-authorities uniquely identifies the domain/sub-domain in an enterprise.

The majority of the SIDs associated with users begin with S-1-5-21, as the IDs of users within a domain/tree (scope) are not guaranteed to be universally unique.


Uniqueness of an SID

This domain identifier may not be globally/universally unique, as an identifier for a domain/sub-domain with exactly the same values may be present in another enterprise.
SIDs do not claim to be universally unique. S-1-5-32-544 will be the same for all domains. There will not be a clash, as the space in which the SID for the built-in administrator is defined is disjoint from the space in which another domain might use the same SID for assigning permissions.
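The composition described in points 1 to 5 above and the scope comparison in this section, as an added worked example that is not code from the original post: a small Python parser that splits an SID string into its revision, identifier authority, sub-authority chain and RID, labels the well-known values the post names (RIDs 500, 501, 512, the built-in domain S-1-5-32-544 and the SERVICE SID S-1-5-6), and reports whether two SIDs were issued by the same scope. The domain SIDs it runs on are constructed from the digits of the post's example SIDs and are not real accounts; the 15-sub-authority and 32-bit limits are those of the binary SID format; all function and class names are the example's own.

```python
"""Added example: decompose Windows SID strings into their components.

Not code from the original post. Well-known values are the ones the post
names; the sample domain SIDs below are constructed, not real accounts.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Domain RIDs only mean something inside a domain/machine scope (S-1-5-21-...).
DOMAIN_RIDS: Dict[int, str] = {
    500: "Administrator (user)",
    501: "Guest (user)",
    512: "Domain Admins (group)",
}
# Fixed SIDs that read the same on every domain and machine.
WELL_KNOWN_SIDS: Dict[str, str] = {
    "S-1-5-6": "SERVICE",
    "S-1-5-32-544": "Built-in Administrators (group)",
}

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")
MAX_SUB_AUTHORITIES = 15  # limit of the binary SID layout (SID_MAX_SUB_AUTHORITIES)


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.identifier_authority),
                         *map(str, self.sub_authorities)])

    @property
    def rid(self) -> Optional[int]:
        """The last component; a bare S-1-5 has no RID."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_identifier(self) -> Tuple[int, ...]:
        """Sub-authorities before the RID: the scope that issued the RID."""
        return self.sub_authorities[:-1]

    @property
    def is_builtin(self) -> bool:
        return self.identifier_authority == 5 and self.domain_identifier == (32,)

    @property
    def is_domain_scoped(self) -> bool:
        """S-1-5-21-x-y-z-RID: a principal of a domain or stand-alone machine."""
        return (self.identifier_authority == 5
                and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)


def parse_sid(text: str) -> Sid:
    """Parse the S-R-A-S1-...-Sn form; reject shapes the binary format cannot hold."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).split("-") if s)
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:
        raise ValueError("identifier authority exceeds 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"more than {MAX_SUB_AUTHORITIES} sub-authorities")
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority exceeds 32 bits")
    return Sid(revision, authority, subs)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def same_scope(a: Sid, b: Sid) -> bool:
    """True when both SIDs were issued by the same domain/machine (same identifier chain)."""
    return (a.identifier_authority == b.identifier_authority
            and a.domain_identifier == b.domain_identifier)


def describe(text: str) -> Dict[str, object]:
    """Name the components and, where the post gives one, the well-known meaning."""
    sid = parse_sid(text)
    scope = ("built-in" if sid.is_builtin
             else "domain" if sid.is_domain_scoped
             else "well-known" if not sid.domain_identifier
             else "other")
    name: Optional[str] = WELL_KNOWN_SIDS.get(str(sid))
    if name is None and sid.is_domain_scoped and sid.rid in DOMAIN_RIDS:
        name = DOMAIN_RIDS[sid.rid]  # RID 500 stays 500 even if the account is renamed
    return {"revision": sid.revision, "authority": sid.identifier_authority,
            "domain_identifier": sid.domain_identifier, "rid": sid.rid,
            "scope": scope, "name": name}


if __name__ == "__main__":
    # Constructed samples: the last one reuses digits from the post's examples.
    for s in ["S-1-5-32-544", "S-1-5-6", "S-1-5-21-2639291829-767035215-3510963033-500"]:
        print(s, describe(s))
```

The `same_scope` check is the point of the uniqueness section in code: two SIDs that share the full S-1-5-21-x-y-z chain came from the same domain or machine, while S-1-5-32-544 has no such chain and is therefore identical everywhere, which is why an ACL entry for it grants to the local built-in group rather than to any one domain's account.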

About the Author: Saquib Farooq Malik is a senior Information Security Consultant at ITButler e-Services (www.itbutler.com.au). Saquib specializes in Vulnerability Assessment and Penetration Testing, and in implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.
