Friday, April 1, 2016

SID - Security Identifier

Everybody shall have some idea of what a SID (security identifier) is.
There are plenty of information about SIDs on the Internet.

I do not intend to bore anyone copying and pasting, but the fact is or seems to be that information is split and scattered making it difficult to be used. I do not intend to touch on the subject of its implementation details.

What it seems more reasonable in addition to a basic understanding of its purpose, which everybody already or should know well, is its very basic structure and well-known values (generics) as used by Windows systems to which interoperability is required at some point, typically on ACLs of SMB shares.

As most things in Windows world, SIDs are also confusing, both with respect to its own concepts and with respect to other affine concepts such as GUIDs and so on... The bad news is that of course this is probably not getting any better in the near future. So we have to live with it :-(

What I'll attempt is summarizing what's found (at least for now) (at the time of this writing) on two Microsoft sources (MSDN API and References section 2.4.2 and Support KB243330). I believe that the way I display the information is better than what's found on these official references. Anyway...

BASIC STRUCTURE

As you may already have noted, a SID has variable length but always start with the letter S in a prefix that is usually S-1. What this means is that we are dealing with a version 1 SID (I still haven't seen nor have had any interest in looking for other versions).

What follows (separated by another dash) is called the Authority. Please, don't ask me why (I didn't invent this) it's called like that nor if it makes any sense to have such ones numbered and named as follows:
  • 0 - Null
  • 1 - World
  • 2 - Local
  • 3 - Creator
  • 4 - Non-unique
  • 5 - NT
  • other unknowns: 15, 16, 18

What shall more frequently appears hence is the prefix S-1-5.

The following remaining parts (delimited by dashes) of the SID are called SubAuthorities (so, at a minimum, one infers, presumes, each one is dependent on the other that follows).

If the first SubAuthority, in general (as there are exceptions as for the 84!), is the 21 (you know, don't ask me why this value!), then it will be necessarily followed by three more SubAuthorities which together will denote a certain domain (or a machine). It may happen that the domain be, in fact, the root domain (the first domain that is created in an Active Directory forest infrastructure).

So, it will be usual to come to a SID that starts with something such as:
S-1-5-21-1111111111-222222222-3333333333
where (the three fictitious SubAuthorities delimited by dashes):
1111111111-222222222-3333333333
denote (identify) a certain domain or machine.

Finally, the last SubAuthority (but again there are exceptions, such as on the SID 1-5-5-X-Y), that follows the domain / machine id (if Authority = 21) or the Authority id itself (in the remaining cases), is called RID (the relative identifier). The RID, is what ultimately distinguishes one SID from another, that is, ascertain the uniqueness of a SID. It seems that values under 1000 are reserved for the system.

For example, the complete SID denoting respectively a user and a group within the previous example could be:
S-1-5-21-1111111111-222222222-3333333333-1100
S-1-5-21-1111111111-222222222-3333333333-2147483658

WELL-KNOWNS (Yellow Pages)

These well-known SID values are constant across all operating systems.
They typically represent generic identities on Windows.
A few are also relevant in terms of interoperability.
Windows NT, 2000 and later
                                                                                                               


S-1-0
         
           Null Authority
S-1-0-0                  Nobody

S-1-1                    World Authority
S-1-1-0       
           Everyone

S-1-2         
           Local Authority
S-1-2-0       
           Local
S-1-2-1       
           Console Logon

S-1-3         
           Creator Authority
S-1-3-0   
              Creator Owner
S-1-3-1   
              Creator Group
S-1-3-2     
             Creator Owner Server
S-1-3-3     
             Creator Group Server
S-1-3-4     
             Owner Rights

S-1-4       
             Non-unique Authority

S-1-5       
             NT Authority
S-1-5-1     
             Dialup
S-1-5-2     
             Network
S-1-5-3      
            Batch
S-1-5-4      
            Interactive
S-1-5-5-X-Y   
           Logon Session
S-1-5-6     
             Service
S-1-5-7     
             Anonymous
S-1-5-8   
              Proxy
S-1-5-9       
           Enterprise Domain Controllers
S-1-5-10   
              Principal Self
S-1-5-11
                 Authenticated Users
S-1-5-12                
Restricted Code
S-1-5-13                
Terminal Server Users
S-1-5-14                
Remote Interactive Logon
S-1-5-15                
This Organization
S-1-5-17                
This Organization
S-1-5-18                
Local System
S-1-5-19                
NT Authority
S-1-5-20                
NT Authority

S-1-5-21-domain-500     
Administrator
S-1-5-21-domain-501     
Guest
S-1-5-21-domain-502     
KRBTGT
S-1-5-21-domain-512     
Domain Admins
S-1-5-21-domain-513     
Domain Users
S-1-5-21-domain-514     
Domain Guests
S-1-5-21-domain-515     
Domain Computers
S-1-5-21-domain-516     
Domain Controllers
S-1-5-21-domain-517     
Cert Publishers
S-1-5-21-rootdomain-518 
Schema Admins
S-1-5-21-rootdomain-519 
Enterprise Admins
S-1-5-21-domain-520     
Group Policy Creator Owners
S-1-5-21-domain-553     
RAS and IAS Servers

S-1-5-32-544            
Administrators
S-1-5-32-545            
Users
S-1-5-32-546            
Guests
S-1-5-32-547            
Power Users
S-1-5-32-548            
Account Operators
S-1-5-32-549            
Server Operators
S-1-5-32-550            
Print Operators
S-1-5-32-551            
Backup Operators
S-1-5-32-552            
Replicators

S-1-5-64-10      
        NTLM Authentication
S-1-5-64-14      
        SChannel Authentication
S-1-5-64-21      
        Digest Authentication

S-1-5-80      
           NT Service
S-1-5-80-0     
          All Services
S-1-5-80-0      
         NT SERVICES \ ALL SERVICES

S-1-5-83-0      
         NT VIRTUAL MACHINE \ Virtual Machines

S-1-16-0      
           Untrusted Mandatory Level
S-1-16-4096   
          Low Mandatory Level
S-1-16-8192     
         Medium Mandatory Level
S-1-16-8448      
        Medium Plus Mandatory Level
S-1-16-12288      
       High Mandatory Level
S-1-16-16384      
       System Mandatory Level
S-1-16-20480
       
      Protected Process Mandatory Level
S-1-16-28672
      
       Secure Process Mandatory Level

In the next three sections that follows:
 
  • Rember that the "operations master" is also known as
    the flexible single master operations (FSMO).
     
  • The groups that are listed appear as SIDs until the respective Windows Server domain controller is made the primary domain controller (PDC) operations master role holder.
     
  • The additional built-in groups that are listed are created when the respective Windows Server domain controller is added to the domain.


Windows Server 2003
                                                                                                                                  

S-1-5-32-554             BUILTIN \ Pre-Windows 2000 Compatible Access
S-1-5-32-555             BUILTIN \ Remote Desktop Users
S-1-5-32-556            
BUILTIN \ Network Configuration Operators
S-1-5-32-557            
BUILTIN \ Incoming Forest Trust Builders
S-1-5-32-558            
BUILTIN \ Performance Monitor Users
S-1-5-32-559            
BUILTIN \ Performance Log Users
S-1-5-32-560            
BUILTIN \ Windows Authorization Access Group
S-1-5-32-561            
BUILTIN \ Terminal Server License Servers
S-1-5-32-562            
BUILTIN \ Distributed COM Users  


Windows Server 2008 (or R2)
                                                                                                                                  

S-1-5-21-rootdomain-498  Enterprise Read-only Domain Controllers 
S-1-5-21-domain-521      Read-only Domain Controllers
S-1-5-21-domain-571      Allowed RODC Password Replication Group
S-1-5-21-domain-572     
Denied RODC Password Replication Group

S-1-5-32-568             BUILTIN \ IIS_IUSRS
S-1-5-32-569            
BUILTIN \ Cryptographic Operators
S-1-5-32-573            
BUILTIN \ Event Log Readers
S-1-5-32-574            
BUILTIN \ Certificate Service DCOM Access


Windows Server 2012
                                                                                                                                  

S-1-5-21-0-0-0-496       COMPOUNDED_AUTHENTICATION
S-1-5-21-0-0-0-497      
CLAIMS_VALID
S-1-5-21-domain-522     
Cloneable Domain Controllers
S-1-5-21-domain-525     
PROTECTED_USERS

S-1-5-32-575            
BUILTIN \ RDS Remote Access Servers
S-1-5-32-576            
BUILTIN \ RDS Endpoint Servers
S-1-5-32-577            
BUILTIN \ RDS Management Servers
S-1-5-32-578            
BUILTIN \ Hyper-V Administrators
S-1-5-32-579            
BUILTIN \ Access Control Assistance Operators
S-1-5-32-580            
BUILTIN \ Remote Management Users

S-1-5-33                
WRITE_RESTRICTED_CODE
S-1-5-65-1              
THIS_ORGANIZATION_CERTIFICATE
S-1-5-84-0-0-0-0-0      
USER_MODE_DRIVERS
S-1-5-113               
LOCAL_ACCOUNT
S-1-5-114               
LOCAL_ACC_AND_MEMBER_OF_ADMIN_GRP
S-1-5-1000               
OTHER_ORGANIZATION

S-1-15-2-1               ALL_APP_PACKAGES

S-1-18-1                
AUTH_AUTH_ASSERTED_IDENTITY
S-1-18-2                
SERVICE_ASSERTED_IDENTITY
   

Friday, March 25, 2016

W2K & NFSv4 ACL mapping

This post is a development of another post, SMB & NFSv4 ACL mapping. It's specific to the Windows 2000 (and later) family systems. If necessary, please, check back the aforementioned "parent" post.

My discussion will be based on the following minimal scenario:
(box-01 is a Solaris 11.3 acting as a Windows 2000 Server)
 


























The graphical interface of the (directory and files) unified ACL editor (Properties | Security) seems good to manage basic settings such as: List Folder Contents, Read & Execute, Modify and Full Control. But it is impossible to get the big picture at once, it may be confusing for handling inheritance and it mixes in more complex permissions sets. The point is: it should allow us to see the permissions for all names at once, it shouldn't have the confusing Read and Write options and it should have a more objective approach (other than the confusing dimmed or grayed out checkboxes alongside the Allow inheritable... checkbox) on the inheritance status. And on top of all this, by clicking on the checkboxes on a certain order (check Modify then clear Write, you would expect to be left with Read & Execute but you don't!) it's possible to mistakenly generate unwanted special permissions.
 




























Unfortunately, the design of the Advanced option, entitled Access Control Settings is also bad because it adopts horizontal scrolling (which is terrible; they don't even persist the tedious adjustments of the listview columns that someone does in order to better see all the information without scrolling) instead of more concise graphical elements and filtering, or even a resize-able dialog, in order to really help an administrator do its job. Bottom line is it's also cumbersome as the basic one. Again, unfortunately, especially because Windows is so centric on ergonomics and GUI design. It's like this area has been greatly overlooked or treated with laziness (many out there could do a lot better than that...).
 




























Still similarly to what I have done for Windows NT 4.0 (and before) let's initially focus just on the permissions sets that are displayed on the basic (Properties | Security) dialog.

The first thing to note is that the legacy permission flags (R, W, X, D, P and O) have all gone. They were replaced by other 13 (frequently even more confusing) flags which have no compact names but just descriptions and are only accessible after yet another click and more scrolling and a bunch more clicks. As you can see, a nightmare (I'm still not sure if they really wanted to discourage people or hide their mess, perhaps both, but there would be better ways, but, that's Windows!). In order to help put things in order we have the following 1-1 mapping between the each NFSv4 and Windows permission flag:
 
















To help even more here is a mapping for the Windows 2000 basic permission sets dialog together with each flag setting, bor for the unnamed Windows flags and the UNIX NFSv4 ACLs (for simplicity here I'm intentionally omitting the name of the associated user or group that should be prefixed to each UNIX ACL and I'm also representing the 13 Windows flags as an ordered row resulting from a counter-clockwise rotation of 90°): 




Full Control

+Modify   +Read & Execute   +List Folder Contents   +Read   +Write

      
                
rwxpdDaARWcCos:fd-----:allow



Modify

+Read & Execute   +List Folder Contents   +Read   +Write

              
          rwx
pd-aARWc--s:fd-----:allow



Read & Execute

+List Folder Contents   +Read

           
             r-x---a-R-c--
s:fd-----:allow



List Folder Contents


                        r-x---a-R-c--s:-d-----:allow



Read


                        r-----a-R-c--s:fd-----:allow



Write


                        -w-p---A-W---s:fd-----:allow

NOTE
The preceding series of ACLs is formatted in terms of directory permissions but the same translation applies to file permissions (except, of course, List Folder Contents) if you disregard the respective ACL inheritance flags (between both colons in my listing) which contains an f and/or d. For instance, the Full Control for a file is depicted by rwxpdDaARWcCos:-------:allow, but depending on the inheritance it may show a trailing I inheritance flag.

NOTE
If needed, the Add & Read permission set from Windows NT 4.0 (and before)  must be manually created from the scratch by adding the following two permission sets to the desired user and directory:

r-x---a-R-c--s:f-i----:allow
rwxp--aARWc--s:-d-----:allow

Which, in other words, basically means:

Read & Execute for files and
Read, Write & Execute for directories (not their contents).

NOTE
As a variation of the Add & Read permission set above it could be interesting to have the possibility to add a folder just to a certain subtree root (or share) while all other permissions are inherited (as for giving read access to a group and so on). In that case, it's assumed (of course) that amongst the inherited permissions is the Full Control for the CREATOR OWNER identity. The permission that has to be added to the desired subtree root is:

r-xp--a-R-c--s:-------:allow

Well, beyond all the above, who knows, maybe someone can devise some useful and unanticipated sort of special access, but in general what's been seen is pretty much all about that.

With the knowledge of this post, it's not necessary to resort to a Windows box in order to set meaningful permissions according to Windows by using its GUI editors. You can do it from a Solaris 11.3 shell by using chmod(1).
   

Thursday, March 24, 2016

NT4 & NFSv4 ACL mapping

This post is a development of another post, SMB & NFSv4 ACL mapping. It's specific to the Windows NT 4.0 (and before) family systems. If necessary, please, check back the aforementioned "parent" post.

The graphical interface of the ACL editors (Directory Permissions and File Permissions) are powerful yet reasonably nice, simple, concise and straightforward. And I mostly like it.























Let's focus just on the permissions sets which are listed on the "second colon" of the listboxes labeled Name for each user or group to which the ACL is to be enforced.

The first thing to note is that Directories Permissions have two pairs of parenthesis while Files Permissions just have one. On the former, the first pair of parenthesis refers to the permissions that apply just to the directory (not the files in it), while the second pair of parenthesis refers to the permissions of the (current or new) files in the directory (depending on the setting of the checkbox which text is Replace Permissions on Existing Files).

The second thing to note is that most of the permissions sets that are list on the dropdown-listbox labeled Type of Access are the "standard" ones (according to Windows). Whatever deviates from these is considered a Special Access case and treated accordingly in the interface.

The third thing to note is that on this world, exactly 6 permission flags (independent among each other) are recognized and they are as follows (but there are a few caveats around their names and effective meanings as it shall become more clear on the permissions sets below):

       Permission Flag
    R  Read 
    W  Write 
    X  Execute 
    D  Delete 
    P  Change Permissions 
    O  Take Ownership

The fourth thing to note is that from the Windows GUI ACL editors there's no direct way of telling if an ACL is being inherited or not. The rule is that if you override any ACL for a file system object than then what's previously inherited is copied alongside what's been changed.

Still solely from the Windows perspective let's summarize the ("standard", except for the Special Access) permissions sets as they are recognized by the system:

For directories:
                        Permission Set 
   (None  )   (None  )  No Access
   (R_X___)   (None  )  List
   (R_X___)   (R_X___)  Read
   (_WX___)   (None  )  Add
   (RWX___)   (R_X___)  Add & Read 
   (RWXD__)   (RWXD__)  Change
   (All   )   (All   )  Full Control
   (Other )   (Other )  Special Access


For files:
                        Permission Set 
              (None  )  No Access
              (R_X___)  Read 
              (RWXD__)  Change 
              (All   )  Full Control
              (Other )  Special Access
 

Now from the UNIX NFSv4 ACLs perspective each of the above permission set (interestingly) translates into the following (for simplicity here I'm intentionally omitting the name of the associated user or group that should be prefixed to each ACL):

No Access

 (None)(None)           rwxpdDaARWcCos:f-i----:deny
                        rwxpdDaARWcCos:-d-----:deny 
List

 (RX)(Not Specified)    r-x---a-R-c--s:-d-----:allow
Read

 (RX)(RX)               r-x---a-R-c--s:f-i----:allow
                        r-x---a-R-c--s:-d-----:allow
Add

 (WX)(Not Specified)    -wxp--aA-Wc--s:-d-----:allow
Add & Read

 (RWX)(RX)              r-x---a-R-c--s:f-i----:allow
                        rwxp--aARWc--s:-d-----:allow
Change

 (RWXD)(RWXD)           rwxpd-aARWc--s:f-i----:allow
                        rwxpd-aARWc--s:-d-----:allow
Full Control

 (All)(All)             rwxpdDaARWcCos:f-i----:allow
                        rwxpdDaARWcCos:-d-----:allow

NOTE
The preceding series of ACLs is formatted in terms of directory permissions but the same translation applies to file permissions if you consider just the second pair of parenthesis and the respective ACL inheritance flags (between both colons in my listing) which contain an f but removing both the f and i. For instance, the Full Control for a file is depicted by the ACL rwxpdDaARWcCos:-------:allow

So, as one can see, for directories, except when (Not Specified) is involved, each pair of parenthesis actually translates into 2 NFSv4 ACLs, one for the directory (which contains the d flag) and another (which contains the f flag) for files (for being implictly inherited by new files or overriden in existing files within the directory, this last case depending on the checkbox which text is Replace Permissions on Existing Files).

For attempting the ultimate fine-grained ACL mapping between NT4 and UNIX I'll put the following (hopefully) final listing of this (long) post:
 
 (Special Access)(R)    r-----a-R-c--s:-------:allow
 (Special Access)(W)    -w-p---A-Wc--s:-------:allow
 (Special Access)(X)    --x---a---c--s:-------:allow
 (Special Access)(D)    ----d--------s:-------:allow
 (Special Access)(P)    -----------C-s:-------:allow
 (Special Access)(O)    ------------os:-------:allow

Well, beyond all the above, who knows, maybe someone can devise some useful and unanticipated sort of special access, but in general what's been seen is pretty much all about that.

With the knowledge of this post, it's not necessary to resort to a Windows box in order to set meaningful permissions according to Windows by using its GUI editors. You can do it from a Solaris 11.3 shell by using chmod(1).