Friday, April 1, 2016

SID - Security Identifier

Everybody should have some idea of what a SID (security identifier) is.
There is plenty of information about SIDs on the Internet.

I do not intend to bore anyone by copying and pasting, but the fact is (or seems to be) that the information is split and scattered, which makes it difficult to use. I do not intend to touch on its implementation details either.

What seems more reasonable, in addition to a basic understanding of its purpose (which everybody already knows, or should know, well), is its very basic structure and the well-known values (generics) used by Windows systems with which interoperability is required at some point, typically on the ACLs of SMB shares.

As with most things in the Windows world, SIDs are also confusing, both with respect to their own concepts and with respect to related concepts such as GUIDs and so on... The bad news is that this is probably not getting any better in the near future, so we have to live with it :-(

What I'll attempt is to summarize what is found (at the time of this writing) in two Microsoft sources (the MSDN API and References section 2.4.2, and Support KB243330). I believe that the way I display the information is better than what's found in those official references. Anyway...

BASIC STRUCTURE

As you may already have noted, a SID has variable length but always starts with the letter S, in a prefix that is usually S-1. This means that we are dealing with a version 1 SID (I still haven't seen, nor have I had any interest in looking for, other versions).

What follows (separated by another dash) is called the Authority. Please don't ask me why it's called that (I didn't invent this), nor whether it makes any sense to have them numbered and named as follows:
  • 0 - Null
  • 1 - World
  • 2 - Local
  • 3 - Creator
  • 4 - Non-unique
  • 5 - NT
  • other unknowns: 15, 16, 18

Hence the prefix that appears most frequently is S-1-5.

The remaining parts of the SID (delimited by dashes) are called SubAuthorities (so, at a minimum, one infers or presumes, each one is dependent on the one that follows it).

If the first SubAuthority is 21 (you know, don't ask me why this value!), then in general (there are exceptions, such as 84!) it will necessarily be followed by three more SubAuthorities, which together denote a certain domain (or a machine). The domain may in fact be the root domain (the first domain created in an Active Directory forest infrastructure).

So it will be usual to come across a SID that starts with something such as:
S-1-5-21-1111111111-222222222-3333333333
where (the three fictitious SubAuthorities delimited by dashes):
1111111111-222222222-3333333333
denote (identify) a certain domain or machine.

Finally, the last SubAuthority, which follows the domain / machine id (if the first SubAuthority is 21) or the Authority id itself (in the remaining cases), is called the RID (relative identifier); again there are exceptions, such as the SID S-1-5-5-X-Y. The RID is what ultimately distinguishes one SID from another, that is, it ascertains the uniqueness of a SID. It seems that values under 1000 are reserved for the system.

For example, complete SIDs denoting respectively a user and a group within the previous example could be:
S-1-5-21-1111111111-222222222-3333333333-1100
S-1-5-21-1111111111-222222222-3333333333-2147483658
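As an added example (not code from the original post nor from Microsoft's references), here is a small Python parser that splits a textual SID along the structure described above (revision, Authority, SubAuthorities, the S-1-5-21 domain/machine id, the RID and the S-1-5-5-X-Y exception) and names the result against a handful of the well-known values listed in the tables further down. The subset of well-known values embedded in the code and the output wording are my own choices.

```python
import re

# Well-known values copied from the tables later in this post: absolute SIDs,
# and RIDs that are relative to a domain/machine identifier (S-1-5-21-...).
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-18": "Local System", "S-1-5-32-544": "Administrators"}
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "KRBTGT",
               512: "Domain Admins", 513: "Domain Users"}

# S-<revision>-<authority>[-<subauthority>...]; S-1-0 alone has no SubAuthority.
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid):
    """Split a textual SID into revision, authority, subauthorities, domain id and RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a textual SID: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    info = {"revision": revision, "authority": authority,
            "subauthorities": subs, "domain": None, "rid": None}
    if not subs:
        return info                      # e.g. S-1-0: authority only, nothing to split
    if authority == 5 and subs[0] == 21 and len(subs) >= 4:
        # S-1-5-21-a-b-c[-rid]: the three values after 21 identify the domain or machine
        info["domain"] = tuple(subs[1:4])
        info["rid"] = subs[4] if len(subs) == 5 else None
    elif authority == 5 and subs[0] == 5:
        # S-1-5-5-X-Y (logon session): the trailing pair is not a RID (one of the exceptions)
        info["rid"] = None
    else:
        info["rid"] = subs[-1]           # RID relative to the authority itself
    return info


def describe(sid):
    """Name a SID from the well-known tables, or flag a reserved (< 1000) domain RID."""
    info = parse_sid(sid)
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if info["domain"] is not None and info["rid"] is not None:
        domain = "-".join(str(x) for x in info["domain"])
        if info["rid"] in DOMAIN_RIDS:
            return "%s of domain %s" % (DOMAIN_RIDS[info["rid"]], domain)
        if info["rid"] < 1000:
            return "reserved RID %d of domain %s" % (info["rid"], domain)
    return "unknown"


if __name__ == "__main__":
    for s in ("S-1-5-21-1111111111-222222222-3333333333-500",
              "S-1-5-21-1111111111-222222222-3333333333-1100", "S-1-5-5-12345-67890"):
        print(s, "->", parse_sid(s)["rid"], describe(s))
```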

WELL-KNOWNS (Yellow Pages)

These well-known SID values are constant across all operating systems.
They typically represent generic identities on Windows.
A few are also relevant in terms of interoperability.
Windows NT, 2000 and later

S-1-0                    Null Authority
S-1-0-0                  Nobody

S-1-1                    World Authority
S-1-1-0                  Everyone

S-1-2                    Local Authority
S-1-2-0                  Local
S-1-2-1                  Console Logon

S-1-3                    Creator Authority
S-1-3-0                  Creator Owner
S-1-3-1                  Creator Group
S-1-3-2                  Creator Owner Server
S-1-3-3                  Creator Group Server
S-1-3-4                  Owner Rights

S-1-4                    Non-unique Authority

S-1-5                    NT Authority
S-1-5-1                  Dialup
S-1-5-2                  Network
S-1-5-3                  Batch
S-1-5-4                  Interactive
S-1-5-5-X-Y              Logon Session
S-1-5-6                  Service
S-1-5-7                  Anonymous
S-1-5-8                  Proxy
S-1-5-9                  Enterprise Domain Controllers
S-1-5-10                 Principal Self
S-1-5-11                 Authenticated Users
S-1-5-12                 Restricted Code
S-1-5-13                 Terminal Server Users
S-1-5-14                 Remote Interactive Logon
S-1-5-15                 This Organization
S-1-5-17                 This Organization
S-1-5-18                 Local System
S-1-5-19                 NT Authority
S-1-5-20                 NT Authority

S-1-5-21-domain-500      Administrator
S-1-5-21-domain-501      Guest
S-1-5-21-domain-502      KRBTGT
S-1-5-21-domain-512      Domain Admins
S-1-5-21-domain-513      Domain Users
S-1-5-21-domain-514      Domain Guests
S-1-5-21-domain-515      Domain Computers
S-1-5-21-domain-516      Domain Controllers
S-1-5-21-domain-517      Cert Publishers
S-1-5-21-rootdomain-518  Schema Admins
S-1-5-21-rootdomain-519  Enterprise Admins
S-1-5-21-domain-520      Group Policy Creator Owners
S-1-5-21-domain-553      RAS and IAS Servers

S-1-5-32-544             Administrators
S-1-5-32-545             Users
S-1-5-32-546             Guests
S-1-5-32-547             Power Users
S-1-5-32-548             Account Operators
S-1-5-32-549             Server Operators
S-1-5-32-550             Print Operators
S-1-5-32-551             Backup Operators
S-1-5-32-552             Replicators

S-1-5-64-10              NTLM Authentication
S-1-5-64-14              SChannel Authentication
S-1-5-64-21              Digest Authentication

S-1-5-80                 NT Service
S-1-5-80-0               All Services (NT SERVICES \ ALL SERVICES)

S-1-5-83-0               NT VIRTUAL MACHINE \ Virtual Machines

S-1-16-0                 Untrusted Mandatory Level
S-1-16-4096              Low Mandatory Level
S-1-16-8192              Medium Mandatory Level
S-1-16-8448              Medium Plus Mandatory Level
S-1-16-12288             High Mandatory Level
S-1-16-16384             System Mandatory Level
S-1-16-20480             Protected Process Mandatory Level
S-1-16-28672             Secure Process Mandatory Level

In the three sections that follow:

  • Remember that the "operations master" is also known as the flexible single master operations (FSMO).
  • The groups that are listed appear as SIDs until the respective Windows Server domain controller is made the primary domain controller (PDC) operations master role holder.
  • The additional built-in groups that are listed are created when the respective Windows Server domain controller is added to the domain.


Windows Server 2003

S-1-5-32-554             BUILTIN \ Pre-Windows 2000 Compatible Access
S-1-5-32-555             BUILTIN \ Remote Desktop Users
S-1-5-32-556             BUILTIN \ Network Configuration Operators
S-1-5-32-557             BUILTIN \ Incoming Forest Trust Builders
S-1-5-32-558             BUILTIN \ Performance Monitor Users
S-1-5-32-559             BUILTIN \ Performance Log Users
S-1-5-32-560             BUILTIN \ Windows Authorization Access Group
S-1-5-32-561             BUILTIN \ Terminal Server License Servers
S-1-5-32-562             BUILTIN \ Distributed COM Users


Windows Server 2008 (or R2)

S-1-5-21-rootdomain-498  Enterprise Read-only Domain Controllers
S-1-5-21-domain-521      Read-only Domain Controllers
S-1-5-21-domain-571      Allowed RODC Password Replication Group
S-1-5-21-domain-572      Denied RODC Password Replication Group

S-1-5-32-568             BUILTIN \ IIS_IUSRS
S-1-5-32-569             BUILTIN \ Cryptographic Operators
S-1-5-32-573             BUILTIN \ Event Log Readers
S-1-5-32-574             BUILTIN \ Certificate Service DCOM Access


Windows Server 2012

S-1-5-21-0-0-0-496       COMPOUNDED_AUTHENTICATION
S-1-5-21-0-0-0-497       CLAIMS_VALID
S-1-5-21-domain-522      Cloneable Domain Controllers
S-1-5-21-domain-525      PROTECTED_USERS

S-1-5-32-575             BUILTIN \ RDS Remote Access Servers
S-1-5-32-576             BUILTIN \ RDS Endpoint Servers
S-1-5-32-577             BUILTIN \ RDS Management Servers
S-1-5-32-578             BUILTIN \ Hyper-V Administrators
S-1-5-32-579             BUILTIN \ Access Control Assistance Operators
S-1-5-32-580             BUILTIN \ Remote Management Users

S-1-5-33                 WRITE_RESTRICTED_CODE
S-1-5-65-1               THIS_ORGANIZATION_CERTIFICATE
S-1-5-84-0-0-0-0-0       USER_MODE_DRIVERS
S-1-5-113                LOCAL_ACCOUNT
S-1-5-114                LOCAL_ACC_AND_MEMBER_OF_ADMIN_GRP
S-1-5-1000               OTHER_ORGANIZATION

S-1-15-2-1               ALL_APP_PACKAGES

S-1-18-1                 AUTH_AUTH_ASSERTED_IDENTITY
S-1-18-2                 SERVICE_ASSERTED_IDENTITY