Repeated computer account SID rumors


This is a document Mark has just written, mainly to tell everyone that duplicate computer account SIDs do not cause any problems, whether in a domain or in a workgroup. The NewSID tool everyone has been using over the years is actually useless.
I translated this article to make it easier for everyone and to improve my own translation skills. If you are not interested, read the English version.
--- Not-so-fancy opening separator ---
Sysinternals has retired the NewSID tool, which could change the machine SID of a computer. NewSID was written in 1997 under the name NTSID. The reason was simple: at the time only Microsoft's Sysprep tool could change the machine SID, and Sysprep did not support changing the SID of a computer on which applications were already installed. The machine SID is a unique identifier generated during Windows installation; Windows uses it as the basis for the SIDs of the local accounts and groups that the administrator defines. After a user logs on, the account and group SIDs are used for object authorization (permission checks). If two hosts have the same machine SID, users or groups on the two systems may end up with the same SID. From this it seems reasonable to infer that multiple computers with the same machine SID on one network are a security threat, right?
The reason for retiring NewSID is that, although many people claimed NewSID ran successfully on Vista and Windows Server 2008, Mark had never tested it comprehensively, and some people reported that certain Windows components failed after NewSID was used. When Mark looked into these reports, he decided to find out exactly what problems a duplicate SID would cause, since most people assumed it would be a problem. The deeper he went, the more he realized that duplicate machine SIDs do not actually cause any problems. With this conclusion he went to the Windows security and deployment teams to ask, and no one could produce a scenario showing that, in a domain or in a workgroup, two systems with the same machine SID would cause any problem. Retiring NewSID therefore became the obvious decision.
Most people, however, are surprised by this result, especially because changing the SID of an imaged system has been a basic rule since Windows NT. So next we will reveal the truth: starting from what a machine SID is, then how Windows uses SIDs, and finally the fact that the machine SID is never exposed to other computers, to show that systems with the same machine SID have no problem.
SID
Windows uses SIDs to represent all security principals. Security principals include hosts, domain computer accounts, users, and security groups. A name is only a friendly label for a SID: you can change the name without updating any ACL (access control list). A SID is a numeric value made up of a structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or RID (relative identifier) values. The authority value identifies the agent that issued the SID, which is generally a Windows local system or a domain. The subauthority values identify trustees relative to the issuing authority, and the RID is simply the way Windows creates a unique SID from a common base SID.
You can view the machine SID with Sysinternals PsGetSid. Version 1.43 is available for download; Mark uses 1.44.

The revision number is 1, the authority value is 5, and four subauthority values follow. When Windows NT was designed, the machine SID might be used on a network, so to ensure uniqueness the SID generated during installation has one fixed subauthority value, 21, followed by three randomly generated subauthority values. That is why you usually see the fixed prefix S-1-5-21.
Before the first account is created, Windows has already defined several built-in users and groups, including the Administrator and Guest accounts. Unlike the random machine SID, their uniqueness is guaranteed by appending a fixed value, called the RID (relative identifier), to the machine SID. The RIDs of the built-in accounts are preset; for example, the RID of the Administrator account is 500.

After installation is complete, the SIDs Windows assigns to new local users and groups use RIDs starting at 1000.



In addition to these dynamically created SIDs, Windows also defines some accounts that use only a fixed SID, for example the Everyone group and the Local System account.
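As an added illustration (not code from Mark's article or from Sysinternals), the following Python parses SID strings of the kind PsGetSid prints, separates the revision, identifier authority, subauthorities and RID, converts between the string form and the binary layout Windows stores in ACLs, and classifies a SID as a fixed well-known SID, a machine or domain SID, a built-in account (RID below 1000) or an account created after installation. The machine SID value is constructed for the example; the well-known RID table beyond 500 (Administrator, the one the article cites) uses standard Windows values.

```python
import re
import struct
from dataclasses import dataclass

# Constructed machine SID for the examples (not a value from the page).
MACHINE_SID = "S-1-5-21-1004336348-1177238915-682003330"

# RIDs that Windows pre-assigns to built-in accounts; 500 (Administrator)
# is the one the article cites, the others are standard well-known RIDs.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


@dataclass(frozen=True)
class Sid:
    revision: int            # structure revision, always 1 today
    authority: int           # 48-bit identifier authority (5 = NT Authority)
    subauthorities: tuple    # up to 15 32-bit values; for an account SID the last one is the RID

    @classmethod
    def parse(cls, text):
        m = SID_RE.match(text)
        if not m:
            raise ValueError("not a SID string: %r" % text)
        subs = tuple(int(x) for x in m.group(3).split("-")[1:])
        if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
            raise ValueError("subauthority count or value out of range: %r" % text)
        return cls(int(m.group(1)), int(m.group(2)), subs)

    def __str__(self):
        parts = ["S", str(self.revision), str(self.authority)] + [str(s) for s in self.subauthorities]
        return "-".join(parts)

    @property
    def rid(self):
        return self.subauthorities[-1] if self.subauthorities else None

    def is_installation_generated(self):
        # Machine SIDs and domain SIDs both use the fixed subauthority 21 plus three random values.
        return (self.revision == 1 and self.authority == 5
                and len(self.subauthorities) >= 4 and self.subauthorities[0] == 21)

    def issuer(self):
        """The machine or domain SID that issued an account SID: everything except the RID."""
        if not (self.is_installation_generated() and len(self.subauthorities) >= 5):
            raise ValueError("not an account SID relative to a machine or domain SID")
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def to_bytes(self):
        # Binary layout used on disk and in ACLs: revision byte, subauthority count byte,
        # 6-byte big-endian identifier authority, then each subauthority as little-endian uint32.
        header = bytes([self.revision, len(self.subauthorities)]) + self.authority.to_bytes(6, "big")
        return header + b"".join(struct.pack("<I", s) for s in self.subauthorities)

    @classmethod
    def from_bytes(cls, data):
        revision, count = data[0], data[1]
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
        return cls(revision, authority, tuple(subs))


def account_sid(issuer_sid, rid):
    """Build an account SID the way Windows does: the issuing SID with the RID appended."""
    base = Sid.parse(issuer_sid)
    return Sid(base.revision, base.authority, base.subauthorities + (rid,))


def describe(text):
    """Classify a SID string the way an auditor would read PsGetSid or whoami output."""
    sid = Sid.parse(text)
    if not sid.is_installation_generated():
        return {"kind": "fixed well-known SID", "issuer": None, "rid": sid.rid, "name": None}
    if len(sid.subauthorities) == 4:
        return {"kind": "machine or domain SID", "issuer": None, "rid": None, "name": None}
    rid = sid.rid
    kind = "built-in account" if rid < 1000 else "account created after installation"
    return {"kind": kind, "issuer": str(sid.issuer()), "rid": rid, "name": WELL_KNOWN_RIDS.get(rid)}
```

Calling describe() on the Administrator SID of the constructed machine reports the issuer as the machine SID and the RID as 500, while S-1-5-18 (Local System) and S-1-1-0 (Everyone) come back as fixed well-known SIDs that are identical on every installation.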


A machine joined to a domain also has a domain computer account SID, based on the domain SID. Query the SID of the test.com domain and the SIDs of two machines in the domain:

Fulltest is a computer account created manually, while test02 is an actual machine cloned from the DC image. Note that there is no difference: the clone joins the domain just as successfully. In fact, it is a duplicate domain SID that would be a problem.

SIDs and Access Control Lists

When an account logs on to a Windows system, the Local Security Authority Subsystem (LSASS, lsass.exe) creates a logon session and a token for it. A token is a data structure defined by the Windows kernel. It contains the SID of the account and the SIDs of the groups the account belonged to at logon time, together with the privileges granted to the account and those groups. When the last token referencing a logon session is deleted, LSASS deletes the logon session and the user is logged off.
Run Sysinternals LogonSessions to view the details.

And view the logon token.

And view the corresponding permissions.

When a program opens a system object such as a file or registry key, the security subsystem performs a permission check by comparing the entries in the object's ACL with the SIDs contained in the program's token.


Remote logons perform the same kind of check, for example when accessing a share on a remote computer. To connect to a share successfully, you must authenticate with an account the remote system knows. That is, if the remote computer is a workgroup machine, the credentials the user supplies must be for a local account of the remote system; if it is a domain member, they can be for a local account of the remote system or for a domain account. When the user then accesses a shared file, the file server driver on the remote system uses the token of that logon session for the permission check. This mechanism is called impersonation.
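As an added model (not code from the article), the following Python simulates the argument of this section and of the Duplicate SIDs section that follows: two hosts cloned from one image share a machine SID, each host's LSASS builds tokens only from its own SAM, and a share access check walks the ACL against that token. Host names, accounts, passwords and the shared machine SID are constructed; the SAM is modelled with plaintext passwords purely to keep the example short, and the ACL walk is a simplified version of the kernel's algorithm (denies are evaluated in order against still-ungranted rights, allows accumulate).

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2

# Constructed: two hosts cloned from the same image, so they share a machine SID.
SHARED_MACHINE_SID = "S-1-5-21-1004336348-1177238915-682003330"
EVERYONE, BUILTIN_ADMINS = "S-1-1-0", "S-1-5-32-544"   # fixed SIDs, identical on every host


@dataclass
class Host:
    name: str
    machine_sid: str
    sam: dict   # username -> {"password": ..., "rid": ..., "admin": bool}; real SAMs store hashes


HOST_A = Host("WS-A", SHARED_MACHINE_SID,
              {"bob": {"password": "bob-pw", "rid": 1001, "admin": True}})
HOST_B = Host("WS-B", SHARED_MACHINE_SID,
              {"alice": {"password": "alice-pw", "rid": 1001, "admin": False}})


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset


def logon(host, username, password):
    """LSASS on `host` validates credentials against its own SAM and builds the token from
    its own machine SID. Nothing about the connecting computer enters this function."""
    entry = host.sam.get(username)
    if entry is None or entry["password"] != password:
        return None
    groups = {EVERYONE}
    if entry["admin"]:
        groups.add(BUILTIN_ADMINS)
    return Token("%s-%d" % (host.machine_sid, entry["rid"]), frozenset(groups))


@dataclass(frozen=True)
class Ace:
    allow: bool
    sid: str
    mask: int


def access_check(token, acl, requested):
    """Simplified ACL walk: ACEs are evaluated in order; a matching deny that covers a
    still-ungranted requested right fails the check, matching allows accumulate rights."""
    principals = {token.user_sid} | token.group_sids
    granted = 0
    for ace in acl:
        if ace.sid not in principals:
            continue
        if not ace.allow and ace.mask & requested & ~granted:
            return False
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def remote_open(server, username, password, acl, requested):
    """A client opening a share on `server`: the server authenticates the supplied account
    against its own SAM and impersonates the resulting token for the ACL check."""
    token = logon(server, username, password)
    if token is None:
        return "logon failed: account not known to %s" % server.name
    return "granted" if access_check(token, acl, requested) else "access denied"


# ACL on a share hosted by WS-B: alice (RID 1001 on WS-B) may read, Everyone is denied write.
SHARE_ACL = [
    Ace(False, EVERYONE, WRITE),
    Ace(True, "%s-1001" % SHARED_MACHINE_SID, READ),
]
```

Bob on WS-A and Alice on WS-B have byte-for-byte identical SIDs, yet Bob's credentials fail against WS-B's share because WS-B has no such account, while Alice's credentials succeed. The SID Bob carries on his own machine never reaches the check.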

Duplicate SIDs

To deploy a group of computers from one Windows installation, the method Microsoft supports is to install Windows on a reference computer and then prepare it for cloning with the Sysprep tool, that is, to generate an image. When a user starts a system created from that image, Sysprep creates a new machine SID during setup, triggers plug-and-play device detection, resets the product activation clock, and changes other configuration such as the new computer name.
However, some IT administrators install and configure applications on Windows and then deploy with tools that do not reset the SIDs of the cloned systems (which is troublesome and error-prone). So they adopt SID-reset tools such as NewSID. These tools generate a new machine SID, locate every place on the system that holds a copy of the machine SID, including file system and registry ACLs, and update them to the new SID. Microsoft does not support this kind of modification, because these tools cannot be sure they know every place Windows stores the machine SID, and the security and reliability of a system that mixes old and new machine SIDs cannot be guaranteed.
So is it a problem if multiple computers share the same machine SID? The only way it could be is if Windows ever used the machine SID to identify one computer to another. For example, if, when a user connected to a remote host, the local machine SID were sent to the remote host and used there in the permission check, then duplicate SIDs would be a security issue, because the remote host could not distinguish an inbound remote account from a local account with the same SID (the same SID meaning the same machine SID and the same RID). However, Windows only ever authenticates a remote user against account information the remote computer itself knows: you must authenticate with a local account of the remote host, or with a domain account that the remote host trusts. The remote host obtains the local account's SID from its own SAM, or the domain account's SID from Active Directory on a DC. The remote computer never looks at the SID of the connecting computer.
In other words, what opens the door to a computer is not its SID but account usernames and passwords. Knowing an account's SID on a remote computer gives no access to that computer or its resources. There is further evidence: recall the built-in accounts. The Local System account, for example, has the same SID on every computer; if duplicate SIDs were a security problem, this would already be one.
The exception is DCs. Each domain has a unique domain SID, which is the machine SID of the first domain controller, and every DC's machine SID is identical to the domain SID.

Other computers do sometimes reference the DC's machine SID, because it is also the domain SID. That is to say, a computer in a domain must not have the same machine SID as the DCs and the domain. Like every member computer, each DC has a computer account in the domain, and that account is the identity it uses when authenticating to remote hosts. All accounts in the domain, including computers, users, and security groups, have SIDs based on the domain SID, while local account SIDs are based on the machine SID; there is no connection between the two.
Documents about duplicate SIDs, including a KB article, warn that when several computers share a SID, local-account permissions on removable storage are not safe. What they forget to mention is that permissions on removable storage are never secure, because the media can be plugged into any computer, where NTFS permissions can be bypassed. Removable media also tend to grant access to well-known SIDs; for example, every computer has an Administrators group with the same SID. This is the basic principle of physical security, and the reason Windows 7 promotes BitLocker To Go, which encrypts removable storage.
The last question concerns distributed applications that use the machine SID to identify a computer: is a duplicate SID a problem there? Non-Microsoft software cannot reliably use the machine SID as an identifier, because all DCs in a domain have the same machine SID. Software that needs a unique computer ID should use either the computer name or the computer's domain account SID.
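The checks an administrator would actually want from this section, as an added example that is not part of the article: given an inventory of hosts with their machine SID, domain SID and domain computer account SID, report shared machine SIDs among members and workgroup machines as informational only, and raise errors only for the duplicates the article says matter: a DC whose machine SID differs from its domain SID, two different domains sharing a domain SID, a non-DC whose machine SID equals a domain SID, and two hosts sharing a computer account SID. The inventory, host names, domain names and SIDs are all constructed.

```python
from collections import defaultdict

# Constructed inventory: what PsGetSid on each host plus a directory lookup of its
# computer account would give an administrator. All names and SIDs are made up.
INVENTORY = [
    {"host": "ws01", "role": "member", "domain": "test.com",
     "machine_sid": "S-1-5-21-100-200-300", "domain_sid": "S-1-5-21-700-800-900",
     "computer_sid": "S-1-5-21-700-800-900-1105"},
    {"host": "ws02", "role": "member", "domain": "test.com",
     "machine_sid": "S-1-5-21-100-200-300", "domain_sid": "S-1-5-21-700-800-900",
     "computer_sid": "S-1-5-21-700-800-900-1106"},
    {"host": "ws03", "role": "workgroup", "domain": None,
     "machine_sid": "S-1-5-21-100-200-300", "domain_sid": None, "computer_sid": None},
    {"host": "dc01", "role": "dc", "domain": "test.com",
     "machine_sid": "S-1-5-21-700-800-900", "domain_sid": "S-1-5-21-700-800-900",
     "computer_sid": "S-1-5-21-700-800-900-1000"},
    {"host": "dc02", "role": "dc", "domain": "test.com",
     "machine_sid": "S-1-5-21-700-800-900", "domain_sid": "S-1-5-21-700-800-900",
     "computer_sid": "S-1-5-21-700-800-900-1001"},
    # A second domain promoted from a clone of dc01 without Sysprep: its domain SID
    # collides with test.com, which is the kind of duplicate that does matter.
    {"host": "dc11", "role": "dc", "domain": "lab.example",
     "machine_sid": "S-1-5-21-700-800-900", "domain_sid": "S-1-5-21-700-800-900",
     "computer_sid": "S-1-5-21-700-800-900-1000"},
]


def audit(inventory):
    """Return (severity, message) findings; severity is "info" or "error"."""
    findings = []

    # 1. Machine SIDs shared by several non-DC hosts: harmless, reported for information only.
    by_machine = defaultdict(list)
    for r in inventory:
        if r["role"] != "dc":
            by_machine[r["machine_sid"]].append(r["host"])
    for sid, hosts in sorted(by_machine.items()):
        if len(hosts) > 1:
            findings.append(("info", "machine SID %s shared by %s (harmless by itself)"
                             % (sid, ", ".join(hosts))))

    # 2. Every DC's machine SID must equal its domain SID; collect domain SIDs per domain.
    domain_sids = defaultdict(set)
    for r in inventory:
        if r["role"] == "dc" and r["machine_sid"] != r["domain_sid"]:
            findings.append(("error", "DC %s machine SID %s differs from domain SID %s"
                             % (r["host"], r["machine_sid"], r["domain_sid"])))
        if r["domain"]:
            domain_sids[r["domain"]].add(r["domain_sid"])

    # 3. Two different domains must never share a domain SID.
    sid_to_domains = defaultdict(set)
    for domain, sids in domain_sids.items():
        for sid in sids:
            sid_to_domains[sid].add(domain)
    for sid, domains in sorted(sid_to_domains.items()):
        if len(domains) > 1:
            findings.append(("error", "domain SID %s shared by domains %s"
                             % (sid, ", ".join(sorted(domains)))))

    # 4. A member or workgroup machine must not carry a domain SID as its machine SID.
    for r in inventory:
        if r["role"] != "dc" and r["machine_sid"] in sid_to_domains:
            findings.append(("error", "%s machine SID %s equals a domain SID"
                             % (r["host"], r["machine_sid"])))

    # 5. Computer account SIDs are the identities used for remote authentication,
    #    so a duplicate there is a real problem.
    by_computer = defaultdict(list)
    for r in inventory:
        if r["computer_sid"]:
            by_computer[r["computer_sid"]].append(r["host"])
    for sid, hosts in sorted(by_computer.items()):
        if len(hosts) > 1:
            findings.append(("error", "computer account SID %s shared by %s"
                             % (sid, ", ".join(hosts))))
    return findings


def errors(inventory):
    return [msg for severity, msg in audit(inventory) if severity == "error"]
```

On the constructed inventory the three cloned workstations sharing one machine SID produce a single informational line, while the cloned second domain produces two errors: the shared domain SID and the shared computer account SID of its first DC. Dropping dc11 from the inventory leaves no errors at all.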

New Best Practices

As a result, the duplicate-SID problem disappears. This is another typical story of a rumor that loops around: I thought you thought he thought I knew you knew that I knew. NewSID never did anything meaningful, so there is no need to mourn the tool. Microsoft's policy on duplicate SIDs will also be revised; in the future Sysprep will be updated so that the SID-generation step can be skipped. Note, however, that Sysprep also resets other machine-specific state that can cause problems if duplicated, such as the WSUS client problems caused by duplicated state. Therefore Microsoft's supported policy still requires image-deployed systems to be made unique with Sysprep.

--- The final fancy separator ---
The translation took three hours. There may be some errors in computer names, but you should get the general meaning. The other point is that we should not merely ask whether the problem has been fixed. You must keep the mindset that nothing is always correct, and that you can only understand something by stepping outside a fixed way of thinking.
