Security Identifier (SID) is a unique, immutable identifier of a user account, user group, or other security principal in the

Windows NT family Windows NT is a proprietary graphical operating system produced by Microsoft as part of its Windows product line, the first version of which, Windows NT 3.1, was released on July 27, 1993. Originally made for the workstation, office, and ser ...

of operating systems. A security principal has a single SID for life (in a given

Windows domain A Windows domain is a form of a computer network in which all user accounts, computers, printers and other security principals, are registered with a central database located on one or more clusters of central computers known as domain controlle ...

), and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "Jane Smith" to "Jane Jones") without affecting the security attributes of objects that refer to the principal.

Overview

Windows grants privileges and access to resources based on

access control list In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object or facility). An ACL specifies which users or system processes are granted access to resources, as well as what operations are ...

s (ACLs). Each entry on the list defines one SID and a set of permissions for that SID. When a user logs into a PC, Windows generates an access token that contains the user SID, the group SIDs to which the user account belongs, and the user privilege level. When a user requests access to a resource, its ACL is checked against the user's access token to permit or deny particular action on a particular object.

Structure

The human-readable representation of a SID is a string that starts with "S-" and consists of several dash-separated numbers. For example, "S-1-5-21-3623811015-3361044348-30300820-1013" could be a user account's SID. The following table explains the components of this example SID. Originally, SIDs were supposed to allow arbitrarily deep nesting, with each level allowed to create sub-authorities underneath itself. However, that goal was abandoned early in Windows NT development, when it was decided that it would be too unmanageable in practice; by then, however, the SID format had already been finalized and was in heavy use in the Windows code.

Identifier authority

Identifier authorities are formally defined as six-byte (48-bit) quantities. The identifier authority is expressed in decimal if its value is less than 2³², otherwise in hexadecimal. However, while this is the behavior formally defined by Microsoft, and implemented by the relevant Windows APIs (e.g. RtlConvertSidToUnicodeString), hexadecimal identifier authorities appear to have never been used in practice. All known values fit in the least significant byte, and the other 5 bytes are always zero. Identifier authorities are stored in

big-endian '' Jonathan_Swift.html" ;"title="Gulliver's Travels'' by Jonathan Swift">Gulliver's Travels'' by Jonathan Swift, the novel from which the term was coined In computing, endianness is the order in which bytes within a word (data type), word of d ...

format, even on little-endian CPU architectures.

Subauthority

Domain SIDs

SIDs that start with "S-1-5-21" are noticeably longer than most other SIDs (with the notable exception of service SIDs). Their general format is: S-1-5-21--, where is in the form of <32-bit>-<32-bit>-<32-bit>. The Domain ID uniquely identifies a

. The RID specifies a principal (user account, group account, or computer account) within that domain. If the RID portion is greater than 1000, the resulting SID pertains an admin-defined user account, user group, or computer account, e.g., S-1-5-21-3361044348-303008203623811015-1001. The name of this account could be anything, e.g., Domain.local\JaneDoe. If the RID portion is smaller than 1000, the resulting SID pertains a predefined (built-in) user account or user group. For example, RID 500 identifies the controversial "Administrator" user account while RID 512 pertains the "Domain Admins" group.

Machine SIDs

Machine SIDs are variety of domain SIDs (S-1-5-21) with a 96-bit domain ID (a machine is considered its own local domain) but no RID. Their general format is: S-1-5-21-, where is in the form of <32-bit>-<32-bit>-<32-bit>. The machine SID is stored in the SECURITY hive of the

Windows Registry The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, a ...

, more specifically at HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account. This key has two values: F and V. The latter is a raw binary value that has the machine SID embedded within it at the end of its data (last 96 bits). (Some sources state that it is stored in the SAM hive instead.) The machine SID is stored in a raw-bytes form in the registry. To convert it into the more common numeric form, one interprets it as three,

little endian '' Jonathan_Swift.html" ;"title="Gulliver's Travels'' by Jonathan Swift">Gulliver's Travels'' by Jonathan Swift, the novel from which the term was coined In computing, endianness is the order in which bytes within a word (data type), word of d ...

, 32-bit integers, converts them to decimal, and add hyphens between them.

Service SIDs

Service SIDs are a feature of

service isolation Service may refer to: Activities * Administrative service, a required part of the workload of university faculty * Civil service, the body of employees of a government * Community service, volunteer service for the benefit of a community or a ...

, introduced in

Windows Vista Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, released five years earlier, which was then the longest time span between successive releases of Microsoft W ...

and

Windows Server 2008 Windows Server 2008, codenamed "Longhorn Server" (alternatives: "Windows Vista Server" or "Windows Server Vista"), is the seventh major version of the Windows NT operating system produced by Microsoft to be released under the Windows Server b ...

. Any service with the "unrestricted" SID-type property will have a service-specific SID added to the access token of the service host process, allowing permissions for a single service to be managed without necessitating the creation of service accounts. Each service SID is a local, machine-level SID that has the general form of S-1-5-80-. To generate , Windows copies the service name (in

UTF-16 UTF-16 (16-bit Unicode Transformation Format) is a character encoding that supports all 1,112,064 valid code points of Unicode. The encoding is variable-length as code points are encoded with one or two ''code units''. UTF-16 arose from an earli ...

encoding), converts all characters to uppercase, and calculates the

SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits. It was designed by the United States ...

digest of said uppercase name. This digest becomes the . The sc.exe

command Command may refer to: Computing * Command (computing), a statement in a computer language * command (Unix), a Unix command * COMMAND.COM, the default operating system shell and command-line interpreter for DOS * Command key, a modifier key on A ...

can be used to generate this special SID value; for example, given the "dnscache" service: C:\>sc query NAME: dnscache SERVICE SID: S-1-5-80-859482183-879914841-863379149-1145462774-2388618682 Therefore, the "dnscache" service can be referred to as either NT SERVICE\dnscache or S-1-5-80-859482183-879914841-863379149-1145462774-2388618682. Since a Service SID is determined exclusively by the service name, the value of the SID for a given service is always the same across all machines wherever the service runs.

Duplicated SIDs

A common method of mass-producing Windows PCs is to install Windows on a template machine, and duplicate its disk sector by sector to other identical machines. As a result, these mass-produced machines are identical in every respect, including their SIDs. Microsoft engineer

Mark Russinovich Mark Eugene Russinovich (born December 22, 1966) is a Spanish-born American software engineer and author who serves as CTO of Microsoft Azure. He was a cofounder of software producers Winternals before Microsoft acquired it in 2006. Early lif ...

is the creator of a

utility In economics, utility is a measure of a certain person's satisfaction from a certain state of the world. Over time, the term has been used with at least two meanings. * In a normative context, utility refers to a goal or objective that we wish ...

called NewSID, the purpose of which is to solve "The SID Duplication Problem." Microsoft has retired the utility on November 2, 2009, because, Mark and the Windows security team have concluded that duplicate SIDs do not pose any problem whatsoever.

Footnotes

References

External links

* Official
ObjectSID and Active Directory
*
Microsoft TechNet: Server 2003: Security Identifiers Technical Reference
*
MSKB154599: How to Associate a Username with a Security Identifier
*
MSKB243330: Well-known security identifiers in Windows operating systems
*
Support tools for Windows Server 2003 and Windows XP
*
Security Identifiers - Windows Security docs
* Other

*

{{Authority control Identifiers Microsoft Windows security technology Unique identifiers Windows NT architecture