Security Identifier


A Security Identifier (SID) is a unique, unchanging identifier that the Windows operating system uses to identify a user, a group, or another security principal.

Once generated, a SID is never reused and will not collide with any other SID anywhere; it also does not change when the account is renamed. If a user account is deleted and an account with the same name is created again, the new account receives a different SID. This is why access control entries refer to SIDs rather than names, and why an ACL can show an unresolved SID after the account it named has been deleted.

User SID format

The SID format can be explained with the following example: "S-1-5-21-3623811015-3361044348-30300820-1013"

  • S: the string is a SID.
  • 1: the revision level (the version of the SID specification).
  • 5: the identifier authority value (here NT Authority).
  • 21-3623811015-3361044348-30300820: the domain or local computer identifier (sub-authority 21 followed by three 32-bit values that identify the domain or machine).
  • 1013: the relative ID (RID). Any user or group that was not created by default has a RID of 1000 or greater.

Identifier authority values

可能的值:

Decimal | Name                        | Display name      | First introduced     | Notes
0       | Null Authority              |                   |                      | e.g. "Nobody"
1       | World Authority             | (not shown)       |                      | e.g. well-known groups such as "Everyone"
2       | Local Authority             | (not shown)       |                      | e.g. flag SIDs like "CONSOLE LOGON"
3       | Creator Authority           |                   |                      |
4       | Non-unique Authority        |                   |                      |
5       | NT Authority                | NT AUTHORITY\     |                      | Managed by the NT security subsystem. There are many sub-authorities, such as "BUILTIN" and every Active Directory Windows domain.
9       | Resource Manager Authority  |                   | Windows Server 2003  | [1][2]
11      | Microsoft Account Authority | MicrosoftAccount\ | Windows 8            |
16      | Mandatory Label Authority   | Mandatory Label\  | Windows Vista        | Used as part of Mandatory Integrity Control

Machine SID format

The machine SID is stored in the SAM registry hive, under the key SAM\Domains\Account (HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account when the hive is mounted). That key has two values, F and V. V is a binary value with the computer's SID embedded at the end of its data; its last 12 bytes (96 bits) are the three 32-bit sub-authorities that make the SID unique to this machine.[3]

  • "NewSID ensures that this SID is in a standard NT 4.0 format (3 32-bit subauthorities preceded by three 32-bit authority fields). Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3 subauthority values that make up a computer SID."
    (From the NewSID readme.)


The SID is what file, registry, service and user permissions actually refer to. The machine SID can be read in hexadecimal form from:

  • regedit.exe: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
  • explorer.exe: %windir%\system32\config\SAM

If the SAM hive is missing at startup, a backup copy is retrieved, again in hexadecimal form, from:

  • regedit.exe: HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
  • explorer.exe: %windir%\system32\config\SECURITY

By default only SYSTEM has read access to the SAM and SECURITY keys, so regedit has to run as SYSTEM (for example via psexec -s) to see them, and the hive files under %windir%\system32\config are held open by the kernel while Windows is running, so they are normally read offline from a volume shadow copy or a mounted disk image.

The SID is usually written in its decimal string form.[4] Converting the 12 raw bytes works as follows:

Example
2E,43,AC,40,C0,85,38,5D,07,E5,3B,2B
1) Divide the bytes into 3 sections of 4 bytes:
2E,43,AC,40 - C0,85,38,5D - 07,E5,3B,2B
2) Reverse the order of bytes in each section (each value is stored little-endian):
40,AC,43,2E - 5D,38,85,C0 - 2B,3B,E5,07
3) Convert each section into decimal:
1085031214 - 1563985344 - 725345543
4) Add the machine SID prefix S-1-5-21-:
S-1-5-21-1085031214-1563985344-725345543
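The conversion above, as an added example that is not code from the article or from Windows. machine_sid_from_tail() performs the four steps on the last 12 bytes of the V value; parse_binary_sid() and sid_to_binary() go one step beyond the text and handle the complete binary SID layout that Windows stores in tokens, ACLs and registry values (1 byte revision, 1 byte sub-authority count, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities). That layout, and the sample bytes, are supplied here as background; only the 12-byte example comes from the page.

```python
"""Added example (not code from the Wikipedia article or from Windows): turn
the raw bytes found in the registry into a SID string.

machine_sid_from_tail() performs the article's four steps on the last 12 bytes
of the SAM ...\\Domains\\Account\\V value. parse_binary_sid() and sid_to_binary()
handle the full binary SID layout (revision, sub-authority count, 48-bit
big-endian identifier authority, little-endian sub-authorities); that layout is
stated here as background and is not taken from the article.
"""
import struct

SID_MAX_SUB_AUTHORITIES = 15   # SID_MAX_SUB_AUTHORITIES in winnt.h


def machine_sid_from_tail(tail: bytes) -> str:
    """Steps 1-4 of the article: 3 dwords, byte-swapped, prefixed with S-1-5-21."""
    if len(tail) < 12:
        raise ValueError("need at least the last 12 bytes of the V value")
    # '<III' reads three little-endian dwords, which is exactly the
    # 'reverse the bytes in each section, then convert to decimal' step.
    a, b, c = struct.unpack("<III", tail[-12:])
    return f"S-1-5-21-{a}-{b}-{c}"


def parse_binary_sid(blob: bytes) -> str:
    """Decode a binary SID; raises ValueError instead of reading past a short buffer."""
    if len(blob) < 8:
        raise ValueError("truncated SID header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"too many sub-authorities: {count}")
    if len(blob) < 8 + 4 * count:
        raise ValueError("truncated sub-authorities")
    authority = int.from_bytes(blob[2:8], "big")            # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", blob[8:8 + 4 * count])  # little-endian dwords
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def sid_to_binary(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' back into the binary layout (inverse of parse_binary_sid)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


# Constructed sample input: the 12 bytes from the article's worked example.
SAMPLE_TAIL = bytes.fromhex("2E43AC40C085385D07E53B2B")

if __name__ == "__main__":
    sid = machine_sid_from_tail(SAMPLE_TAIL)
    print(sid)                                  # S-1-5-21-1085031214-1563985344-725345543
    blob = sid_to_binary(sid)
    print(blob.hex(), parse_binary_sid(blob))   # round trip through the binary layout
```

Because the V value ends with the complete binary SID, the trailing 12 bytes the article slices out are simply the last three little-endian sub-authorities of that structure; the same parser therefore also decodes the SIDs found in security descriptors or in the SECURITY hive's PolAcDmS value.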


Service SID format

Service SIDs are a feature of service isolation, a security feature introduced in Windows Vista and Windows Server 2008.[5] Any service whose SID type is set to "unrestricted" (or "restricted", which additionally places the SID in the token's restricting-SID list) has a service-specific SID added to the access token of the service host process, so an ACL can grant or deny access to that one service even when several services share a host process and a logon account.

The purpose of service SIDs is to allow the permissions of a single service to be managed without creating a dedicated service account for it, which would be an administrative overhead.

Each service SID is a local, machine-level SID derived from the service name using the following formula:

S-1-5-80-{SHA-1(service name in upper case)}

The 160-bit SHA-1 digest is split into five 32-bit sub-authorities, so every service SID has exactly five numbers after the 80. Because the SID is a pure function of the name, a given service has the same SID on every machine, and the SID can be computed or recognised without consulting the service control manager.

The sc.exe utility can display the service SID for an arbitrary service name (the service does not have to be installed, since the SID depends only on the name):

sc.exe showsid dnscache

NAME: dnscache
SERVICE SID: S-1-5-80-859482183-879914841-863379149-1145462774-2388618682
STATUS: Active

The service can also be referred to as NT SERVICE\<service_name> (e.g. "NT SERVICE\dnscache").
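The derivation the section describes, as an added example that is not the article's, Microsoft's or sc.exe's code. service_sid() computes the S-1-5-80 SID from a name, and identify_service() does the reverse lookup an analyst needs when a token or ACL shows an S-1-5-80-... SID with no name resolution. One assumption is made that the page does not state: the SHA-1 input is the service name upper-cased and encoded as UTF-16LE, and the 20-byte digest is read as five little-endian 32-bit sub-authorities. The list of candidate service names is constructed for the example.

```python
"""Added example (not the article's, Microsoft's or sc.exe's code): compute a
service SID from a service name and map an S-1-5-80 SID back to a name.

Assumption not stated on the page: SHA-1 is taken over the upper-cased name
encoded as UTF-16LE, and the 20-byte digest is read as five little-endian
32-bit sub-authorities. KNOWN_SERVICES is a constructed candidate list.
"""
import hashlib
import struct
from typing import Iterable, Optional

SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid(service_name: str) -> str:
    """S-1-5-80-{SHA-1(upper-cased name)} with the digest split into 5 dwords."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()  # 20 bytes
    subs = struct.unpack("<5I", digest)
    return SERVICE_SID_PREFIX + "".join(f"-{s}" for s in subs)


def is_service_sid(sid: str) -> bool:
    """True for well-formed service SIDs: exactly five numeric sub-authorities after 80."""
    parts = sid.split("-")
    return (len(parts) == 9
            and parts[:4] == ["S", "1", "5", "80"]
            and all(p.isdigit() for p in parts[4:]))


def identify_service(sid: str, candidate_names: Iterable[str]) -> Optional[str]:
    """Reverse the one-way derivation by hashing each known service name.

    The hash is case-insensitive, so 'dnscache' and 'Dnscache' both match.
    Returns None when the SID is not a service SID or no candidate hashes to it.
    """
    if not is_service_sid(sid):
        return None
    for name in candidate_names:
        if service_sid(name) == sid:
            return name
    return None


def virtual_account_name(service_name: str) -> str:
    """The name form accepted by tools such as icacls: NT SERVICE\\<service_name>."""
    return f"NT SERVICE\\{service_name}"


# Constructed sample: service names as they appear under HKLM\SYSTEM\...\Services.
KNOWN_SERVICES = ["Dhcp", "Dnscache", "W32Time", "Spooler"]

if __name__ == "__main__":
    print(service_sid("dnscache"))
    print(identify_service(service_sid("DNSCACHE"), KNOWN_SERVICES))
    print(virtual_account_name("Dnscache"))
```

The reverse lookup is a brute force over a candidate list because SHA-1 cannot be inverted; in practice the candidate list is the set of service names from the registry or from an enumeration of the service control manager on the machine being investigated.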

