Windows Security — SID (Security Identifier)

Shlomi Boutnaru, Ph.D.
2 min read · Aug 8, 2023


The goal of an SID is to uniquely identify a security principal or group. By security principal we mean any entity that can authenticate to the operating system, such as a user/computer account or a thread/process that runs in the security context of one of those. Every time a user logs on, the system creates an access token for that user (more on that in a future writeup). This access token holds the user’s SID, the user’s privileges and the SIDs of any groups the user is a member of (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers).

Moreover, an SID has a specific format, which we can split into three main parts: revision, identifier authority and sub authorities. The revision specifies the version of the SID structure. The identifier authority specifies the highest level of authority that can issue an SID for a security principal. The sub authorities hold the most important information (they can identify a local computer or a domain), and the last sub authority is the RID (relative identifier), which identifies a specific user/group within that local computer/domain, as shown in the diagram below (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-azod/ecc7dfba-77e1-4e03-ab99-114b349c7164).

Examples of well-known SIDs are “S-1-1-0” (the group that includes all users) and “S-1-0-0” (aka the NULL SID, a group with no members). They are called “universal well-known SIDs” (https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids). There are also well-known RIDs, such as 500 (Administrator) and 501 (Guest). Since Windows Vista/Server 2008 most of the system files are owned by the “TrustedInstaller” SID, in order to prevent a process running with Administrator/Local System permissions from overwriting the OS files (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers).
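To make the format and the well-known values concrete, here is an added Python example (not code from the post) that parses an SID from its textual form and from the binary layout (revision byte, sub authority count byte, 6-byte big-endian identifier authority, little-endian 32-bit sub authorities) into the parts described above, exposes the RID, and labels the well-known SIDs and RIDs the post names; the lookup tables are deliberately limited to those values.

```python
import struct
from dataclasses import dataclass

# Well-known SIDs and RIDs named in the post (these tables are not exhaustive).
WELL_KNOWN_SIDS = {"S-1-0-0": "NULL SID (group with no members)",
                   "S-1-1-0": "Everyone (all users)"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

@dataclass(frozen=True)
class SID:
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    @property
    def rid(self):
        # The last sub authority is the relative identifier (RID).
        return self.sub_authorities[-1] if self.sub_authorities else None

    def __str__(self):
        head = "S-%d-%d" % (self.revision, self.identifier_authority)
        return head + "".join("-%d" % s for s in self.sub_authorities)

def parse_sid_string(text):
    """Parse the textual form S-<revision>-<identifier authority>[-<sub authority>...]."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(parts[1:]):
        raise ValueError("not a SID string: %r" % text)
    # The identifier authority is written as hex (0x...) once it exceeds 32 bits.
    authority = int(parts[2], 16) if parts[2].lower().startswith("0x") else int(parts[2])
    return SID(int(parts[1]), authority, tuple(int(p) for p in parts[3:]))

def parse_sid_binary(data):
    """Parse the binary layout: revision (1 byte), sub authority count (1 byte),
    identifier authority (6 bytes, big-endian), then little-endian 32-bit sub authorities."""
    if len(data) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub authority count %d does not match %d bytes" % (count, len(data)))
    authority = int.from_bytes(data[2:8], "big")
    return SID(revision, authority, struct.unpack("<%dI" % count, data[8:]))

def describe(sid):
    """Name the principal if the SID or its RID is well known, else None."""
    if str(sid) in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[str(sid)]
    # Well-known RIDs are relative to a domain or local machine SID (S-1-5-21-...).
    if sid.identifier_authority == 5 and sid.sub_authorities[:1] == (21,):
        return WELL_KNOWN_RIDS.get(sid.rid)
```

A length check on the binary form matters in practice: an SID whose sub authority count does not match the buffer is rejected rather than silently truncated.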

Lastly, there are also “Capability SIDs”, which grant access to specific resources (such as the camera, documents, location and more). The capability SIDs that the system is aware of are stored in the registry value “AllCachedCapabilities” under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses” (https://renenyffenegger.ch/notes/Windows/security/SID/index).

See you next time ;-) You can also follow me on twitter — @boutnaru (https://twitter.com/boutnaru).
