Killing The Myth: The Machine SID Duplication
The most popular posts on this blog are those about the Security Identifier (SID). Readers are interested in how to change a SID using NewSID (which, by the way, is no longer supported), how to check a SID using PsGetSID and how to change a SID using Sysprep. Mark Russinovich, Technical Fellow at Microsoft (founder of Sysinternals and author of NewSID), described why he thought having two computers with the same SID could be a problem:
A machine SID is a unique identifier generated by Windows Setup that Windows uses as the basis for the SIDs for administrator-defined local accounts and groups. After a user logs on to a system, they are represented by their account and group SIDs with respect to object authorization (permissions checks). If two machines have the same machine SID, then accounts or groups on those systems might have the same SID. It’s therefore obvious that having multiple computers with the same machine SID on a network poses a security risk, right?
Then, in quite a long post, The Machine SID Duplication Myth, he explained why two machines having the same SID is actually not a security risk. I won't copy-paste the whole post, but here is the bottom line:
It’s a little surprising that the SID duplication issue has gone unquestioned for so long, but everyone has assumed that someone else knew exactly why it was a problem. To my chagrin, NewSID has never really done anything useful and there’s no reason to miss it now that it’s retired. Microsoft’s official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation.
So, there is no need to change SIDs anymore. Good news.
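The relationship described above (every local account SID is the machine SID followed by a relative identifier, the RID) can be inspected without NewSID or PsGetSID. The following is an added PowerShell example, not code from the original post; it assumes Windows 10 / Server 2016 or later, where Get-LocalUser is available, and relies on the built-in Administrator account always carrying RID 500.

```powershell
# Added example (not from the original post): read the machine SID from the
# local account SIDs instead of running PsGetSid or NewSID.
# Every local account SID has the form S-1-5-21-<a>-<b>-<c>-<RID>, where
# S-1-5-21-<a>-<b>-<c> is the machine SID generated by Setup.
# Assumption: Windows 10 / Server 2016 or later (Get-LocalUser available).

function Get-MachineSid {
    # The built-in Administrator always has RID 500, even if renamed or disabled.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator (RID 500) not found.' }
    # SecurityIdentifier.AccountDomainSid strips the trailing RID and
    # leaves the machine (or domain) SID.
    return $admin.SID.AccountDomainSid.Value
}

function Show-LocalAccountSids {
    # List each local account with its SID split into machine SID and RID,
    # so the "machine SID as the basis for local account SIDs" point is visible.
    $machineSid = Get-MachineSid
    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Sid         = $_.SID.Value
            MachineSid  = $_.SID.AccountDomainSid.Value
            Rid         = $_.SID.Value.Split('-')[-1]
            BasedOnThis = ($_.SID.AccountDomainSid.Value -eq $machineSid)
        }
    }
}

"Machine SID: $(Get-MachineSid)"
Show-LocalAccountSids | Format-Table -AutoSize
```

Running this on two machines cloned from the same image will show identical MachineSid values; as the post above explains, that duplication is not by itself a security problem, since these local SIDs only have meaning on the machine that issued them.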