
    Killing The Myth: The Machine SID Duplication


    The most popular posts on this blog are those about the Security Identifier (SID): users want to know how to change a SID with NewSID (which, by the way, is no longer supported), how to check a SID with PsGetSid, and how to change a SID with Sysprep. Mark Russinovich, Technical Fellow at Microsoft (founder of Sysinternals and author of NewSID), described why he had thought that two computers sharing the same SID could be a problem:

    A machine SID is a unique identifier generated by Windows Setup that Windows uses as the basis for the SIDs for administrator-defined local accounts and groups. After a user logs on to a system, they are represented by their account and group SIDs with respect to object authorization (permissions checks). If two machines have the same machine SID, then accounts or groups on those systems might have the same SID. It’s therefore obvious that having multiple computers with the same machine SID on a network poses a security risk, right?

    Then, in a fairly long post, The Machine SID Duplication Myth, he explained why two machines having the same SID is actually not a security risk. I won’t copy and paste the whole post, but here is the bottom line:

    It’s a little surprising that the SID duplication issue has gone unquestioned for so long, but everyone has assumed that someone else knew exactly why it was a problem. To my chagrin, NewSID has never really done anything useful and there’s no reason to miss it now that it’s retired. Microsoft’s official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation.

    So, there is no need to change SIDs anymore. Good news.
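    The quoted paragraph above rests on one mechanism: every local account SID is the machine SID with a relative identifier (RID) appended, so two hosts with the same machine SID have identical SIDs for their local accounts. The following PowerShell is an added example written for this page, not code from the original post or from Sysinternals. It recovers the machine SID from the built-in Administrator account (always RID 500) and flags hosts in a constructed inventory whose machine SIDs collide. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); the function names and the host names in the sample are my own.

```powershell
# Added example, not part of the original post or of Sysinternals.
# Requires the LocalAccounts module (Get-LocalUser) shipped with
# Windows 10 / Windows Server 2016 and later.

function Get-MachineSid {
    # A local account SID has the form <machine SID>-<RID>. The built-in
    # Administrator always carries RID 500, so its AccountDomainSid
    # (the SID with the last component removed) is the machine SID.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if (-not $admin) { throw 'Built-in Administrator (RID 500) not found' }
    return $admin.SID.AccountDomainSid.Value
}

function Find-DuplicateMachineSid {
    # $Inventory maps hostname -> machine SID string, for instance the
    # results of running Get-MachineSid on each host of a fleet.
    param([Parameter(Mandatory)][hashtable]$Inventory)

    $Inventory.GetEnumerator() |
        Group-Object -Property Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Hosts      = ($_.Group | ForEach-Object { $_.Key }) -join ', '
                # Because the machine SID is shared, every local account on
                # these hosts shares its SID too; the Administrator is one case.
                AdminSid   = "$($_.Name)-500"
            }
        }
}

# Constructed sample inventory (hypothetical hosts, not real data): two
# clones of one image plus one freshly installed machine.
$sample = @{
    'HOST01' = 'S-1-5-21-1111111111-2222222222-3333333333'
    'HOST02' = 'S-1-5-21-1111111111-2222222222-3333333333'
    'HOST03' = 'S-1-5-21-4444444444-5555555555-6666666666'
}

Find-DuplicateMachineSid -Inventory $sample | Format-List

# On a live host, Get-MachineSid returns that host's own machine SID, which
# can then be added to an inventory like $sample.
```

    Running this against the sample lists HOST01 and HOST02 under one machine SID together with the Administrator SID they consequently share; HOST03 is not reported. The same derivation works for any local account: replace the RID 500 match with the RID of the account you care about.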
    • Nospam

      BS. Mark had to drink the Microsoft Kool-Aid. Duplicate SIDs are a problem for both the OS, security as well as third party applications which assume and require unique machine SIDs. What really happened is that some sensitive Microsoft dev people forced Mark to issue a retraction. They don’t after all like to have their sensitive development egos inconvenienced in any way…

    • Zdravke

      Agreed! This is the most surprising statement I have come across in a long time. Just try to add a Windows machine to a domain with a SID duplicated from one already in the domain, and it will not work! It’s so easy to verify in so many different ways!

    • Jazzy_j

      Exchange 2010 SP1 breaks completely if your Domain controller and Exchange server have the same SID, so I’m afraid Mark is completely mistaken on this one…

    • Roger Relevant (pingback): Yes you do need to worry about SIDs when you clone virtual machines – reasserting the ‘myth’ (http://rogerrelevant.wordpress.com/2014/01/08/yes-you-do-need-to-worry-about-sids-when-you-clone-virtual-machines-reasserting-the-myth/)

      […] find out that (near the top of Google’s results) was an article (also referred to here and here) written by seriously clever (Microsoft-associated) people telling me that it was no longer […]
