(Inspired by Mark Russinovic’s Blog entry “The Machine SID Duplication Myth”)
On the 3rd November 2009, Sysinternals retired ‘NewSID’, a utility that changes a computers machine Security Identifier (machine SID), but why?
What is a SID?
A Security Identifier (commonly abbreviated to SID) is a unique name (an alphanumeric character string) which is assigned by a Windows Domain controller during the log on process that is used to identify a subject, such as a user or a group of users in a network of NT/2000 systems.
How are duplicate SIDs created?
For those who are unfamiliar with the concept, when machines are cloned using imaged systems the new machine will contain the same SID as the original. If two machines have the same machine SID, then accounts or groups on those systems might have the same SID.
Common sense in de-duplication?
As most IT professionals who work with virtual technologies will attest, when creating virtual machines from templates, conventional wisdom dictates that the new machine’s SID must be changed as the clone retains a facsimile of the parent’s. However, Mark Russinovic (Microsoft Fellow, OS Guru and creator of ‘NewSID’)and Microsoft have delved deeper into this idea and concluded that changing the SID of machines that contain facsimile entries is unnecessary. This came to light when Mark was investigating bugs with NewSID in windows Vista, he realised that he could not conceive of a scenario where duplicate SIDs could cause a security risk / vulnerability. Mark took this concept to Microsoft’s Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue – further investigation by Microsoft is yet to find such a risk. Food for thought next time you clone a machine.
To view the entire article, please see Mark’s blog:
http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx
No comments:
Post a Comment