
SID Stalking: Cloning Windows NT

The big problem, according to Microsoft, is that identical SIDs can compromise security on standalone (workgroup) workstations. Suppose Leo's brand-new workstation has a machine SID of 32768 (a real machine SID is far longer; the short number is only for illustration) and we duplicate his drive to ours: our workstation then carries SID 32768 as well. If each of us now creates a local user, "Jonathan" on our machine and "Leo" on his, both accounts receive the same starting relative ID and both have the supposedly unique machine SID prepended to it. The two accounts therefore end up with the same fully qualified numerical identifier, 32768-1001, and since NT checks access by SID rather than by name, we could read Leo's files after connecting to his machine (and vice versa).

In practice this does not arise on an enterprise network, where other mechanisms such as NT domain authentication or NDS authentication are at work, because workgroup-based NT is an administrative hassle with large numbers of users and workstations. In an NT domain the domain SID, rather than the workstation SID, is the prefix of a user's fully qualified numerical ID, so every domain user ID is guaranteed to be unique no matter what SID the workstation carries.

Although various services store the machine SID in their registry keys, experience has shown that a duplicate SID makes no difference to the day-to-day operation of a given group of workstations. Nonetheless, because Microsoft says duplicate machine SIDs are a bad idea, the prudent course is to use a SID generator tool to correct the problem.

A SID generator walks the machine's local registry, performing what amounts to a huge search-and-replace on every binary and textual machine SID entry it finds. Micro House's ImageCast does this while it duplicates a hard-drive image: it assigns a new SID and patches the registry files as it writes them. The drawback is that you must run a duplication operation to get a new SID onto a workstation.
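The SID layout behind the colliding 32768-1001 identifiers above, and the search-and-replace a SID generator performs, can be made concrete. The following Python is an added example written for this page; it is not code from Microsoft, ImageCast, Ghost Walker, NewSID or SIDgen, and the two machine SIDs and the miniature registry "hive" are constructed values. It encodes and decodes the binary SID structure, shows two first-created accounts on a cloned machine colliding, and then reseeds the hive by replacing the three machine-specific subauthorities inside binary values and the textual prefix inside string values, which is the essence of what these tools do.

```python
import re
import struct

# Binary SID layout (as stored in the registry and in NTFS security
# descriptors): revision (1 byte), subauthority count (1 byte),
# identifier authority (6 bytes, big-endian), then one little-endian
# 32-bit word per subauthority.


def sid_to_bytes(sid):
    """Encode a textual SID such as S-1-5-21-a-b-c-1001 into its binary form."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob):
    """Decode a binary SID back into its textual form."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def account_sid(machine_sid, rid):
    """A local account's SID is the machine SID with the account's RID appended."""
    return "%s-%d" % (machine_sid, rid)


def machine_tail(machine_sid):
    """The 12 bytes (three subauthorities) unique to one machine.

    They appear verbatim inside every account SID derived from that machine,
    which is why a SID changer searches for this tail rather than the whole
    machine SID: the subauthority-count byte differs between the machine SID
    (4 subauthorities) and an account SID (5).
    """
    return sid_to_bytes(machine_sid)[-12:]


def reseed_binary(blob, old_machine, new_machine):
    """Replace the old machine's subauthorities wherever they occur in a binary value."""
    return blob.replace(machine_tail(old_machine), machine_tail(new_machine))


def reseed_text(text, old_machine, new_machine):
    """Replace the textual machine-SID prefix; the lookahead stops a prefix
    from matching a longer SID that merely shares its leading digits."""
    pattern = re.escape(old_machine) + r"(?![0-9])"
    return re.sub(pattern, new_machine, text)


def reseed_hive(hive, old_machine, new_machine):
    """Walk a simulated registry hive {name: (type, value)} and rewrite both kinds of entry."""
    out = {}
    for name, (kind, value) in hive.items():
        if kind == "REG_BINARY":
            value = reseed_binary(value, old_machine, new_machine)
        elif kind == "REG_SZ":
            value = reseed_text(value, old_machine, new_machine)
        out[name] = (kind, value)
    return out


# Constructed machine SIDs for the demonstration (assumed, not real machines).
LEO_MACHINE = "S-1-5-21-1606980848-1844823847-725345543"
FRESH_MACHINE = "S-1-5-21-3623811015-3361044348-30300820"


def clone_collision():
    """The first user on Leo's machine and on its clone both get RID 1001, so the SIDs collide."""
    leo = account_sid(LEO_MACHINE, 1001)       # on Leo's original workstation
    jonathan = account_sid(LEO_MACHINE, 1001)  # on the duplicated drive
    return leo, jonathan


def demo_reseed():
    """Reseed the clone's hive; afterwards Jonathan's SID no longer matches Leo's."""
    leo, jonathan = clone_collision()
    sid_len = len(sid_to_bytes(jonathan))
    hive = {  # constructed hive fragment: a binary value wrapping the SID, a string value, an unrelated value
        "Users\\000003E9\\V": ("REG_BINARY", b"\x01\x00" + sid_to_bytes(jonathan) + b"\xff"),
        "ProfileList\\Sid": ("REG_SZ", jonathan),
        "Comment": ("REG_SZ", "no sid here"),
    }
    patched = reseed_hive(hive, LEO_MACHINE, FRESH_MACHINE)
    new_binary_sid = bytes_to_sid(patched["Users\\000003E9\\V"][1][2:2 + sid_len])
    new_text_sid = patched["ProfileList\\Sid"][1]
    return leo, new_binary_sid, new_text_sid


if __name__ == "__main__":
    print("cloned accounts collide:", clone_collision())
    print("after reseed (leo, jonathan binary, jonathan text):", demo_reseed())
```

Two points the toy makes visible about the real tools: the replacement is the same length as the search pattern, so registry values never need resizing, and the search is blind, so a 12-byte pattern that happens to occur in unrelated binary data would be rewritten too. A production tool must also rename registry keys that embed the SID (profile lists, for example) and patch NTFS security descriptors on disk, which the simulated hive above does not model.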

Symantec's Ghost Walker was written specifically to fix identical SIDs on workstations that already exist. Booted from a DOS disk, it locates the hard drive's NT partition and rewrites its registry in place. In many instances this works fine.

Systems Internals' NewSID and KeyLabs' SIDgen can also assign SIDs to workstations, and because they are NT (rather than DOS) programs and can talk to the network, they offer additional features. An NT domain has a single SID (the primary and backup domain controllers share it), so to move a backup domain controller into a different domain, both utilities let you synchronize the backup controller's SID with that domain's SID.

Although SID generators have worked well, some folks remain skeptical. Even if you can afford to spend hundreds or thousands of hours of labor as insurance against the unknowable, consider the precedent.

NT drive duplication without SID generation had been going on for the better part of a year before Microsoft issued its Knowledge Base article. Suddenly network managers had a documented problem, and the industry quickly responded with SID changers. The same would likely happen if many users ran into any other consequence of drive duplication that Microsoft hasn't yet disclosed.

Another scary Microsoft claim is that the interrogation routines in its install software are the only way to ensure that driver software matches a machine's particular BIOS, chipset and so on. The implication is that people rolling out hardware might not know to restrict an image to a batch of identical machines, and so risk intermittent or bizarre problems. Experience shows that this doesn't happen unless the person running the duplication software gets careless.

