O/S Deployment Thread (Technical forum)
  1. #1
    cookie_monster

    NewSID has been retired

    Mark Russinovich has written an interesting blog about SID duplication and how after discussion with the Windows security and deployment teams no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. It's an interesting read.

    Mark's Blog : The Machine SID Duplication Myth

  2. #2

    CHR1S
    I just skimmed the article so apologies if it's been covered, but I have had WSUS go mental because of duplicate SIDs and I'm sure something else did too but I can't remember.

  3. #3
    cookie_monster
    Quote Originally Posted by CHR1S
    I just skimmed the article so apologies if it's been covered, but I have had WSUS go mental because of duplicate SIDs and I'm sure something else did too but I can't remember.

    WSUS is affected by the WSUS ID in the registry, not the system SID. I've had the same problem.

    http://msmvps.com/blogs/athif/pages/66376.aspx

    I don't think I'll stop sysprepping clients anyway; it's just interesting from a security perspective, and it's straight from the MS security team.
    Last edited by cookie_monster; 6th November 2009 at 04:07 PM.
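A quick way to check the WSUS client identity cookie_monster is talking about, added here as an example; it is not code from the original post or from Microsoft. Cloned clients that share one SusClientId register with WSUS as a single machine, so only one of them shows up in the console. The registry path, value names and wuauclt switches are the ones Microsoft documents; the function names and the sample data are this example's own, and the sample records are constructed, standing in for what you would collect with Invoke-Command.

```powershell
# Added example: inspect (and, on the clones that collided, reset) the WSUS client identity.
# Not code from the original thread. Run in an elevated PowerShell session on the client.

$WuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-WsusClientId {
    # Returns the SusClientId that WSUS uses to tell clients apart. Cloned images
    # carry the same value, which is what makes WSUS show several PCs as one.
    $props = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        SusClientId           = $props.SusClientId
        SusClientIdValidation = $props.SusClientIdValidation   # present on newer agents only
    }
}

function Reset-WsusClientId {
    # Removes the stale identity and makes the agent mint a new one on its next check-in.
    # Requires administrator rights; nothing here touches the machine SID.
    Stop-Service -Name wuauserv -Force
    foreach ($name in 'SusClientId', 'SusClientIdValidation') {
        Remove-ItemProperty -Path $WuKey -Name $name -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv
    & wuauclt.exe /resetauthorization /detectnow
}

function Find-DuplicateWsusClientId {
    param(
        # Objects with ComputerName and SusClientId, e.g. Get-WsusClientId run through
        # Invoke-Command against every client in a room.
        [Parameter(Mandatory)] [object[]] $Records
    )
    $Records |
        Where-Object { $_.SusClientId } |
        Group-Object -Property SusClientId |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SusClientId = $_.Name
                Computers   = ($_.Group.ComputerName -join ', ')
            }
        }
}

# --- usage ---------------------------------------------------------------
# Local check on this PC:
Get-WsusClientId

# Room-wide check. Constructed sample data; replace with real Invoke-Command results.
$sample = @(
    [pscustomobject]@{ ComputerName = 'LAB-01'; SusClientId = '6a1d3f0e-1111-4aaa-9b2c-000000000001' }
    [pscustomobject]@{ ComputerName = 'LAB-02'; SusClientId = '6a1d3f0e-1111-4aaa-9b2c-000000000001' }
    [pscustomobject]@{ ComputerName = 'LAB-03'; SusClientId = '2f9c7b44-2222-4bbb-8c3d-000000000002' }
)
Find-DuplicateWsusClientId -Records $sample   # reports LAB-01 and LAB-02 sharing one ID

# Only on the clones that collided:
# Reset-WsusClientId
```

Run Reset-WsusClientId on the clones only; the first machine to register can keep its ID. Clearing SusClientIdValidation alongside SusClientId matters on newer agents, which otherwise reject a mismatched ID and regenerate nothing.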

  4. #4
    ajbritton
    It's worth reading through the comments. Several people make the point that although Windows may not rely on having unique machine SIDs, there is other software that does.

  5. #5
    p858snake
    Quote Originally Posted by cookie_monster
    Mark Russinovich has written an interesting blog about SID duplication and how after discussion with the Windows security and deployment teams no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. It's an interesting read.

    Mark's Blog : The Machine SID Duplication Myth
    I can... Classroom of 30 or so computers, all imaged without sysprep/newsid.... Means you can all access each other's admin shares and have fun with the shutdown command...

  6. #6
    mark
    Thanks for the info and followups. I'm sure there are problems on our new domain with duplicate SIDs. Machines baulk straight away.

  7. #7
    mrbios
    Interesting stuff about the difference between domain SIDs and machine SIDs; never knew any of that before now. Quite a good read, and it certainly appears plausible that you shouldn't need to, but I think it needs a lot more testing than what the Microsoft security team can do themselves in order to write it off as being a "pointless task".

  8. #8
    ajbritton
    Quote Originally Posted by p858snake
    I can... Classroom of 30 or so computers, all imaged without sysprep/newsid.... Means you can all access each other's admin shares and have fun with the shutdown command...
    Surely that's because you're either logged on as a Domain Admin (and therefore have local Admin rights on all Domain joined machines) or are using a local account which exists on all PCs and has the same password.

  9. #9
    p858snake
    Quote Originally Posted by ajbritton
    Surely that's because you're either logged on as a Domain Admin (and therefore have local Admin rights on all Domain joined machines) or are using a local account which exists on all PCs and has the same password.
    Nope, SID magic. We were all using our own accounts and they were nowhere near domain admin accounts.

  10. #10
    cookie_monster
    Quote Originally Posted by ajbritton
    It's worth reading through the comments. Several people make the point that although Windows may not rely on having unique machine SIDs, there is other software that does.
    Absolutely, the article is referring to Windows security only. I don't think you can rule out problems with third-party software, which is why I will continue to sysprep units.


    Quote Originally Posted by p858snake
    I can... Classroom of 30 or so computers, all imaged without sysprep/newsid.... Means you can all access each other's admin shares and have fun with the shutdown command...

    Only if you log on as the local admin or know the local admin password on each station; this is because they will have the same SID. If you log on as a domain user, which all users will in a domain, it has no effect on security.

  11. #11
    cookie_monster
    Quote Originally Posted by p858snake
    Nope, SID magic. We were all using our own accounts and they were nowhere near domain admin accounts.

    As all of the machines are identical, each additional 'local' account created on each machine will have the same SID, so Windows cannot tell them apart. This means that identical local accounts will be able to access other clients (if they're admins). This does NOT affect domain accounts, only local accounts; as your users shouldn't be logging on as local accounts it doesn't affect security. Also, if the passwords are different on each client, authentication to another client will fail.

  12. #12
    ajbritton
    Quote Originally Posted by cookie_monster
    As all of the machines are identical, each additional 'local' account created on each machine will have the same SID, so Windows cannot tell them apart. This means that identical local accounts will be able to access other clients (if they're admins).
    Not quite. Windows does not need to 'tell them apart' as such. A remote connection will be authenticated by username/password and as long as these match a local user account on the target PC then the connection will succeed. This is nothing to do with machine SIDs. The only time Windows would confuse two accounts based on matching machine SIDs would be in the instance where an ACL was created on a removable device and the device was connected to a second PC with the same machine SID. The second PC would see entries in the ACL as referring to local accounts rather than accounts on a different PC.
    Last edited by ajbritton; 9th November 2009 at 12:33 AM.
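To make ajbritton's point concrete: a local account's SID is the machine SID (the S-1-5-21-x-y-z prefix) with a relative ID appended, so two PCs cloned without sysprep mint the same SID for the first local user each of them creates, and an ACL carried on a removable NTFS volume resolves to "local" accounts on both. Domain accounts carry the domain's prefix instead, which is why domain logons are not affected. The following is an added example, not code from the thread; the function names are this example's own, and the lab SIDs and the ACE SID are constructed. It uses the .NET SecurityIdentifier class to split a SID into its prefix and RID, and Win32_UserAccount to read the real machine SID from the RID-500 account on the PC it runs on.

```powershell
# Added example: machine SID vs. local-account SID, and why clones collide.
# Not code from the original thread. Requires PowerShell 3 or later.

function Get-MachineSid {
    # The machine SID is the prefix shared by every local account. The built-in
    # Administrator always has RID 500, so derive the prefix from it; this works
    # even when that account has been renamed or disabled.
    $admin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    if (-not $admin) { throw 'No RID-500 local account found; is this a domain controller?' }
    (New-Object System.Security.Principal.SecurityIdentifier $admin.SID).AccountDomainSid.Value
}

function Split-Sid {
    # Break a SID into the issuing authority (machine or domain SID) and the RID.
    # Well-known SIDs such as S-1-5-18 have no account domain, so both come back null.
    param([Parameter(Mandatory)] [string] $Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier $Sid
    [pscustomobject]@{
        Sid       = $s.Value
        Authority = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
        Rid       = if ($s.AccountDomainSid) { [int]($s.Value.Split('-')[-1]) } else { $null }
    }
}

function Find-DuplicateMachineSid {
    # Given ComputerName -> machine SID, list the groups of PCs that share one.
    param([Parameter(Mandatory)] [hashtable] $SidByComputer)
    $SidByComputer.GetEnumerator() |
        Group-Object -Property Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ MachineSid = $_.Name; Computers = ($_.Group.Key -join ', ') }
        }
}

function Test-AceLooksLocal {
    # For a SID found in an ACE (say, on a USB drive formatted NTFS) and the machine SID
    # of the PC the drive is now plugged into, report whether that PC will treat the entry
    # as one of its own accounts. On a clone with the same machine SID the answer is yes.
    param(
        [Parameter(Mandatory)] [string] $AceSid,
        [Parameter(Mandatory)] [string] $LocalMachineSid
    )
    $parts = Split-Sid -Sid $AceSid
    [pscustomobject]@{
        AceSid     = $AceSid
        Rid        = $parts.Rid
        LooksLocal = ($parts.Authority -eq $LocalMachineSid)
    }
}

# --- usage ---------------------------------------------------------------
# Constructed sample: three lab PCs, the first two imaged without sysprep.
$lab = @{
    'LAB-01' = 'S-1-5-21-1111111111-2222222222-3333333333'
    'LAB-02' = 'S-1-5-21-1111111111-2222222222-3333333333'
    'LAB-03' = 'S-1-5-21-4001234567-1987654321-3210987654'
}
Find-DuplicateMachineSid -SidByComputer $lab    # LAB-01 and LAB-02

# An ACE written by the first local user (RID 1000) created on LAB-01, read on the others:
$ace = 'S-1-5-21-1111111111-2222222222-3333333333-1000'
Test-AceLooksLocal -AceSid $ace -LocalMachineSid $lab['LAB-02']   # LooksLocal = True
Test-AceLooksLocal -AceSid $ace -LocalMachineSid $lab['LAB-03']   # LooksLocal = False

# Live value for the PC this runs on, to feed into a hashtable like $lab:
Get-MachineSid
```

Two things the example makes visible. First, the collision is a property of the issuing prefix, not of the username: LAB-02's own first user, whatever it is called, also gets RID 1000 and therefore the very same SID as LAB-01's, which is cookie_monster's point above. Second, a network logon to another PC with a local account never transmits the caller's SID; the target looks the username up in its own SAM and checks the password, so identical SIDs by themselves do not open admin shares, while a shared local admin password across an un-sysprepped room does.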

  13. #13
    cookie_monster
    Quote Originally Posted by ajbritton
    Not quite. Windows does not need to 'tell them apart' as such. A remote connection will be authenticated by username/password and as long as these match a local user account on the target PC then the connection will succeed. This is nothing to do with machine SIDs. The only time Windows would confuse two accounts based on matching machine SIDs would be in the instance where an ACL was created on a removable device and the device was connected to a second PC with the same machine SID. The second PC would see entries in the ACL as referring to local accounts rather than accounts on a different PC.

    A remote connection will not be authenticated by username and password; it will be authenticated by "user account" SID and password. The username will be translated to a SID; the username is for our benefit only (I correct myself: that is only for domain accounts). As the user account SID and password will be identical on both machines, Windows will not be able to differentiate. You are correct in what you say, but the identical SIDs complicate the issue, which is where the security problem arises.


    This highlights your point about file security nicely.

    http://windowsitpro.com/article/arti...-same-sid.html
    Last edited by cookie_monster; 9th November 2009 at 08:58 AM.

  14. #14

    mac_shinobi
    Quote Originally Posted by cookie_monster
    A remote connection will not be authenticated by username and password; it will be authenticated by "user account" SID and password. The username will be translated to a SID; the username is for our benefit only. As the user account SID and password will be identical on both machines, Windows will not be able to differentiate.
    Not sure if I am being daft here but if you have

    User A with SID 1234
    User B with SID 5678

    and 6 computers ( marked 1,2,3,4,5 and 6 ), Assuming Each user was allowed to do multiple logins at the same time and User A logged into computers 1,2 and 3

    User A has the same password on each login and the same username ( same username SID ) then how would it be able to differentiate between computers 1, 2 and 3 ?

    Same applies to User B reference explanation of User A

    Because although the same user is logged into 3 machines ( User A on 1, 2 and 3 and User B on 4,5 and 6 ) if it is using the Usernames SID and the login accounts password then how would it know any different, for all it knows its on the same computer because the username SID and the user accounts password would always be the same ?



    I'm either missing the point completely and a plane's gone over my head or something?

  15. #15
    cookie_monster
    Quote Originally Posted by mac_shinobi
    Not sure if I am being daft here but if you have

    User A with SID 1234
    User B with SID 5678

    and 6 computers ( marked 1,2,3,4,5 and 6 ), Assuming Each user was allowed to do multiple logins at the same time and User A logged into computers 1,2 and 3

    User A has the same password on each login and the same username ( same username SID ) then how would it be able to differentiate between computers 1, 2 and 3 ?

    Same applies to User B reference explanation of User A

    Because although the same user is logged into 3 machines ( User A on 1, 2 and 3 and User B on 4,5 and 6 ) if it is using the Usernames SID and the login accounts password then how would it know any different, for all it knows its on the same computer because the username SID and the user accounts password would always be the same ?



    I'm either missing the point completely and a plane's gone over my head or something?


    It gets worse, because you could have different usernames on each PC but with the same SID, so as ajbritton says you then have no security:

    User A with SID 1234
    User B with SID 1234

    What are the problems with workstations having the same SID?

    Understanding Shared Account Password Management
    http://technet.microsoft.com/en-us/m...s.aspx?pr=blog
    Last edited by cookie_monster; 9th November 2009 at 08:39 AM.
