SID (Security Identifier)

From Bauman National Library
This page was last modified on 18 June 2016, at 15:02.
Developer(s): Microsoft
Written in: C++
Operating system: Windows
Type: Security Identifier

A security identifier (SID) is a unique value of variable length that identifies an account and is stored in the Windows NT security information. At the start of each logon session, once the user has been identified by the system, the account's SID is retrieved from the database and placed in the access token [1]. From then on the operating system uses this value for every action the user performs on protected objects.

Use of security identifiers

Windows security uses SIDs in the following security elements:

  1. In security descriptors, to identify the owner of an object and its primary group [2].
  2. In access control entries, to identify the trustee for whom access is allowed, denied, or audited [3].
  3. In access tokens, to identify the user and the groups to which the user belongs [4].

Types of security identifiers

  1. Null - S-1-0-0 - a group SID with no members. Used only when the SID is unknown.
  2. World - S-1-1-0 - a group that includes all users.
  3. Local - S-1-2-0 - users with direct, physical access to the system.
  4. Creator Owner ID - S-1-3-0 - a placeholder SID that is replaced by the SID of the user who created the object. This SID is used in inheritable ACEs.
  5. Creator Group ID - S-1-3-1 - a placeholder SID that is replaced by the primary group SID of the user who created the object. Like the previous one, this SID is used in inheritable ACEs.

SID functions

If you do need to work with SIDs, do not manipulate them directly. Instead, use the following functions.

Function - Description

AllocateAndInitializeSid - Allocates and initializes a SID with the specified number of subauthorities.
ConvertSidToStringSid - Converts a SID to a string format suitable for display, storage, or transport.
ConvertStringSidToSid - Converts a string-format SID to a valid, functional SID.
CopySid - Copies a source SID to a buffer.
EqualPrefixSid - Tests two SID prefix values for equality. A SID prefix is the entire SID except for the last subauthority value.
EqualSid - Tests two SIDs for equality. They must match exactly to be considered equal.
FreeSid - Frees a SID previously allocated by the AllocateAndInitializeSid function.
GetLengthSid - Retrieves the length of a SID.
GetSidIdentifierAuthority - Retrieves a pointer to the identifier authority for a SID.
GetSidLengthRequired - Retrieves the size of the buffer required to store a SID with a specified number of subauthorities.
GetSidSubAuthority - Retrieves a pointer to a specified subauthority in a SID.
GetSidSubAuthorityCount - Retrieves the number of subauthorities in a SID.
InitializeSid - Initializes a SID structure.
IsValidSid - Tests the validity of a SID by verifying that the revision number is within a known range and that the number of subauthorities does not exceed the maximum.
LookupAccountName - Retrieves the SID that corresponds to a specified account name.
LookupAccountSid - Retrieves the account name that corresponds to a specified SID.
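To make the string and binary forms these functions convert between concrete, here is an added example (not code from this page or from Microsoft): a small portable C reimplementation of the ConvertStringSidToSid, ConvertSidToStringSid, IsValidSid and EqualPrefixSid semantics described in the table, so the SID layout can be inspected without the Windows API. The maximum of 15 subauthorities and the revision value 1 are assumptions taken from the Windows SID definition, not from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15   /* assumed Windows limit on subauthorities per SID */
/* Layout mirroring the Windows SID structure: revision, count, 48-bit big-endian authority, subauthorities. */
typedef struct {
    uint8_t  revision, sub_authority_count, identifier_authority[6];
    uint32_t sub_authority[SID_MAX_SUB_AUTHORITIES];
} sid_t;

/* The checks the table attributes to IsValidSid: known revision (assumed 1), count within the maximum. */
int sid_is_valid(const sid_t *s) { return s->revision == 1 && s->sub_authority_count <= SID_MAX_SUB_AUTHORITIES; }

/* ConvertStringSidToSid direction: parse "S-R-A-S1-S2-...". Returns 1 on success, 0 on malformed input. */
int sid_from_string(const char *str, sid_t *out) {
    unsigned rev; unsigned long long auth; int n = 0;
    memset(out, 0, sizeof *out);
    if (strncmp(str, "S-", 2) != 0 || str[2] < '0' || str[2] > '9') return 0;   /* reject "S--1" style input */
    if (sscanf(str, "S-%u-%llu%n", &rev, &auth, &n) != 2 || n == 0 || rev > 255 || auth > 0xFFFFFFFFFFFFULL) return 0;
    out->revision = (uint8_t)rev;
    for (int i = 0; i < 6; i++) out->identifier_authority[i] = (uint8_t)(auth >> (8 * (5 - i)));
    for (str += n; *str == '-'; str += n) {   /* each "-N" is one 32-bit subauthority */
        unsigned long v;
        if (out->sub_authority_count >= SID_MAX_SUB_AUTHORITIES) return 0;
        if (str[1] < '0' || str[1] > '9' || sscanf(str, "-%lu%n", &v, &n) != 1 || v > 0xFFFFFFFFUL) return 0;
        out->sub_authority[out->sub_authority_count++] = (uint32_t)v;
    }
    return *str == '\0' && sid_is_valid(out);
}

/* ConvertSidToStringSid direction. Returns the length written, or -1 if buf is too small. */
int sid_to_string(const sid_t *s, char *buf, size_t cap) {
    unsigned long long auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | s->identifier_authority[i];
    int len = snprintf(buf, cap, "S-%u-%llu", (unsigned)s->revision, auth);
    for (int i = 0; i < s->sub_authority_count && len >= 0 && (size_t)len < cap; i++)
        len += snprintf(buf + len, cap - (size_t)len, "-%u", (unsigned)s->sub_authority[i]);
    return (len >= 0 && (size_t)len < cap) ? len : -1;
}

/* EqualPrefixSid semantics from the table: everything except the last subauthority must match. */
int sid_equal_prefix(const sid_t *a, const sid_t *b) {
    if (a->revision != b->revision || a->sub_authority_count != b->sub_authority_count) return 0;
    if (memcmp(a->identifier_authority, b->identifier_authority, 6) != 0) return 0;
    for (int i = 0; i + 1 < a->sub_authority_count; i++)
        if (a->sub_authority[i] != b->sub_authority[i]) return 0;
    return 1;
}
```

The parser rejects a revision other than 1, more than 15 subauthorities, and non-numeric components, which is the same class of input IsValidSid and ConvertStringSidToSid refuse on Windows.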

Notes

  1. More information about the access token: http://en.bmstu.wiki/Access_Token
  2. More about security descriptors: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379563(v=vs.85).aspx
  3. Details on the use of access control entries: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374868(v=vs.85).aspx
  4. More on the use of SIDs in the access token: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374909(v=vs.85).aspx