July 26, 2004
Universal SIDS for Windows 2000
Back when I was studying the registry I was often puzzled by the Windows SID. After some recent reading I finally understood its mystery, so here it is for everyone; where I am wrong, comrades please criticize. :D

An important factor in how Windows implements its security features is the user account and the user group. We humans mostly use easy-to-remember names to refer to users and groups, but inside the computer the operating system references user accounts by a unique identifier. Each account is therefore given a unique SID (Security Identifier), and even if we recreate an account we previously deleted, the new account does not get the permissions and access rights of the old one. This is also the reason behind Janker deleting and rebuilding the Administrator :)

First, the SID format is: S-R-A-S-S-S...
S - means this is a SID
R - revision number
A - the identifier authority that issued the SID, e.g. 5 means NT/2000
S - the sub-authorities that follow, a series of numbers that form the unique ID of the user
For example: S-1-5-21-1085031214-492894223-1060284298-500
21-1085031214-492894223-1060284298 is the upper part, the field that uniquely identifies the domain or workgroup (the machine).
500 is the Administrator.
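To make the format concrete, here is a small SID tool I added for this write-up (not the author's code): it splits an SID string into revision, authority and sub-authorities, converts it to and from the binary layout Windows uses in security descriptors, and separates the domain identifier from the RID the way the example above does. The sample SID is the page's own; the RID names are taken from the table further down.

```python
import struct

# The page's example SID: the domain Administrator account (RID 500).
SAMPLE_SID = "S-1-5-21-1085031214-492894223-1060284298-500"

# Relative IDs taken from the well-known SID table on this page.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "KRBTGT",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

def parse_sid(text):
    """Split 'S-R-A-S-S-...' into (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not an SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authorities must be at most 15 32-bit values")
    return revision, authority, subs

def sid_to_binary(text):
    """Serialize to the binary SID layout: revision (1 byte), sub-authority count
    (1 byte), 6-byte big-endian authority, then 4-byte little-endian sub-authorities."""
    revision, authority, subs = parse_sid(text)
    data = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return data + b"".join(struct.pack("<I", s) for s in subs)

def binary_to_sid(data):
    """Inverse of sid_to_binary; the count byte must match the blob length."""
    if len(data) < 12 or len(data) != 8 + 4 * data[1]:
        raise ValueError("SID blob length does not match its sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % data[1], data[8:])
    return "S-%d-%d-%s" % (data[0], authority, "-".join(map(str, subs)))

def describe(text):
    """Split an NT domain SID (authority 5, first sub-authority 21) into the domain
    identifier and the RID, as the page does for S-1-5-21-...-500; None otherwise."""
    revision, authority, subs = parse_sid(text)
    if authority != 5 or subs[0] != 21 or len(subs) not in (4, 5):
        return None
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs[:4])))
    rid = subs[4] if len(subs) == 5 else None  # four sub-authorities = the domain itself
    return {"domain": domain, "rid": rid, "name": WELL_KNOWN_RIDS.get(rid)}

if __name__ == "__main__":
    blob = sid_to_binary(SAMPLE_SID)
    print(blob.hex(), binary_to_sid(blob) == SAMPLE_SID, describe(SAMPLE_SID))
```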
Every built-in domain user and group, and every universal group, has a well-known SID; the table below lists the SIDs of the well-known users and groups.
Below are a few words about the ways of logging on. Windows mainly has two logon methods, interactive logon and network logon. There are actually also batch logon and service logon, but I have not studied those two in depth. If anyone has looked into them, don't forget to tell me, it's urgent~~ :)
In the Windows startup process, the SMSS (Session Manager) process is the first user-mode process the system creates, and it is a component trusted by the system. It calls the Native API to start the Win32 subsystem environment, initialize the registry, start the subsystem process (CSRSS) and the Logon process, and perform a series of other initialization tasks; see the registry key HKLM\System\CurrentControlSet\Control\Session Manager. The actual logon is carried out by the Logon process (WINLOGON) together with the related LSASS process, the SAM, Active Directory and several authentication packages (DLLs that perform the authentication check).
Winlogon is a trusted process. It is responsible for the security-related interaction with the user. It must make sure it is not visible to any other active process, so that no untrusted process can control the desktop while the Winlogon-related processes execute. In practice, though, code can still be written to intercept the username and password: two days ago I analysed a Trojan, "Angel", which records every logon username and password in the file Angle.txt, but unfortunately does so far too blatantly (a failure), and loads itself directly from the Run key of the registry (also a failure) :D
Winlogon relies on the Graphical Identification and Authentication interface (GINA) to obtain the username and password entered by the user. By default it calls WinNT\System32\msgina.dll, which produces the standard Windows logon dialog box. So a different authentication mechanism can be used by supplying your own GINA . . . :D
It then calls LSASS to verify the username and password the user entered; LSASS in turn calls the previously mentioned authentication packages (DLLs) to do the actual checking. If the check succeeds, by default userinit.exe is called, which completes the initialization of the environment variables, runs the logon scripts, applies the security policy and so on, and then runs the default shell, Explorer.exe. The processes it creates inherit the token that LSASS generated for the user; that token is the foundation of how Windows protects resources and implements security features such as ACLs. I won't go into tokens here, brothers; there is a tool, whoami.exe, for viewing the key information in your own token. OK, that's my understanding for now; it is a bit shallow, and I welcome pointers from the masters, especially master LU0 (my teacher) :D
The SID table also has descriptions, which I translated in a hurry; my level is limited... so bear with me &$%#@$%
(In the table, <domain> stands for the domain identifier, e.g. 21-1085031214-492894223-1060284298 in the example above.)

SID | Name | Description
S-1-0-0 | Null | A group with no members; frequently used when an SID value is unknown.
S-1-1-0 | Everyone | A group containing all users, even anonymous users and guests.
S-1-2-0 | Local | Users who log on at a terminal physically connected to the system.
S-1-3-0 | Creator Owner | Stands for the SID of the user who created the object.
S-1-5-1 | Dialup | Users who logged on by dial-up, e.g. via a modem.
S-1-5-2 | Network | Users who logged on over the network.
S-1-5-3 | Batch | Users who logged on via the batch logon facility.
S-1-5-4 | Interactive | Users who logged on interactively.
S-1-5-5-X-Y | Logon Session | A logon session. Guarantees that each session is unique: X and Y are different for every logon.
S-1-5-6 | Service | Accounts that logged on as a service.
S-1-5-7 | Anonymous | Users who logged on anonymously.
S-1-5-9 | Enterprise Domain Controllers | A group containing all Active Directory domain controller computers.
S-1-5-10 | Principal Self | Granting permissions to Principal Self means granting permissions to the principal represented by the object.
S-1-5-11 | Authenticated Users | A group containing all users whose logon was authenticated; it does not contain the anonymous and Null accounts.
S-1-5-13 | Terminal Server Users | Users who logged on over a Terminal Server connection.
S-1-5-18 | Local System (System account) | Used by the operating system. You brothers must have met this account, right?
S-1-5-<domain>-500 | Administrator | Needs no explanation.
S-1-5-<domain>-501 | Guest | Lets users log on as a guest to the specified resources, but they cannot make permanent changes to the desktop.
S-1-5-<domain>-502 | KRBTGT | Used by the Kerberos Key Distribution Center (KDC) service.
S-1-5-<domain>-512 | Domain Admins | The domain administrators group, a domain global group. Windows 2000 automatically adds it to the Administrators domain local group so that its members can perform any administrative task on any computer in the domain.
S-1-5-<domain>-513 | Domain Users | A group containing all domain users; a domain global group.
S-1-5-<domain>-514 | Domain Guests | The domain Guests group; a domain global group.
S-1-5-<domain>-515 | Domain Computers | A group of all computers in the domain; a domain global group.
S-1-5-<domain>-516 | Domain Controllers | All domain controllers in the domain are added to this group; a domain global group.
S-1-5-<domain>-517 | Cert Publishers | The group whose members run Microsoft Certificate Services.
S-1-5-<domain>-518 | Schema Admins | Members of this group can modify the Active Directory schema.
S-1-5-<domain>-519 | Enterprise Admins | Members of this group have authority over all domains in the Active Directory.
S-1-5-<domain>-520 | Group Policy Creator Owners | The Group Policy administrators group.
S-1-5-<domain>-553 | RAS and IAS Servers | A local group representing RAS and Internet Authentication Service servers.
S-1-5-32-544 | Administrators | A built-in local group; contains Administrator by default.
S-1-5-32-545 | Users | A built-in local group; its members can only access the specified resources. Local user accounts are included by default.
S-1-5-32-546 | Guests | A built-in local group; the built-in Guest is a member by default.
S-1-5-32-547 | Power Users | A built-in local group. By default its members can create and modify local users and groups, install applications, and manage printers and file shares.
S-1-5-32-548 | Account Operators | A built-in domain local group on domain controllers; members can create, modify and delete user accounts and groups, but not the Administrators and operator groups.
S-1-5-32-549 | Server Operators | A built-in domain local group on domain controllers; members can administer the server, but not user accounts.
S-1-5-32-550 | Print Operators | A built-in domain local group; manages network printers.
S-1-5-32-551 | Backup Operators | A built-in domain local group that can back up and restore files on all domain controllers, regardless of the permissions on those files.