So far we have talked about the elements of security, using their "common" names, such as the administrator of the Domain Admins group or Domain Admins. But inside the Windows NT family of systems, each of these objects is represented globally unique 48-bit number, called a security identifier or SID (Security Identifier). This approach allows the system to distinguish between, for example, the local Administrator account the same name of computer A and the local Administrator account on your computer.
In the SID consists of several parts. Consider an example of such an identifier.
S-1-5-21-1507001333-1204550764-1011284298-500
Prior to the SID, the letter S, and its parts are separated by hyphens. The first number (in this case 1) is the revision number, the second - the value of office identifier (for Windows Server 2003, it is always 5). This is followed by four options under the authority (in this example is 21, and three long strings of numbers), and the latter indicates a relative identifier (RID - Relative Identifier) (in our example, the value is 500).
The SID may seem complicated, but it is important to understand that one part is unique to the installation, or domain, and another - is common to all installations and Wamena (relative identifier R1D). After you install Windows Server 2003, a local computer randomly selects the SID. The same thing happens when you create a domain under Windows Server 2003 - he also gets a unique identifier SID. Thus, for any computer or domain that is running Windows Server 2003, under the powers will always be unique (unless these are fake and do not overlap, as happens in certain types of low-level copying of disks).
In any case, the value of R1D is constant for all computers and domains. For example, the identifier SID, whose value is 500 RiD, always belongs to the Administrator account of the local machine. RID 501 is used to account Guest. For the domain RID starts from 1001 and shows the number of user accounts (eg, RID 1015 will fifteenth user domain). Suffice it to say that renaming the account does not affect the corresponding S1D, so the account will always be identified. Renaming the account Administrator, you just change its name, Windows Server 2003 (or an attacker, using special equipment) is always defined by the value of CE R1D 500.
|