Windows Access Control List (ACL) 9

More on SID Strings

In the security descriptor definition language (SDDL), security descriptor strings use SID strings for the following components of a security descriptor:

  1. Owner.
  2. Primary group.
  3. The trustee in an ACE.

A SID string in a security descriptor string can use either the standard string representation of a SID (S-R-I-S-S...) or one of the string constants defined in sddl.h.

The Windows SID string seen in the registry

More on SID Components

A SID value includes components that provide information about the SID structure and components that uniquely identify a trustee. A SID consists of the following components:

  1. The revision level of the SID structure.
  2. A 48-bit identifier authority value that identifies the authority that issued the SID.
  3. A variable number of subauthority or relative identifier (RID) values that uniquely identify the trustee relative to the authority that issued the SID.

A RID is the portion of a security identifier (SID) that identifies a user or group in relation to the authority that issued the SID. The combination of the identifier authority value and the subauthority values ensures that no two SIDs will be the same, even if two different SID-issuing authorities issue the same combination of RID values. Each SID-issuing authority issues a given RID only once. SIDs are stored in binary format in a SID structure. To display a SID, you can call the ConvertSidToStringSid() function to convert a binary SID to string format. To convert a SID string back to a valid, functional SID, call the ConvertStringSidToSid() function. These functions use the following standardized string notation for SIDs, which makes it simpler to visualize their components:

S-R-I-S-S...

In this notation, the literal character S identifies the series of digits as a SID, R is the revision level, I is the identifier-authority value, and S... is one or more subauthority values. The following example uses this notation to display the well-known domain-relative SID of the local Administrators group:

S-1-5-32-544

In this example, the SID has the following components.  The constants in parentheses are well-known identifier authority and RID values defined in winnt.h:

  1. A revision level of 1.
  2. An identifier-authority value of 5 (SECURITY_NT_AUTHORITY).
  3. A first subauthority value of 32 (SECURITY_BUILTIN_DOMAIN_RID).
  4. A second subauthority value of 544 (DOMAIN_ALIAS_RID_ADMINS).
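
The binary layout and the S-R-I-S-S... conversion described above, as an added example (my code, not the Win32 implementation and not code from the original page): a portable C model of the SID structure, a formatter whose output matches what ConvertSidToStringSid() produces for the same SID, and a strict parser in the role of ConvertStringSidToSid() that rejects malformed strings instead of guessing. It assumes the winnt.h field layout (a revision byte, a subauthority-count byte, a 6-byte big-endian identifier authority, up to 15 32-bit subauthorities) and prints the identifier authority in decimal only; the sid_t, sid_to_string, string_to_sid and sid_rid names are mine.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the Win32 implementation: a portable model of the SID
 * structure from winnt.h and of the S-R-I-S-S... text conversion performed
 * by ConvertSidToStringSid() / ConvertStringSidToSid(). Needs no Windows
 * headers; the layout below mirrors the documented SID fields. */

#define SID_MAX_SUB_AUTHORITIES 15   /* same limit as winnt.h */

typedef struct {
    uint8_t  revision;                 /* R: the SID structure revision (1) */
    uint8_t  sub_authority_count;      /* how many sub_authority[] entries are used */
    uint8_t  identifier_authority[6];  /* I: 48-bit issuing authority, big-endian */
    uint32_t sub_authority[SID_MAX_SUB_AUTHORITIES]; /* S...: the last one is the RID */
} sid_t;

/* Format a binary SID as "S-R-I-S-S...". Returns the string length, or -1 if
 * the buffer is too small. Assumption: the identifier authority is printed in
 * decimal; the hexadecimal form used for values >= 2^32 is not handled. */
int sid_to_string(const sid_t *sid, char *out, size_t outlen)
{
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++)
        authority = (authority << 8) | sid->identifier_authority[i];

    int n = snprintf(out, outlen, "S-%u-%llu",
                     (unsigned)sid->revision, (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (int i = 0; i < sid->sub_authority_count; i++) {
        int m = snprintf(out + n, outlen - n, "-%u", (unsigned)sid->sub_authority[i]);
        if (m < 0 || (size_t)m >= outlen - n) return -1;
        n += m;
    }
    return n;
}

/* Read one decimal component. Requires a leading digit and checks the range,
 * so strtoull's tolerance of signs and whitespace cannot let bad input through. */
static int read_component(const char **p, uint64_t max, uint64_t *val)
{
    if (!isdigit((unsigned char)**p)) return -1;
    char *end;
    unsigned long long v = strtoull(*p, &end, 10);
    if (v > max) return -1;
    *p = end;
    *val = v;
    return 0;
}

/* Parse "S-R-I-S-S..." into a binary SID. Returns 0 on success, -1 on any
 * malformed input: bad prefix, missing authority, non-numeric or out-of-range
 * component, trailing characters, or more than 15 subauthorities. */
int string_to_sid(const char *s, sid_t *sid)
{
    uint64_t v;
    memset(sid, 0, sizeof *sid);
    if (s[0] != 'S' || s[1] != '-') return -1;
    s += 2;
    if (read_component(&s, 255, &v) < 0) return -1;             /* R */
    sid->revision = (uint8_t)v;
    if (*s++ != '-') return -1;
    if (read_component(&s, (1ULL << 48) - 1, &v) < 0) return -1; /* I */
    for (int i = 5; i >= 0; i--) {                               /* store big-endian */
        sid->identifier_authority[i] = (uint8_t)(v & 0xff);
        v >>= 8;
    }
    while (*s == '-') {                                          /* S... */
        if (sid->sub_authority_count == SID_MAX_SUB_AUTHORITIES) return -1;
        s++;
        if (read_component(&s, 0xffffffffULL, &v) < 0) return -1;
        sid->sub_authority[sid->sub_authority_count++] = (uint32_t)v;
    }
    return *s == '\0' ? 0 : -1;
}

/* The RID is the last subauthority (0 if the SID has none). */
uint32_t sid_rid(const sid_t *sid)
{
    return sid->sub_authority_count ? sid->sub_authority[sid->sub_authority_count - 1] : 0;
}

int main(void)
{
    /* Constructed sample: the local Administrators SID from the text, S-1-5-32-544 */
    sid_t admins = { 1, 2, {0, 0, 0, 0, 0, 5}, {32, 544} };
    char buf[64];
    sid_to_string(&admins, buf, sizeof buf);
    printf("%s  (RID %u)\n", buf, (unsigned)sid_rid(&admins));

    sid_t parsed;
    int ok = string_to_sid(buf, &parsed) == 0 && sid_rid(&parsed) == 544;
    printf("round trip: %s\n", ok ? "ok" : "mismatch");
    printf("reject \"S-1-5-32-x\": %d\n", string_to_sid("S-1-5-32-x", &parsed));
    return 0;
}
```

The parser is deliberately stricter than a plain strtoull loop: every component must start with a digit and fit its field (8 bits for the revision, 48 for the authority, 32 per subauthority), and anything left after the last subauthority is an error, so a SID string copied from a registry value with a stray character is rejected rather than silently truncated.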

The following SID string constants for well-known SIDs are defined in sddl.h.

| SID string | Constant in Sddl.h | Account alias and corresponding RID |
|------------|--------------------|-------------------------------------|
| "AO" | SDDL_ACCOUNT_OPERATORS | Account operators. The corresponding RID is DOMAIN_ALIAS_RID_ACCOUNT_OPS. |
| "RU" | SDDL_ALIAS_PREW2KCOMPACC | Alias to grant permissions to accounts that use applications compatible with Windows NT 4.0 operating systems. The corresponding RID is DOMAIN_ALIAS_RID_PREW2KCOMPACCESS. |
| "AN" | SDDL_ANONYMOUS | Anonymous logon. The corresponding RID is SECURITY_ANONYMOUS_LOGON_RID. |
| "AU" | SDDL_AUTHENTICATED_USERS | Authenticated users. The corresponding RID is SECURITY_AUTHENTICATED_USER_RID. |
| "BA" | SDDL_BUILTIN_ADMINISTRATORS | Built-in administrators. The corresponding RID is DOMAIN_ALIAS_RID_ADMINS. |
| "BG" | SDDL_BUILTIN_GUESTS | Built-in guests. The corresponding RID is DOMAIN_ALIAS_RID_GUESTS. |
| "BO" | SDDL_BACKUP_OPERATORS | Backup operators. The corresponding RID is DOMAIN_ALIAS_RID_BACKUP_OPS. |
| "BU" | SDDL_BUILTIN_USERS | Built-in users. The corresponding RID is DOMAIN_ALIAS_RID_USERS. |
| "CA" | SDDL_CERT_SERV_ADMINISTRATORS | Certificate publishers. The corresponding RID is DOMAIN_GROUP_RID_CERT_ADMINS. |
| "CG" | SDDL_CREATOR_GROUP | Creator group. The corresponding RID is SECURITY_CREATOR_GROUP_RID. |
| "CO" | SDDL_CREATOR_OWNER | Creator owner. The corresponding RID is SECURITY_CREATOR_OWNER_RID. |
| "DA" | SDDL_DOMAIN_ADMINISTRATORS | Domain administrators. The corresponding RID is DOMAIN_GROUP_RID_ADMINS. |
| "DC" | SDDL_DOMAIN_COMPUTERS | Domain computers. The corresponding RID is DOMAIN_GROUP_RID_COMPUTERS. |
| "DD" | SDDL_DOMAIN_DOMAIN_CONTROLLERS | Domain controllers. The corresponding RID is DOMAIN_GROUP_RID_CONTROLLERS. |
| "DG" | SDDL_DOMAIN_GUESTS | Domain guests. The corresponding RID is DOMAIN_GROUP_RID_GUESTS. |
| "DU" | SDDL_DOMAIN_USERS | Domain users. The corresponding RID is DOMAIN_GROUP_RID_USERS. |
| "EA" | SDDL_ENTERPRISE_ADMINS | Enterprise administrators. The corresponding RID is DOMAIN_GROUP_RID_ENTERPRISE_ADMINS. |
| "ED" | SDDL_ENTERPRISE_DOMAIN_CONTROLLERS | Enterprise domain controllers. The corresponding RID is SECURITY_SERVER_LOGON_RID. |
| "WD" | SDDL_EVERYONE | Everyone. The corresponding RID is SECURITY_WORLD_RID. |
| "PA" | SDDL_GROUP_POLICY_ADMINS | Group Policy administrators. The corresponding RID is DOMAIN_GROUP_RID_POLICY_ADMINS. |
| "IU" | SDDL_INTERACTIVE | Interactively logged-on user. This is a group identifier added to the token of a process when it was logged on interactively. The corresponding logon type is LOGON32_LOGON_INTERACTIVE. The corresponding RID is SECURITY_INTERACTIVE_RID. |
| "LA" | SDDL_LOCAL_ADMIN | Local administrator. The corresponding RID is DOMAIN_USER_RID_ADMIN. |
| "LG" | SDDL_LOCAL_GUEST | Local guest. The corresponding RID is DOMAIN_USER_RID_GUEST. |
| "LS" | SDDL_LOCAL_SERVICE | Local service account. The corresponding RID is SECURITY_LOCAL_SERVICE_RID. |
| "SY" | SDDL_LOCAL_SYSTEM | Local system. The corresponding RID is SECURITY_LOCAL_SYSTEM_RID. |
| "NU" | SDDL_NETWORK | Network logon user. This is a group identifier added to the token of a process when it was logged on across a network. The corresponding logon type is LOGON32_LOGON_NETWORK. The corresponding RID is SECURITY_NETWORK_RID. |
| "NO" | SDDL_NETWORK_CONFIGURATION_OPS | Network configuration operators. The corresponding RID is DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS. |
| "NS" | SDDL_NETWORK_SERVICE | Network service account. The corresponding RID is SECURITY_NETWORK_SERVICE_RID. |
| "PO" | SDDL_PRINTER_OPERATORS | Printer operators. The corresponding RID is DOMAIN_ALIAS_RID_PRINT_OPS. |
| "PS" | SDDL_PERSONAL_SELF | Principal self. The corresponding RID is SECURITY_PRINCIPAL_SELF_RID. |
| "PU" | SDDL_POWER_USERS | Power users. The corresponding RID is DOMAIN_ALIAS_RID_POWER_USERS. |
| "RS" | SDDL_RAS_SERVERS | RAS servers group. The corresponding RID is DOMAIN_ALIAS_RID_RAS_SERVERS. |
| "RD" | SDDL_REMOTE_DESKTOP | Terminal server users. The corresponding RID is DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS. |
| "RE" | SDDL_REPLICATOR | Replicator. The corresponding RID is DOMAIN_ALIAS_RID_REPLICATOR. |
| "RC" | SDDL_RESTRICTED_CODE | Restricted code. This is a restricted token created using the CreateRestrictedToken() function. The corresponding RID is SECURITY_RESTRICTED_CODE_RID. |
| "SA" | SDDL_SCHEMA_ADMINISTRATORS | Schema administrators. The corresponding RID is DOMAIN_GROUP_RID_SCHEMA_ADMINS. |
| "SO" | SDDL_SERVER_OPERATORS | Server operators. The corresponding RID is DOMAIN_ALIAS_RID_SYSTEM_OPS. |
| "SU" | SDDL_SERVICE | Service logon user. This is a group identifier added to the token of a process when it was logged on as a service. The corresponding logon type is LOGON32_LOGON_SERVICE. The corresponding RID is SECURITY_SERVICE_RID. |

Table 6

The ConvertSidToStringSid() and ConvertStringSidToSid() functions always use the standard SID string notation and do not support SDDL SID string constants.
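
Because ConvertStringSidToSid() rejects the two-letter constants, any code that reads SDDL for itself (for example when reviewing the permissions stored on services or registry keys) has to expand them before it can work with the SID. The following is an added example, my code rather than the Win32 implementation and not code from the original page, that expands a trustee token from Table 6 into standard notation and pulls the trustee field out of an ACE string such as "(A;;FA;;;BA)". The SID values are the documented well-known SIDs for each alias; the domain-relative aliases need the caller to supply the domain SID (the demo uses a constructed "S-1-5-21-1-2-3", not a real domain), and EA and SA strictly belong to the forest root domain, which this code leaves to the caller. The sddl_sid_to_string and ace_trustee names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the Win32 implementation: expand the two-letter SDDL SID
 * string constants of Table 6 into the S-R-I-S-S... notation that
 * ConvertStringSidToSid() accepts. Fixed aliases carry their full well-known
 * SID; domain-relative aliases carry only the well-known RID, which is
 * appended to a domain SID supplied by the caller (EA and SA are relative to
 * the forest root domain; passing the right domain SID is the caller's job). */
struct sddl_alias { const char *alias; const char *value; int domain_relative; };

static const struct sddl_alias aliases[] = {
    { "WD", "S-1-1-0", 0 },      { "CO", "S-1-3-0", 0 },      { "CG", "S-1-3-1", 0 },
    { "NU", "S-1-5-2", 0 },      { "IU", "S-1-5-4", 0 },      { "SU", "S-1-5-6", 0 },
    { "AN", "S-1-5-7", 0 },      { "ED", "S-1-5-9", 0 },      { "PS", "S-1-5-10", 0 },
    { "AU", "S-1-5-11", 0 },     { "RC", "S-1-5-12", 0 },     { "SY", "S-1-5-18", 0 },
    { "LS", "S-1-5-19", 0 },     { "NS", "S-1-5-20", 0 },
    { "BA", "S-1-5-32-544", 0 }, { "BU", "S-1-5-32-545", 0 }, { "BG", "S-1-5-32-546", 0 },
    { "PU", "S-1-5-32-547", 0 }, { "AO", "S-1-5-32-548", 0 }, { "SO", "S-1-5-32-549", 0 },
    { "PO", "S-1-5-32-550", 0 }, { "BO", "S-1-5-32-551", 0 }, { "RE", "S-1-5-32-552", 0 },
    { "RS", "S-1-5-32-553", 0 }, { "RU", "S-1-5-32-554", 0 }, { "RD", "S-1-5-32-555", 0 },
    { "NO", "S-1-5-32-556", 0 },
    /* domain-relative: value is the well-known RID appended to the domain SID */
    { "LA", "500", 1 }, { "LG", "501", 1 }, { "DA", "512", 1 }, { "DU", "513", 1 },
    { "DG", "514", 1 }, { "DC", "515", 1 }, { "DD", "516", 1 }, { "CA", "517", 1 },
    { "SA", "518", 1 }, { "EA", "519", 1 }, { "PA", "520", 1 },
};

/* Copy src into out, failing instead of truncating. */
static int copy_checked(const char *src, char *out, size_t outlen)
{
    if (strlen(src) >= outlen) return -1;
    strcpy(out, src);
    return 0;
}

/* Expand one SDDL SID component (alias or already standard notation) into
 * standard notation. Returns 0 on success; -1 for an unknown alias, a
 * domain-relative alias without a domain SID, or a too-small buffer. */
int sddl_sid_to_string(const char *token, const char *domain_sid,
                       char *out, size_t outlen)
{
    if (strncmp(token, "S-", 2) == 0)            /* already S-R-I-S-S... */
        return copy_checked(token, out, outlen);
    for (size_t i = 0; i < sizeof aliases / sizeof aliases[0]; i++) {
        if (strcmp(token, aliases[i].alias) != 0) continue;
        if (!aliases[i].domain_relative)
            return copy_checked(aliases[i].value, out, outlen);
        if (!domain_sid) return -1;
        int n = snprintf(out, outlen, "%s-%s", domain_sid, aliases[i].value);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    return -1;
}

/* Extract the account-SID field (the sixth ';'-separated field) of an ACE
 * string such as "(A;;FA;;;BA)". ACE strings with a different number of
 * fields (conditional and resource-attribute ACEs) are rejected. */
int ace_trustee(const char *ace, char *out, size_t outlen)
{
    size_t len = strlen(ace);
    if (len < 2 || ace[0] != '(' || ace[len - 1] != ')') return -1;
    const char *p = ace + 1;
    for (int field = 0; field < 5; field++) {    /* skip type;flags;rights;guid;guid */
        p = strchr(p, ';');
        if (!p) return -1;
        p++;
    }
    size_t n = (size_t)(ace + len - 1 - p);      /* bytes before the closing ')' */
    if (n == 0 || n >= outlen || memchr(p, ';', n)) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: three ACEs granting full access to BA, SY and Domain Admins */
    const char *aces[] = { "(A;;FA;;;BA)", "(A;;FA;;;SY)", "(A;;FA;;;DA)" };
    const char *domain = "S-1-5-21-1-2-3";       /* constructed domain SID, not a real one */
    for (size_t i = 0; i < 3; i++) {
        char tok[64], sid[96];
        if (ace_trustee(aces[i], tok, sizeof tok) == 0 &&
            sddl_sid_to_string(tok, domain, sid, sizeof sid) == 0)
            printf("%s -> trustee %s = %s\n", aces[i], tok, sid);
    }
    return 0;
}
```

A token that already starts with "S-" is passed through unchanged, which is what SDDL produces for accounts that have no alias (ordinary domain users and groups), so the same function handles both forms that can appear in the owner, group and ACE trustee positions listed at the top of this page.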