It has come to my attention that many admins are not aware that Active Directory, as well as Windows server and desktop operating systems, creates default users and groups that are easily identifiable, no matter what they are renamed to. They are identifiable by their well-known SIDs. In this article we discuss what a SID is, and then why some SIDs are well-known. The concept and technology of SIDs are fundamental to the entire Windows security subsystem and to access control on network resources.
What is a SID?
A SID is a security identifier. Although we know users, groups, and computers as Derek, Domain Admins, and Server1, the operating system knows these accounts by SIDs ending in 1000, 512, and 1500 (preceded by some other numbers and a few letters!). It is like the web sites you visit: do you know the IP address for google.com? Neither do I, and the Internet does not really know the name either; it knows the site only by its IP address. DNS handles the resolution, so you never need to know what the IP address is.
An example of a Windows SID is S-1-5-21-549688327-91903405-2500298261-1000. The S-1-5-21 prefix is used for most user and group accounts, 549688327-91903405-2500298261 is the domain SID (generated once, when the domain or machine is created), and the final 1000 is the relative identifier (RID) of this particular account within that domain.
I have been asked whether two domains can be installed with the same domain SID. The answer is yes, it is possible, because the domain portion is generated randomly; however, based on my knowledge of statistics, I find it VERY HARD to imagine two domains in the world generating the same domain SID and then ending up on the same physical network. I think getting hit by lightning on a sunny day would be a greater risk.
What Does a SID Do?
A SID is used by the operating system to track the account, and this is done in two ways. First, when a user logs on, the user's SID and the SIDs of the groups the user belongs to are written into the user's access token. You can see this in Figure 1, which shows a process token, copied from the user's logon token.
Figure 1: User token, including user SID and group SIDs.
SIDs are also used to control access to resources. Any resource in Windows that has an access control list (ACL) uses SIDs to control the access permissions. Resources with ACLs in Windows include: files, folders, Registry keys, printers, AD objects, and services. An example of a file ACL is shown in Figure 2.
Figure 2: File ACL, which shows user/group names, but is really a list of SIDs.
When a user attempts to access a resource, the SIDs in the token are compared with the entries in the ACL, in the order the entries are stored. An entry that grants the requested access to the user's SID, or to the SID of a group the user belongs to, gives the user that access. An entry that denies it wins, because Windows orders explicit Deny entries ahead of Allow entries. If neither the user nor any of the user's groups is listed, nothing grants the access and the user is denied.
Well-known SIDs for User Accounts
When Active Directory is installed, there are default user accounts, including Guest, Administrator, KRBTGT, etc. These accounts must be tracked in all installations of Active Directory and are hard coded into the operating system. Since they are hard coded, their SIDs must have the same "structure" everywhere. The beginning portion of the SID is always S-1-5-21-, and the domain portion is generated dynamically when the domain is created, so the only portion that must be fixed is the RID, the last portion of the SID. RID stands for relative identifier, and for a given default account it is the same in every domain: the built-in Administrator is always RID 500, Guest is always 501 and KRBTGT is always 502, whatever the accounts are renamed to. Other default accounts are system accounts, which follow a different SID format without the S-1-5-21- domain portion, as can be seen in Table 1.
Table 1: Default user accounts and their SIDs.
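The SID structure from the two sections above, as an added example (not code from the original article): a parser that splits a SID string into its domain SID and RID and names the well-known ones. The domain SID is the article's; the enumerated account list is constructed, and the well-known RID and SID tables are the standard Windows values (the RIDs 500 to 519 and the BUILTIN S-1-5-32 groups go beyond what the article lists). Anything with a RID of 1000 or higher is a dynamically assigned account and cannot be named from the SID alone.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Domain-relative RIDs that are identical in every domain. Renaming the account
# changes only its name; the RID stays.
DOMAIN_RIDS = {
    498: "Enterprise Read-only Domain Controllers",
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
    521: "Read-only Domain Controllers",
    571: "Allowed RODC Password Replication Group",
    572: "Denied RODC Password Replication Group",
}

# Accounts whose SID has no S-1-5-21-<domain> portion at all.
FIXED_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-9": "ENTERPRISE DOMAIN CONTROLLERS",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
    "S-1-5-32-556": "BUILTIN\\Network Configuration Operators",
    "S-1-5-32-557": "BUILTIN\\Incoming Forest Trust Builders",
    "S-1-5-32-573": "BUILTIN\\Event Log Readers",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def text(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                                "-".join(str(s) for s in self.subauthorities))

    @property
    def is_domain_relative(self) -> bool:
        # S-1-5-21-<x>-<y>-<z>[-<RID>]: NT authority (5), first sub-authority 21
        return (self.authority == 5 and len(self.subauthorities) >= 4
                and self.subauthorities[0] == 21)

    @property
    def domain_sid(self) -> Optional[str]:
        if not self.is_domain_relative:
            return None
        return "S-1-5-21-" + "-".join(str(s) for s in self.subauthorities[1:4])

    @property
    def rid(self) -> Optional[int]:
        # Only an account SID (domain SID plus one more sub-authority) has a RID.
        if self.is_domain_relative and len(self.subauthorities) == 5:
            return self.subauthorities[4]
        return None

    def well_known_name(self) -> Optional[str]:
        if self.rid is not None:
            return DOMAIN_RIDS.get(self.rid)   # None for RID >= 1000: dynamic account
        return FIXED_SIDS.get(self.text)


def parse_sid(sid: str) -> Sid:
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(m.group(1)), int(m.group(2))
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    return Sid(revision, authority, subs)


def find_builtin_administrator(sids) -> Optional[str]:
    """Pick the RID-500 account out of an enumerated list, whatever it is named."""
    for s in sids:
        if parse_sid(s).rid == 500:
            return s
    return None


DOMAIN = "S-1-5-21-549688327-91903405-2500298261"   # the article's domain SID
ENUMERATED = [DOMAIN + "-1000", DOMAIN + "-1105", DOMAIN + "-500", "S-1-5-32-544"]  # constructed

if __name__ == "__main__":
    for s in ENUMERATED:
        p = parse_sid(s)
        print(s, p.domain_sid, p.rid, p.well_known_name())
    print("built-in Administrator:", find_builtin_administrator(ENUMERATED))
```

find_builtin_administrator is the attacker's view of the problem the article raises: given any list of account SIDs, the one ending in -500 is the real Administrator no matter what it has been renamed to.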
Well-known SIDs for Group Accounts
In a similar manner to the user accounts, the default groups also have well-known SIDs. There are far more default groups in Active Directory than default users, and their SIDs follow more than one format: domain groups such as Domain Admins use S-1-5-21-<domain>-<RID>, built-in local groups such as Remote Desktop Users use S-1-5-32-<RID> (the BUILTIN domain), and a few, such as Enterprise Domain Controllers, have a fixed SID with no domain portion at all. Table 2 lists the majority of the default groups and their SIDs.
Enterprise Domain Controllers: S-1-5-9
Group Policy Creator Owners: S-1-5-21-<domain>-520
Pre-Windows 2000 Compatible Access: S-1-5-32-554
Remote Desktop Users: S-1-5-32-555
Network Configuration Operators: S-1-5-32-556
Incoming Forest Trust Builders: S-1-5-32-557
Enterprise Read-only Domain Controllers: S-1-5-21-<domain>-498
Read-only Domain Controllers: S-1-5-21-<domain>-521
Allowed RODC Password Replication Group: S-1-5-21-<domain>-571
Denied RODC Password Replication Group: S-1-5-21-<domain>-572
Event Log Readers: S-1-5-32-573
Table 2: Default group accounts and their SIDs (<domain> stands for the domain SID).
What Do Well-Known SIDs Mean for You?
In my opinion, well-known SIDs mean that an informed attacker can find any default user or group, no matter what you rename it to. However, knowing the SIDs for these accounts can also help you track your own users and groups. I still suggest you rename the Administrator account; it hides nothing from an informed attacker, but it does defeat those who are not so informed. Creating a "honey-pot" account that keeps the name Administrator is a great way to catch attackers: anyone attempting to log on with that name is obviously not using the correct "Administrator" and should be investigated.
Of course, a well-informed attacker can resolve SIDs to names and determine which account has the RID of 500, which is the real default Administrator regardless of its name. This is one good reason not to allow anonymous access, and to restrict anonymous SID-to-name translation and SAM enumeration. In Group Policy these are the security options "Network access: Allow anonymous SID/Name translation" (set it to Disabled) and "Network access: Do not allow anonymous enumeration of SAM accounts" and "Network access: Do not allow anonymous enumeration of SAM accounts and shares" (set both to Enabled).
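The honey-pot idea and the RID 500 point from the two paragraphs above, as an added example (not code from the original article): detection logic run over constructed logon records shaped like the Security-log events 4624 (successful logon) and 4625 (failed logon). The domain SID is the article's; the account names, addresses and the assumption that the decoy keeps the name Administrator are constructed. The failed logon carries the NULL SID S-1-0-0, as a real 4625 does when the account was never resolved, which is why the decoy rule keys on the name while the real-Administrator rule keys on the SID.

```python
from typing import Dict, Iterable, List, Optional

DOMAIN = "S-1-5-21-549688327-91903405-2500298261"   # the article's domain SID
DECOY_NAME = "Administrator"   # assumption: the honey-pot account keeps this name


def rid(sid: str) -> Optional[int]:
    """Last sub-authority of a domain account SID; None for S-1-0-0 and the like."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return int(parts[-1])
    return None


# Constructed records with the 4624/4625 fields the rules need. On a real host
# these would come from an export of the Security log.
EVENTS: List[Dict] = [
    {"EventID": 4624, "TargetUserName": "svc-filesync",          # renamed built-in Administrator
     "TargetUserSid": DOMAIN + "-500", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "Administrator",         # failed attempt on the decoy
     "TargetUserSid": "S-1-0-0", "IpAddress": "203.0.113.7", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "Derek",                 # ordinary user, nothing to flag
     "TargetUserSid": DOMAIN + "-1000", "IpAddress": "10.0.0.20", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "Administrator",         # someone got into the decoy
     "TargetUserSid": DOMAIN + "-1105", "IpAddress": "10.0.0.9", "LogonType": 3},
]


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per rule hit, in event order."""
    alerts = []
    for e in events:
        if e["EventID"] not in (4624, 4625):
            continue
        outcome = "success" if e["EventID"] == 4624 else "failure"
        # Rule 1: nobody legitimate uses the decoy, so any attempt, failed or
        # not, is worth an alert. Matched by name: a 4625 has no usable SID.
        if e["TargetUserName"].lower() == DECOY_NAME.lower():
            alerts.append({"rule": "decoy-account-touched", "outcome": outcome,
                           "ip": e["IpAddress"], "sid": e["TargetUserSid"]})
        # Rule 2: the real built-in Administrator is RID 500 whatever it is
        # called, so track it by SID rather than by the name you gave it.
        if rid(e["TargetUserSid"]) == 500:
            alerts.append({"rule": "builtin-admin-logon", "outcome": outcome,
                           "ip": e["IpAddress"], "name": e["TargetUserName"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Rule 2 fires on a successful logon only, because the SID is present only there; if you want failed attempts against the renamed account as well, match 4625 on the new name instead. Both rules are name- or SID-exact, so an attacker who has already learned the renamed account via SID enumeration shows up under Rule 2, which is the point of restricting that enumeration in the first place.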
You really need to prevent untrusted users from doing name-to-SID translation or from enumerating users and their SIDs. Far too much information can be obtained from either of those lists by a prospective attacker: the real name of the Administrator account, the names of the "first created" Active Directory accounts (typically admins), and other details that would let an attacker plan an attack.
In order for the operating system and Active Directory to track the default user and group accounts, they assign them SIDs that are known... well-known, actually. This is done so these accounts are established during installation and the system does not need to track them with dynamically generated SIDs. Most accounts have the structure S-1-5-21-<domain>-<RID>, while others have a different SID format. Regardless of the format, SIDs are what every logon token, every ACL and every access check actually uses to control access to servers, resources and domain resources.