Windows SID (Security Identifier)
A Windows Security Identifier (SID) is a unique value of variable length that is used to identify a security principal or security group in Windows operating systems. Security principals can be users, groups, and processes controlled by the operating system.
Each account or group on a Windows system is assigned a unique SID when it is created, and this SID is used to control access to various resources, including files, folders, registry keys, and more.
The SID is unique to each user or group, and is different even for accounts or groups with the same name on different systems. This uniqueness is crucial for maintaining security and access rights across the network. A SID is a string value that consists of several parts, including a revision level, an identifier authority value, and a set of subauthority values.
The structure might look something like S-1-5-21-1180699209-877415012-3182924384-1004
.
SIDs are used in access control lists (ACLs) to define permissions on various objects within Windows, such as files, folders, and registry keys.
There are certain SIDs that are predefined and used across Windows systems, such as S-1-5-18
for the Local System account, S-1-5-32-544
for the Administrators group, and others. These well-known SIDs are consistent across all versions of Windows.
When setting permissions, the system translates account names into their corresponding SIDs. Access checks are performed against these SIDs. In security logs and audit trails, SIDs are recorded to track activities of users and groups. Understanding SIDs is important in penetration testing and hacking, as certain attacks may involve impersonating SIDs of privileged accounts or groups.