[269] in Best-of-Security


BoS: Re: Duplication Problem?

daemon@ATHENA.MIT.EDU (Moloo, Jalal @ CKE)
Wed Jun 25 08:38:57 1997

Date:         Mon, 23 Jun 1997 13:25:05 -0700
Reply-To: "Moloo, Jalal @ CKE" <JMOLOO@CKR.COM>
From: "Moloo, Jalal @ CKE" <JMOLOO@CKR.COM>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net


Here is some info on the duplication problem & unique SID straight from the
horse's mouth (Microsoft's official position, adapted from Sunbelt Windows
NTools[tm] Electronic Newsletter).

       --- http://www.ntsoftdist.com ---


"Microsoft provides several methods for the proper deployment of the
Windows NT operating system. The use of a supported method is very
important to ensuring the security of the systems running Windows NT is
not compromised.

There is a reason you can't just copy the hard disk from one computer to
another to deploy Windows NT. One of the important features of Windows
NT is its security. Each computer is assigned a unique Security ID (SID)
during Setup at the time the machine name is entered; this ensures that
it can be identified on the network. Almost all of the network services
have this security information encoded in their entries in the registry
during Setup or subsequent installation. Simply copying the contents of
one hard disk to another would give each computer the same SID, making
security impossible to maintain.

MORE INFORMATION

When a computer is installed, it is given a SID. For a Windows NT
Workstation, Windows NT Member server, or a Windows NT primary domain
controller (PDC), that SID is computed to contain a statistically unique
96-bit number. For a Windows NT backup domain controller (BDC), that
SID is identical to the SID of the PDC for the domain.

The primary SID is generated during the installation of Windows NT and
is the prefix of the SIDs for all the user accounts and group accounts
created on the computer. The SID is concatenated with the RID of the
account to create the account's unique identifier.

So, if two workstations have the same primary SID, the first user
account generated (and so forth) on each workstation is the same because
the SID on both computers is the same.

Here is what happens when the SID is created. When you install Windows
NT, Setup creates a unique SID for that computer and uses this SID as a
prefix for all local machine accounts. This can be seen by using
Regedt32.exe to view the local user's SID. If you create several local
accounts you will see the SID for that account when logging on as that
user.

   HKEY_USERS on Local Machine

   Example:

   S-1-5-21-191058668-193157475-1542849698-500       administrator
   S-1-5-21-191058668-193157475-1542849698-1000      User one
   S-1-5-21-191058668-193157475-1542849698-1001      User two
   S-1-5-21-191058668-193157475-1542849698-1002      User three

Notice that only the last four digits are incremented as new accounts
are added. The implication of this for Workgroup security is that local
users have rights on other computers according to the order the account
in which was created. Additionally, the impact on file ownership for
shared/removable media will be compromised and would make security
unmanageable.

The "after GUI replication" method is unsupported because of the
security, resource ownership and unmanageability implication.

Because the SID identifies the computer or domain as well as the user,
it is critical that it be unique to maintain support for current and
future applications."


>-----Original Message-----
>From:  Smith, Ken [SMTP:Ken_Smith@MENTORG.COM]
>Sent:  Friday, June 20, 1997 11:46 AM
>To:    NTBUGTRAQ@RC.ON.CA
>Subject:       Re: Duplication Problem?
>
>I'm posting a message on this subject which I just posted yesterday to
>the winnt-l mailing list, but didn't generate any response.  It gets
>into issues that aren't precisely related to NT bugs, but it does deal
>with security, which has been a frequent topic here.  Most folks here
>seem to have more expertise on security issues than I do, so I'd
>appreciate some comment and feedback on my questions.
>
>Microsoft's official stance is that disk duplication is a Very Bad Thing
>To Do -- see KB article Q162001, aptly entitled "Do Not Disk Duplicate
>Installed Versions of Windows NT."  But although they are quite adamant
>in this article, their explanation leaves a little to be desired -- at
>the very least, I can't claim to understand it.  This article says (and
>I quote):
>
>        "One of the important features of Windows NT is its security.
>        Each computer is assigned a unique Security ID (SID) during
>        Setup at the time the machine name is entered; this ensures
>        that it can be identified on the network. Almost all of the
>        network services have this security information encoded in
>        their entries in the registry during Setup or subsequent
>        installation. Simply copying the contents of one hard disk to
>        another would give each computer the same SID, making security
>        impossible to maintain."
>
>But as to why duplicate SIDs would in any way complicate security is
>left unexplained.  For instance, is the machine SID used in any
>significant way when joining a domain?  Or when connecting up to a
>domain later, say after a reboot?  Perhaps, but not that I've been able
>to discover, and certainly not that MS has here explained.
>
>A couple paragraphs later, MS also says:
>
>        "The implication of this for Workgroup security is that local
>        users have rights on other computers according to the order
>        the account in which was created."
>
>But that doesn't make any sense to me.  How, precisely, would a
>duplicate SID make any difference in this instance whatsoever?  When you
>connect to a remote machine, your user ID and a password challenge are
>presented to that remote machine via SMB -- but your machine's SID is
>not presented.  Even if your account was XXX-1005 on Machine1, and there
>was a corresponding but differently named account on Machine2 with the
>same SID of XXX-1005, there's no way for Machine2 to know that the user
>trying to connect even has the same SID.
>
>The very next sentence does make some sense:
>
>        "Additionally, the impact on file ownership for
>        shared/removable media will be compromised and would make
>        security unmanageable."
>
>This is true to some small extent -- for instance, if you were planning
>to use zip drives on the duplicated machines, were planning to use NTFS
>on those disks, and were concerned about file ownership.  But those are
>some pretty hefty "ifs", especially when you consider that (a) physical
>access to a disk pretty much invalidates any security you might have
>wanted anyway; and (b) I'm not sure what extra security differing SIDs
>could even potentially provide, since two separate NT installations on
>the same physical volume can each access the others' "restricted" files,
>thus implying that it's the user's RID rather than the machine's SID
>which is used to set security on files.
>
>Just some random gripes.  But the long and the short of it is that I
>don't see how duplicate SIDs is going to hurt the vast majority of
>users.  Especially when you consider the efficiency of the disk-duping
>process, in contrast to the ugly behemoth that is sysdiff.  Microsoft's
>documentation for their recommended process runs to well over a hundred
>pages, and this doesn't count the half-dozen technet articles that are
>required to even come close to making the thing work.  Trying to be a
>good MCSE, I fought with it for over a week, before finally giving up.
>
>MS is gonna realize this eventually, and I suspect they'll probably
>change their stance when they realize how widespread the whole practice
>is.
>
>---------------------------------------------------------------------
>Ken Smith       503-685-1045 (Business)
>Desktop Services        503-780-4458 (Cell)
>Mentor Graphics 800-717-9567 (Pager)
>
>"All understanding is self-understanding" -- Gadamer
>
>> -----Original Message-----
>> From: Mikel Beck 516-233-6864 [SMTP:mikel.beck@REUTERS.COM]
>> Sent: Friday, June 20, 1997 6:11 AM
>> To:   NTBUGTRAQ@RC.ON.CA
>> Subject:      Duplication Problem?
>>
>>
>>         I don't know if this is an NT bug, but a problem that affects
>> some of our NT4 installations. I was hoping that somebody may have
>> come across the same sort of thing and may offer some insight.
>>
>>         We have built a "baseline" NT installation disk. We use this
>> disk on a disk duplication machine to copy over to new disks for new
>> installations. We recently had a bunch of machines go bad. They all
>> lock up at some point during the day and need to be cold-booted. The
>> machines are all the same, from the same manufacturer, configured with
>> the same hardware. I find it hard to believe that 10 machines all have
>> bad components in them somewhere, so I believe that this problem was
>> caused by duplicating the disks.
>>
>>         Microsoft Knowledge Base article Q162001 talks about this
>> problem, using disk duplication to create new installations. It says
>> that each machine would wind up with the same SID. The article doesn't
>> say what would happen if more than one machine tried to use the same
>> SID, it just says it's a problem.
>>
>>         Has anybody heard of this sort of thing?
>>
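
Added example (not part of the original posts): a short Python check that splits account SIDs of the form shown above into the machine SID and the RID, then flags hosts that share a machine SID, which is the condition the Microsoft text describes for duplicated disks. The host names, account names, the WS3 SID and the inventory layout are constructed for illustration; the inventory is assumed to list local account SIDs only.

```python
from collections import defaultdict

# Machine SID printed in the post; WS3's value is constructed for contrast.
CLONED = "S-1-5-21-191058668-193157475-1542849698"
# Constructed inventory: host -> [(local account SID, account name)].
INVENTORY = {
    "WS1": [(CLONED + "-500", "administrator"), (CLONED + "-1000", "alice")],
    "WS2": [(CLONED + "-500", "administrator"), (CLONED + "-1000", "bob")],
    "WS3": [("S-1-5-21-1111111111-2222222222-3333333333-500", "administrator"),
            ("S-1-5-21-1111111111-2222222222-3333333333-1000", "carol")],
}

def split_account_sid(sid):
    """Return (machine_sid, rid) for an S-1-5-21-a-b-c-rid account SID."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a machine-relative account SID: {sid!r}")
    values = [int(p) for p in parts[4:]]  # a, b, c (3 x 32 bits) and the RID
    if any(not 0 <= v <= 0xFFFFFFFF for v in values):
        raise ValueError(f"sub-authority out of 32-bit range: {sid!r}")
    return "-".join(parts[:7]), values[3]

def find_clones(inventory):
    """Machine SIDs that appear on more than one host, with those hosts."""
    hosts = defaultdict(set)
    for host, accounts in inventory.items():
        for sid, _name in accounts:
            hosts[split_account_sid(sid)[0]].add(host)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}

def colliding_accounts(inventory):
    """Full account SIDs that exist on more than one host."""
    owners = defaultdict(list)
    for host, accounts in inventory.items():
        for sid, name in accounts:
            split_account_sid(sid)  # validate before trusting the string
            owners[sid].append((host, name))
    return {s: o for s, o in owners.items() if len({h for h, _ in o}) > 1}

if __name__ == "__main__":
    for machine_sid, hosts in find_clones(INVENTORY).items():
        print("duplicate machine SID", machine_sid, "on", ", ".join(hosts))
    for sid, owners in colliding_accounts(INVENTORY).items():
        print(sid, "->", owners)
```

In the constructed data, the -1000 SID names "alice" on WS1 and "bob" on WS2, while WS3, installed separately, shares nothing with either.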

