NewSID

Copyright © 1997-2002 Mark Russinovich and Bryce Cogswell

Last updated December 9, 2002 v4.0

Introduction

Many organizations use disk image cloning to perform mass rollouts of Windows. This technique involves copying the disks of a fully installed and configured Windows computer onto the disk drives of other computers. These other computers effectively appear to have been through the same install process, and are immediately available for use.

While this method saves hours of work and hassle over other rollout approaches, it has the major problem that every cloned system has an identical Computer Security Identifier (SID). This fact compromises security in Workgroup environments, and removable media security can also be compromised in networks with multiple identical computer SIDs.

Demand from the Windows community has led PowerQuest, Ghost Software and Altiris to develop programs that can change a computer's SID after a system has been cloned. However, PowerQuest's SID Changer and Ghost Software's Ghost Walker are only sold as part of each company's high-end product. Further, they both run from a DOS command prompt (Altiris' changer is similar to NewSID).

NewSID is a program we developed that changes a computer's SID. It is free, comes with full source, and is a Win32 program, meaning that it can easily be run on systems that have been previously cloned. NewSID works on Windows NT 4, Windows 2000, Windows XP and Windows .NET Server. Please read this entire article before you use this program.

Version Information:

Version 4.0 introduces support for Windows XP and .NET Server, a wizard-style interface, allows you to specify the SID that you want applied, and also the option to rename a computer (which results in a change of both NetBIOS and DNS names).
Version 3.02 corrects a bug where NewSID would not correctly copy default values with invalid value types when renaming a key with an old SID to a new SID. NT actually makes use of such invalid values at certain times in the SAM. The symptom of this bug was error messages reporting access denied when account information was updated by an authorized user.

Version 3.01 adds a work-around for an inaccessible Registry key that is created by Microsoft Transaction Server. Without the work-around NewSID would quit prematurely.

Version 3.0 introduces a SID-sync feature that directs NewSID to obtain a SID to apply from another computer.

Version 2.0 has an automated-mode option, and lets you change the computer name as well.

Version 1.2 fixes a bug that was introduced in 1.1 where some file system security descriptors were not updated.

Version 1.1 corrects a relatively minor bug that affected only certain installations. It also has been updated to change SIDs associated with the permission settings of file and printer shares.

Cloning and Alternate Rollout Methods

One of the most popular ways of performing mass Windows rollouts (typically hundreds of computers) in corporate environments is based on the technique of disk cloning. A system administrator installs the base operating system and add-on software used in the company on a template computer. After configuring the machine for operation in the company network, automated disk or system duplication tools (such as Ghost Software's Ghost, PowerQuest's Image Drive, Altiris' RapiDeploy, and Innovative Software's ImageCast) are used to copy the template computer's drives onto tens or hundreds of computers. These clones are then given final tweaks, such as the assignment of unique names, and then used by company employees.
Another popular way of rolling out is by using the Microsoft sysdiff utility (part of the Windows Resource Kit). This tool requires that the system administrator perform a full install (usually a scripted unattended installation) on each computer, and then sysdiff automates the application of add-on software install images.

Because the installation is skipped, and because disk sector copying is more efficient than file copying, a clone-based rollout can save dozens of hours over a comparable sysdiff install. In addition, the system administrator does not have to learn how to use unattended install or sysdiff, or create and debug install scripts. This alone saves hours of work.

The SID Duplication Problem

The problem with cloning is that it is only supported by Microsoft in a very limited sense. Microsoft has stated that cloning systems is only supported if it is done before the GUI portion of Windows Setup has been reached. When the install reaches this point the computer is assigned a name and a unique computer SID. If a system is cloned after this step the cloned machines will all have identical computer SIDs. Note that just changing the computer name or adding the computer to a different domain does not change the computer SID. Changing the name or domain only changes the domain SID if the computer was previously associated with a domain.

To understand the problem that cloning can cause, it is first necessary to understand how individual local accounts on a computer are assigned SIDs. The SIDs of local accounts consist of the computer's SID and an appended RID (Relative Identifier). The RID starts at a fixed value, and is increased by one for each account created. This means that the second account on one computer, for example, will be given the same RID as the second account on a clone.
The result is that both accounts have the same SID.

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts have SIDs based on the Domain SID. But, according to Microsoft Knowledge Base article Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup environment security is based on local account SIDs. Thus, if two computers have users with the same SID, the Workgroup will not be able to distinguish between the users. All resources, including files and Registry keys, that one user has access to, the other will as well.

Another instance where duplicate SIDs can cause problems is where there is removable media formatted with NTFS, and local account security attributes are applied to files and directories. If such media is moved to a different computer that has the same SID, then local accounts that otherwise would not be able to access the files might be able to if their account IDs happened to match those in the security attributes. This is not possible if the computers have different SIDs.

An article Mark has written, entitled "NT Rollout Options", was published in the June issue of Windows NT Magazine. It discusses the duplicate SID issue in more detail, and presents Microsoft's official stance on cloning. To see if you have a duplicate SID issue on your network, use PsGetSid to display machine SIDs.

NewSID

NewSID is a program we developed to change a computer's SID. It first generates a random SID for the computer, and proceeds to update instances of the existing computer SID it finds in the Registry and in file security descriptors, replacing occurrences with the new SID. NewSID requires administrative privileges to run. It has two functions: changing the SID, and changing the computer name.
To use NewSID's auto-run option, specify "/a" on the command line. You can also direct it to automatically change the computer's name by including the new name after the "/a" switch. For example:

newsid /a [newname]

has NewSID run without prompting, change the computer name to "newname" and reboot the computer if everything goes okay.

NewSID's SID-synchronizing feature allows you to specify that, instead of randomly generating one, the new SID should be obtained from a different computer. This functionality makes it possible to move a Backup Domain Controller (BDC) to a new Domain, since a BDC's relationship to a Domain is identified by it having the same computer SID as the other Domain Controllers (DCs). Simply choose the "Synchronize SID" button and enter the target computer's name. You must have permissions to change the security settings of the target computer's Registry keys, which typically means that you must be logged in as a domain administrator to use this feature.

Note that when you run NewSID the size of the Registry will grow, so make sure that the maximum Registry size will accommodate the growth. We have found that this growth has no perceptible impact on system performance. The reason the Registry grows is that it becomes fragmented as temporary security settings are applied by NewSID. When the settings are removed the Registry is not compacted.

Note that while we have thoroughly tested NewSID, you must use it at your own risk. As with any software that changes file and Registry settings, it is highly recommended that you completely back up your computer before running NewSID.

Moving a BDC

Here are the steps you should follow when you want to move a BDC from one domain to another:

Boot up the BDC you want to move and log in.
Use NewSID to synchronize the SID of the BDC with the PDC of the domain to which you wish to move the BDC.

Reboot the system for which you changed the SID (the BDC). Since the domain the BDC is now associated with already has an active PDC, it will boot as a BDC in its new domain.

The BDC will show up as a workstation in Server Manager, so use the "Add to Domain" button to add the BDC to its new domain. Be sure to select the BDC radio button when adding.

How it Works

NewSID starts by reading the existing computer SID. A computer's SID is stored in the Registry's SECURITY hive under SECURITY\SAM\Domains\Account. This key has a value named F and a value named V. The V value is a binary value that has the computer SID embedded within it at the end of its data. NewSID checks that this SID has the standard machine-SID layout, S-1-5-21-X-Y-Z in string form: three 32-bit subauthorities (X, Y and Z) preceded by a 12-byte prefix made up of the revision byte, the subauthority-count byte, the 6-byte identifier authority (5) and the fixed subauthority 21.

Next, NewSID generates a new random SID for the computer. NewSID's generation takes great pains to create a truly random 96-bit value, which replaces the 96 bits of the three subauthority values (X, Y and Z) that make up a computer SID.

Three phases of computer SID replacement follow. In the first phase, the SECURITY and SAM Registry hives are scanned for occurrences of the old computer SID in key values, as well as in the names of keys. When the SID is found in a value it is replaced with the new computer SID, and when the SID is found in a name, the key and its subkeys are copied to a new subkey that has the same name except with the new SID replacing the old.

The final two phases involve updating security descriptors. Registry keys and NTFS files have security associated with them.
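The SID layout, the random replacement and the first (value and key-name) phase described above, together with the local-account collision explained under "The SID Duplication Problem", as an added example in Python. This is not NewSID's source, and the machine SIDs, the filler bytes around the SID in the V-like value and the starting user RID of 1000 are assumptions made for the example. One detail a byte-for-byte search has to get right: an account SID (machine SID plus RID) is stored with subauthority count 5 while the bare machine SID carries count 4, so matching on the full 24-byte machine-SID encoding would miss every account SID; the value scan therefore matches from the identifier authority onward.

```python
import os
import re
import struct

# Constructed values for the example; not taken from a real machine.
OLD_MACHINE_SID = "S-1-5-21-1454471165-1417001333-1801674531"
FIRST_USER_RID = 1000   # first RID handed to a created account; built-ins sit below


def sid_to_bytes(sid):
    """Encode "S-R-A-s1-s2-..." in the binary SID layout Windows uses:
    revision (1 byte), subauthority count (1 byte), 6-byte big-endian
    identifier authority, then 32-bit little-endian subauthorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many subauthorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes; ignores anything after the last subauthority."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def machine_sid_from_v_value(v_data):
    """The computer SID is the last thing in the V value of
    SECURITY\\SAM\\Domains\\Account. A machine SID S-1-5-21-X-Y-Z encodes to
    exactly 24 bytes, so take the tail and check it has that shape."""
    sid = bytes_to_sid(v_data[-24:])
    if not re.fullmatch(r"S-1-5-21-\d+-\d+-\d+", sid):
        raise ValueError("trailing bytes are not a machine SID: " + sid)
    return sid


def random_machine_sid():
    """Keep the prefix and the fixed subauthority 21; replace only the three
    trailing subauthorities (96 bits), drawn from the OS CSPRNG."""
    x, y, z = struct.unpack("<3I", os.urandom(12))
    return "S-1-5-21-%d-%d-%d" % (x, y, z)


def local_account_sids(machine_sid, n_accounts):
    """RIDs are handed out sequentially, so two clones that share a machine
    SID give their k-th created local account the very same SID."""
    return ["%s-%d" % (machine_sid, FIRST_USER_RID + i) for i in range(n_accounts)]


def replace_sid_in_value(data, old_sid, new_sid):
    """Phase 1 for binary registry values. Match from the identifier authority
    onward (22 bytes) so that both the bare machine SID (count byte 4) and
    account SIDs (count byte 5, RID appended) are caught, with the RID kept.
    Old and new are the same length, so nothing else in the value moves.
    Returns (new_data, number_of_replacements)."""
    old_tail, new_tail = sid_to_bytes(old_sid)[2:], sid_to_bytes(new_sid)[2:]
    return data.replace(old_tail, new_tail), data.count(old_tail)


def replace_sid_in_name(name, old_sid, new_sid):
    """Phase 1 for key names such as S-1-5-21-...-1001: swap the machine-SID
    prefix, keep the RID. The lookahead stops a SID whose last subauthority
    merely begins with the old one's digits from being rewritten."""
    return re.sub(re.escape(old_sid) + r"(?=-|$)", new_sid, name)


if __name__ == "__main__":
    # Constructed stand-in for the V value: filler, then the machine SID.
    v_value = b"\x00" * 8 + sid_to_bytes(OLD_MACHINE_SID)
    old, new = machine_sid_from_v_value(v_value), random_machine_sid()
    print("clone A accounts:", local_account_sids(old, 2))
    print("clone B accounts:", local_account_sids(old, 2))   # identical
    blob = b"\x01\x02" + sid_to_bytes(old) + b"\x03" + sid_to_bytes(old + "-1001")
    fixed, hits = replace_sid_in_value(blob, old, new)
    print(old, "->", new, "replacements in value:", hits)
    print(replace_sid_in_name(old + "-1001", old, new))
```

The value scan deliberately does not look for the string form of the SID, since the SAM and SECURITY hives store SIDs in binary; key names under those hives are where the string form appears, which is why the name rewrite is a separate, text-based function.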
Security 269 descriptors consist of an entry that identifies 270 which account owns the resource, which group is 271 the primary group owner, an optional list of 272 entries that specify actions permitted by users or 273 groups (known as the Discretionary Access Control 274 List - DACL), and an optional list of entries that 275 specify which actions performed by certain users 276 or groups will generate entries in the system 277 Event Log (System Access Control List - SACL). A 278 user or a group is identified in these security 279 descriptors with their SIDs, and as I stated 280 earlier, local user accounts (other than the 281 built-in accounts such as Administrator, Guest, 282 and so on) have their SIDs made up of the computer 283 SID plus a RID. 284 285 The first part of security descriptor updates 286 occurs on all NTFS file system files on the 287 computer. Every security descriptor is scanned for 288 occurrences of the computer SID. When NewSID finds 289 one, it replaces it with the new computer SID. 290 291 The second part of security descriptor updates is 292 performed on the Registry. First, NewSID must make 293 sure that it scans all hives, not just those that 294 are loaded. Every user account has a Registry hive 295 that is loaded as HKEY_CURRENT_USER when the user 296 is logged in, but remains on disk in the user's 297 profile directory when they are not. NewSID 298 identifies the locations of all user hive 299 locations by enumerating the 300 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows 301 NT\CurrentVersion\ProfileList key, which points at 302 the directories in which they are stored. It then 303 loads them into the Registry using RegLoadKey 304 under HKEY_LOCAL_MACHINE and scans the entire 305 Registry, examining each security descriptor in 306 search of the old computer SID. Updates are 307 performed the same as for files, and when its done 308 NewSID unloads the user hives it loaded. 
As a 309 final step NewSID scans the HKEY_USERS key, which 310 contains the hive of the currently logged-in user 311 as well as the .Default hive. This is necessary 312 because a hive can't be loaded twice, so the 313 logged-in user hive won't be loaded into 314 HKEY_LOCAL_MACHINE when NewSID is loading other 315 user hives. 316 317 Finally, NewSID must update the ProfileList 318 subkeys to refer to the new account SIDs. This 319 step is necessary to have Windows NT correctly 320 associate profiles with the user accounts after 321 the account SIDs are changed to reflect the new 322 computer SID. 323 324 NewSID ensures that it can access and modify every 325 file and Registry key in the system by giving 326 itself the following privileges: System, Backup, 327 Restore and Take Ownership. 328 Using the Source 329 Full source code to NewSID has been provided for 330 educational purposes. You may not use this code in 331 a commercial or freeware SID-changing product, but 332 you may use its techniques in other programs for 333 private or commercial use. 334 335 336 337
Generated: Tue Mar 17 22:47:18 2015 | Cross-referenced by PHPXref 0.7.1 |