[sdw2003] Windows 7 deployment options...

Domain Support domainsupport at gmail.com
Tue Nov 24 14:13:47 PST 2009


"In other words, it’s not the SID that ultimately gates access to a
computer, but an account’s user name and password: simply knowing the SID of
an account on a remote system doesn’t allow you access to the computer or
any resources on it.  As further evidence that a SID isn’t sufficient,
remember that built-in accounts like the Local System account have the same
SID on every computer, something that would be a major security hole if it
was.

As I said earlier, there’s one exception to the rule, and that’s DCs themselves.
Every Domain has a unique Domain SID that’s randomly generated by Domain
setup, and all machine SIDs for the Domain’s DCs match the Domain SID. So
in some sense, that’s a case where machine SIDs do get referenced by other
computers. That means that Domain member computers cannot have the same
machine SID as that of the DCs and therefore Domain. However, like member
computers, each DC also has a computer account in the Domain, and that’s the
identity they have when they authenticate to remote systems.

Some articles on SID duplication, including this KB article
<http://support.microsoft.com/kb/314828>,
warn that if multiple computers have the same SID, that resources on
removable media like an NTFS-formatted firewire disk can’t be secured to a
local account. What they fail to mention is that permissions on removable
media provide no security regardless, because a user can connect them to
computers running operating systems that don’t honor NTFS permissions.
Moreover, removable media tend to have default permissions that grant access
to well-known SIDs, such as to the Administrators group, which are the same
on all systems. That’s the fundamental rule of physical security and why
Windows 7 introduced BitLocker To Go, which enables you to encrypt removable
storage.

The final case where SID duplication would be an issue is if a distributed
application used machine SIDs to uniquely identify computers. No Microsoft
software does so and using the machine SID in that way doesn’t work just for
the fact that all DCs have the same machine SID. Software that relies on
unique computer identities either uses computer names or computer Domain
SIDs (the SID of the computer accounts in the Domain)."



On Tue, Nov 24, 2009 at 2:10 PM, Thaddeus Braun <
Thaddeus.Braun at taylorguitars.com> wrote:

> Can you show me the Microsoft page where it says that? If that's true,
> I'd be STOKED!!
>
> -----Original Message-----
> From: sdw2003-bounces at mattware.com [mailto:sdw2003-bounces at mattware.com]
>  On Behalf Of Domain Support
> Sent: Tuesday, November 24, 2009 2:07 PM
> To: San Diego Windows 2003 User Group
> Subject: Re: [sdw2003] Windows 7 deployment options...
>
> Changing SIDs is not important; it poses no real problem or threat to
> Windows. This has been a fallacy for a while now....
>
>
>
> On Tue, Nov 24, 2009 at 2:05 PM, Thaddeus Braun <
> Thaddeus.Braun at taylorguitars.com> wrote:
>
> > I should rephrase that...you can ghost, but you can't change the SID
> > afterwards with NewSID anymore, the usual method for getting a PC onto
> > the network in a unique manner. Without a unique SID, you're bucking for
> > trouble. Ideas? Thoughts? I'd love to hear an alternative...
> >
> > -----Original Message-----
> > From: sdw2003-bounces at mattware.com [mailto:sdw2003-bounces at mattware.com]
> > On Behalf Of Tracy Reed
> > Sent: Tuesday, November 24, 2009 1:30 PM
> > To: San Diego Windows 2003 User Group
> > Subject: Re: [sdw2003] Windows 7 deployment options...
> >
> > On Tue, Nov 24, 2009 at 01:27:19PM -0800, Thaddeus Braun spake thusly:
> > > As long as we're on the subject, has anyone out there gone through a Win
> > > 7 deployment? We can't use Ghost imaging anymore so I need to get up to
> > > speed on how to do imaging with Win 7. Anyone?
> >
> > Why can you not use Ghost imaging anymore?
> >
> > --
> > Tracy Reed
> > http://tracyreed.org
> > _______________________________________________
> > sdw2003 mailing list
> > sdw2003 at mattware.com
> > http://lists.mattware.com/mailman/listinfo/sdw2003
> >
>
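The quoted explanation turns on how a SID is built: well-known SIDs such as Local System are the same on every computer, while an account SID is a machine SID or domain SID followed by a RID. The helper below is added here as an example, not code from the thread or from Microsoft; it parses the S-1-5-... string format, flags well-known SIDs, and splits an account SID into its issuing machine or domain SID and RID so ACL entries on a cloned image can be classified. The sample SID values are constructed.

```python
from typing import NamedTuple, Optional

# Well-known SIDs are identical on every Windows installation and carry no
# machine or domain prefix, so a duplicated machine SID changes nothing about
# what they grant (values from Microsoft's well-known SID list).
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-18": "Local System",
              "S-1-5-19": "Local Service", "S-1-5-20": "Network Service",
              "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users"}
# Well-known RIDs issued beneath a machine SID or domain SID (S-1-5-21-...).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

class Sid(NamedTuple):
    revision: int
    authority: int
    sub_authorities: tuple

def parse_sid(text: str) -> Sid:
    """Parse 'S-<revision>-<authority>-<sub-authority>...' and validate it."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    # Revision is 1, the authority is 48 bits, sub-authorities are 32 bits, at most 15.
    if revision != 1 or authority >> 48 or len(subs) > 15 or any(s >> 32 for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return Sid(revision, authority, subs)

def format_sid(sid: Sid) -> str:
    return "-".join(["S", str(sid.revision), str(sid.authority), *map(str, sid.sub_authorities)])

def issuer_of(account_sid: str) -> Optional[str]:
    """Machine or domain SID that issued an account SID (the prefix before the RID).
    None for well-known and other SIDs, which no machine or domain issues."""
    sid = parse_sid(account_sid)
    if sid.authority != 5 or len(sid.sub_authorities) != 5 or sid.sub_authorities[0] != 21:
        return None
    return format_sid(sid._replace(sub_authorities=sid.sub_authorities[:-1]))

def describe(account_sid: str) -> str:
    """Classify a SID seen in an ACL, e.g. when reviewing a cloned image."""
    if account_sid in WELL_KNOWN:
        return f"well-known: {WELL_KNOWN[account_sid]} (same on every computer)"
    issuer = issuer_of(account_sid)
    if issuer is None:
        return "other SID"
    rid = parse_sid(account_sid).sub_authorities[-1]
    return f"{WELL_KNOWN_RIDS.get(rid, 'RID %d' % rid)} issued by {issuer}"
```

Two accounts with the same issuer prefix come from the same machine or domain; on a DC that prefix is the domain SID itself, as the quoted text notes.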

