Security identifiers
Instead of using names (which might or might not be unique) to identify entities that perform actions in a system, Windows uses security identifiers (SIDs). Users have SIDs, as do local and domain groups, local computers, domains, domain members, and services. A SID is a variable-length numeric value that consists of a SID structure revision number, a 48-bit identifier authority value, and a variable number of 32-bit subauthority or relative identifier (RID) values. The authority value identifies the agent that issued the SID, and this agent is typically a Windows local system or a domain. Subauthority values identify trustees relative to the issuing authority, and RIDs are simply a way for Windows to create unique SIDs based on a common base SID. Because SIDs are long and Windows takes care to generate truly random values within each SID, it is virtually impossible for Windows to issue the same SID twice on machines or domains anywhere in the world.
When displayed textually, each SID carries an S prefix, and its various components are separated with hyphens like so:
S-1-5-21-1463437245-1224812800-863842198-1128
In this SID, the revision number is 1, the identifier authority value is 5 (the Windows security authority), and four subauthority values plus one RID (1128) make up the remainder of the SID. This SID is a domain SID, but a local computer on the domain would have a SID with the same revision number, identifier authority value, and number of subauthority values.
When you install Windows, the Windows Setup program issues the computer a machine SID. Windows assigns SIDs to local accounts on the computer. Each local-account SID is based on the source computer's SID and has a RID at the end. RIDs for user accounts and groups start at 1000 and increase in increments of 1 for each new user or group. Similarly, Domain Controller Promote (Dcpromo.exe), the utility used to create a new Windows domain, reuses the computer SID of the computer being promoted to domain controller as the domain SID and creates a new SID for the computer if it is ever demoted. Windows issues new domain accounts SIDs that are based on the domain SID and have an appended RID (again starting at 1000 and increasing in increments of 1 for each new user or group). A RID of 1028 indicates that the SID is the twenty-ninth SID the domain issued.
Windows issues SIDs that consist of a computer or domain SID with a predefined RID to many predefined accounts and groups. For example, the RID for the Administrator account is 500, and the RID for the guest account is 501. A computer's local Administrator account, for example, has the computer SID as its base with the RID of 500 appended to it:
S-1-5-21-13124455-12541255-61235125-500
Windows also defines a number of built-in local and domain SIDs to represent well-known groups. For example, a SID that identifies any and all accounts (except anonymous users) is the Everyone SID: S-1-1-0. Another example of a group that a SID can represent is the Network group, which is the group that represents users who have logged on to a machine from the network. The Network group SID is S-1-5-2. Table 7-2, reproduced here from the Windows SDK documentation, shows some basic well-known SIDs, their numeric values, and their use. Unlike users' SIDs, these SIDs are predefined constants, and have the same values on every Windows system and domain in the world. Thus, a file that is accessible by members of the Everyone group on the system where it was created is also accessible to Everyone on any other system or domain to which the hard drive where it resides happens to be moved. Users on those systems must, of course, authenticate to an account on those systems before becoming members of the Everyone group.
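
The SID structure and naming rules described above, as an added Python example (not from the original text): it converts between the binary and textual forms and splits an account SID into its base SID and RID. The binary layout (a revision byte, a subauthority-count byte, a big-endian 48-bit authority, little-endian 32-bit subauthorities) is the Windows SID structure rather than something this page states; the function names are illustrative, and treating the S-1-5-21 prefix shared by the page's examples as the mark of a machine or domain base SID is an assumption.

```python
import re
import struct

# Well-known values quoted in the text above.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-2": "Network"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def sid_from_bytes(raw: bytes) -> str:
    """Convert a binary SID to its S-<revision>-<authority>-<sub>... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match subauthority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])      # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_to_bytes(text: str) -> bytes:
    """Parse the decimal text form, range-checking every field."""
    # Revision, authority, then 0 to 15 subauthorities (the last is the RID).
    if not re.fullmatch(r"S(-[0-9]+){2,17}", text):
        raise ValueError(f"not a SID: {text!r}")
    revision, authority, *subs = (int(p) for p in text.split("-")[1:])
    if revision > 0xFF or authority >= 1 << 48:
        raise ValueError("revision or authority out of range")
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("subauthority exceeds 32 bits")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def describe(text: str) -> dict:
    """Split a SID into base SID and RID and name the well-known values."""
    sid_to_bytes(text)                               # validates the input
    if text in WELL_KNOWN_SIDS:
        return {"base": None, "rid": None, "name": WELL_KNOWN_SIDS[text]}
    base, _, rid = text.rpartition("-")
    # Assumption: S-1-5-21-a-b-c-RID is a machine or domain SID plus a RID.
    if text.startswith("S-1-5-21-") and text.count("-") == 7:
        return {"base": base, "rid": int(rid),
                "name": WELL_KNOWN_RIDS.get(int(rid))}
    return {"base": None, "rid": None, "name": None}
```

Because the base and the RID are separate fields, two accounts with the same RID on different machines or domains still have different SIDs, while the well-known constants compare equal everywhere.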