Windows Security Series #1 (SIDs, SATs, Workgroups & Domains)


Core Windows Concepts, Part 1

Okay let's get started!

Let's start from the moment you boot your computer and type your password under your username.

That username of yours is only there so you can recognize your account easily; it is not how Windows identifies you. Windows uses what's called a SID (Security Identifier) to tell user accounts apart.

*What's a SID?

-A SID (Security Identifier) is how the system identifies you as an individual user. When you log on, the account Windows actually resolves, authorizes and audits is the SID, not the username. You can think of it like your social security number: a unique number that identifies you as a user. You will never find two accounts with the same SID, just as you will never see two citizens with the same social security number. A SID looks like S-1-5-21-<three numbers identifying the machine or domain that created the account>-<RID>, where the last part, the relative identifier, names the account; RID 500, for example, is always the built-in Administrator account. Renaming an account does not change its SID, and deleting an account and recreating it with the same name produces a brand-new SID that inherits none of the old one's permissions. So under the hood we are SIDs, not usernames.

Okay, great. So now you've typed your password and you're ready to launch your Explorer process along with the others. Question: how does the OS keep track of you? Yes, you're authenticated and the system is sure you're a valid user, but does that mean you're permitted to do anything you desire? Of course not: if I'm an Administrator, different access controls and privileges apply to me than if I'm a regular user. For this, Windows uses what its documentation calls an access token (this series abbreviates it SAT, Security Access Token), so it knows exactly who you are and what you're permitted, or not permitted, to do.

*What's a SAT?

-A SAT (Security Access Token) is like your ID (driver's license, passport, anything that identifies you and lets an authority trust you; here the OS is the authority that checks the ID). Just as you cannot enter your company or your college without your ID, you cannot start using your account without this one. After you authenticate with your password, Windows builds a token for your logon session, and a copy of it is attached to every process you launch. Whenever that process tries to open a file, a registry key or another process, the kernel compares the token with the object's permissions, so it knows who owns the process and who is requesting the action, and with that knowledge of "who is behind the process" it can allow or deny the action and also audit it.

Okay, so far so good. So what does that ID (SAT) contain? What information does it hold that is, hopefully, enough for Windows to identify us and regulate our activities accurately? The three parts that matter most (a token carries a few more fields, such as its integrity level and the default owner for objects the process creates, but these three drive most access decisions) are:

1- Your SID. Which of course makes sense: the Security Identifier your logon was resolved to in the first place.

2- The SIDs of your groups. What kind of groups? Administrators, Users, Guests and others as well. YES! Windows identifies groups by SIDs too, not by their names; BUILTIN\Administrators, for example, is always S-1-5-32-544.

3- Your privileges on the machine, such as the take-ownership privilege (SeTakeOwnershipPrivilege), along with others.

Let's take a look, shall we? Open your Windows command prompt, run it as an administrator, and type the following command without the double quotes: "whoami /all /fo list". As in the screenshot below, it prints the three parts we've just talked about.

[Screenshot: whoami /all /fo list output from an elevated command prompt, user and group information]


Here you can clearly see your own SID, and under Group Information the SIDs of the groups you belong to. Scroll down further to see your privileges on the machine.

[Screenshot: the Privileges Information section of the same output]

Don't freak out if they look overwhelming. We will discuss the dangerous ones in an upcoming article; for now just get familiar with them, or start googling if you like.

Remember when I said that the main function of the SAT is to differentiate between users so that the OS can decide which actions are permitted depending on who you really are? If I'm an administrator I should have more privileges than a regular user, right? So let's compare the SAT of a regular user with the SAT of an administrator.

The one you already saw (if you opened your command prompt as an administrator) is the administrator SAT. If you keep scrolling down you will clearly see that you have a lot of privileges on the machine, hence many more actions you're allowed to perform.

IMPORTANT NOTICE: even though the State of some privileges shows Disabled, that doesn't mean you can't use them! As long as a privilege is in your SAT, the process can enable it (through the AdjustTokenPrivileges API; Disabled is just the default state) and start using it. The only privileges you truly cannot use are the ones that are not in the token at all. That is exactly why tools that need SeDebugPrivilege first enable it, and why a privilege listed as Disabled in an attacker's token is still a privilege they hold.

[Screenshot: privileges listed with State: Disabled in the elevated token]

Now let's launch the command prompt WITHOUT running it as an administrator, so we can see the difference between the administrator's SAT and a regular user's SAT.

[Screenshot: whoami /all /fo list output from a non-elevated command prompt]

That process (the command prompt) now runs with a non-elevated token, so of course the privileges in its SAT differ from before. If your account is a member of Administrators, this is still the same account with the same user SID: UAC has built a filtered version of the token in which the Administrators group is marked "Group used for deny only" and most privileges have been removed, which is why it looks like a standard user's token. Scroll down to the privileges.

[Screenshot: privileges section of the non-elevated token]

THAT'S IT! That's all the privileges in your regular-user SAT. So if you try to do some "admin work" with that process (the command prompt launched as a normal user), most of your actions will be denied by the OS because you don't have enough privileges in your SAT. And that's why, when you have a problem on Windows and look for solutions online, most of them direct you to open the command prompt as an administrator; otherwise it won't work.
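To make the comparison concrete, here is an added Python example (not part of the original article) that parses the list-format output of whoami /all for both prompts and diffs the two tokens. The two dumps are constructed to look like real output but with made-up values: the machine SID S-1-5-21-1111111111-2222222222-3333333333 and the account ws01\khaled are hypothetical. The example shows that both prompts carry the same user SID, that the non-elevated token keeps the Administrators group only as a deny-only entry, and that a privilege shown as Disabled is still present (and therefore usable) in the elevated token while the same privilege is simply absent from the filtered one.

```python
import re

# Two constructed dumps shaped like "whoami /all /fo list" output for the same
# account, trimmed to the fields used below (Type and Description lines dropped).
# The machine SID S-1-5-21-1111111111-2222222222-3333333333 and the user
# ws01\khaled are made up for this example, not captured from a real host.
ELEVATED_TOKEN = r"""USER INFORMATION
----------------

User Name: ws01\khaled
SID:       S-1-5-21-1111111111-2222222222-3333333333-1001

GROUP INFORMATION
-----------------

Group Name: BUILTIN\Administrators
SID:        S-1-5-32-544
Attributes: Mandatory group, Enabled by default, Enabled group, Group owner

PRIVILEGES INFORMATION
----------------------

Privilege Name: SeDebugPrivilege
State:          Disabled

Privilege Name: SeChangeNotifyPrivilege
State:          Enabled
"""
# Same logon, same user SID, but UAC-filtered: Administrators is kept only to
# deny access, and SeDebugPrivilege is gone from the token, not merely disabled.
FILTERED_TOKEN = r"""USER INFORMATION
----------------

User Name: ws01\khaled
SID:       S-1-5-21-1111111111-2222222222-3333333333-1001

GROUP INFORMATION
-----------------

Group Name: BUILTIN\Administrators
SID:        S-1-5-32-544
Attributes: Group used for deny only

PRIVILEGES INFORMATION
----------------------

Privilege Name: SeChangeNotifyPrivilege
State:          Enabled
"""

HEADER = re.compile(r"^(USER|GROUP|PRIVILEGES) INFORMATION$")
ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators

def parse_whoami(text):
    """Split the list-format dump into user SID, groups (by SID) and privileges (by name)."""
    token = {"user_name": "", "user_sid": "", "groups": {}, "privileges": {}}
    section, rec = None, {}
    def flush():                  # store the record collected so far, keyed by section
        nonlocal rec
        if rec and section == "USER":
            token["user_name"], token["user_sid"] = rec.get("User Name", ""), rec.get("SID", "")
        elif rec and section == "GROUP":
            token["groups"][rec["SID"]] = {"name": rec.get("Group Name", ""),
                                           "attributes": rec.get("Attributes", "")}
        elif rec and section == "PRIVILEGES":
            token["privileges"][rec["Privilege Name"]] = rec.get("State", "")
        rec = {}
    for line in text.splitlines():
        stripped = line.strip()
        if HEADER.match(stripped):
            flush()
            section = HEADER.match(stripped).group(1)
        elif not stripped or set(stripped) == {"-"}:
            flush()               # a blank line or the header underline ends a record
        else:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
    flush()
    return token

def is_deny_only(token, sid):
    return "deny only" in token["groups"].get(sid, {}).get("attributes", "").lower()

def is_elevated(token):           # Administrators must be present AND usable
    return ADMINISTRATORS in token["groups"] and not is_deny_only(token, ADMINISTRATORS)

def privilege_status(token, name):
    """'absent' (unusable), 'disabled' (present, the process may enable it) or 'enabled'."""
    state = token["privileges"].get(name)
    return "absent" if state is None else state.lower()

def compare_tokens(elevated, filtered):
    return {"same_user_sid": elevated["user_sid"] == filtered["user_sid"],
            "lost_privileges": sorted(set(elevated["privileges"]) - set(filtered["privileges"])),
            "deny_only_groups": sorted(g["name"] for s, g in filtered["groups"].items()
                                       if is_deny_only(filtered, s))}

if __name__ == "__main__":
    print(compare_tokens(parse_whoami(ELEVATED_TOKEN), parse_whoami(FILTERED_TOKEN)))
```

Run it with python3 on any OS. To try it against your own machine, replace the two constants with the output of whoami /all /fo list from an elevated prompt and from a normal one; the parser ignores the Type and Description lines that the real output adds.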

I hope you now have a feel for what SIDs and SATs are. If not, please step back and keep googling around until you really absorb it.


Workgroups and Domains

In general, your Windows machine on a network will be part of either a workgroup or a domain, and the main difference between them is how accounts and resources on the network are managed.

Let me ask you a question. If I'm an Egyptian holding a valid driving license from Egypt, can I use that license when I travel to the UK? Can I go to any other country, buy a car, start driving, and show that license to any police officer who stops me? OF COURSE NOT! Why not? It's valid, so what's the problem? The problem is that, even though it's a valid license, it was issued by another country, and the UK doesn't trust that country's procedures for issuing licenses. So the license only works there, not here. If I want to drive in the UK, the UK must issue me a license of its own. All of that is kind of intuitive, right? So let me ask another question. Assuming your Windows machine is a country of its own called Windows, what is your Windows driver's license? What is the ID that is always attached to your programs and processes so that Windows can trust you, allow certain actions and deny others? That's right: your SAT (Security Access Token).

Workgroups

That's the whole idea of a workgroup: the machines in a workgroup don't trust each other's driver's licenses (SATs). You can't use your Egyptian SAT, so to speak, to manage a UK machine. A token never leaves the machine that built it; when you connect to another workgroup computer, you present credentials, that computer checks them against its own local account database (the SAM), and it builds its own token for you. So to do anything on a computer you must have an account on that computer. Now, if you're an administrator with a workgroup of 20 machines, you can't have one administrator account that manages them all. The only way to administer a workgroup is to have an administrator account on every one of them, because again, each machine only trusts its own local accounts, not the accounts of any other computer.

Keep in mind that even if you create an administrator account on each machine with the same name and the same password, they are still DIFFERENT accounts, because each one has its own unique SID. So always remember: Windows doesn't care about the username, it cares about SIDs. One practical caveat: because each machine validates the credentials it receives against its own accounts, identical local administrator names and passwords across a workgroup do let one stolen password log on to every machine over the network. Use a different local administrator password on every machine.

Also be aware that you can still share folders and printers and do all kinds of networking in a workgroup.

Domains

Now let's assume that Egypt and Algeria, for example, make an agreement: if you have a valid driver's license in Egypt you can drive in Algeria, and if you have a valid driver's license in Algeria you can drive in Egypt. In fact, it's the same license, issued by an authority that both Egypt and Algeria trust. Wouldn't that be cool? In a workgroup, to access any other computer you must get a new license there, separate from the one you have on your current machine. Now you can be issued one driver's license and use it here and there. If you have 500 computers you no longer need 500 administrator accounts to manage them: they all trust a central authority that issues you a license you can use to access any of them. That authority, which every computer in the domain trusts, is the Domain Controller (DC), and the directory that holds all the domain accounts (and their SIDs) is Active Directory. Every domain account's SID starts with the domain's own SID and ends with the account's RID, so a domain account is the same account on every member machine, while a local account's SID starts with the SID of the one machine that created it.
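As an added example (not from the original article), the following Python takes a list of (machine, account name, SID) observations such as whoami or Get-LocalUser would show on two machines, groups them by SID, and works out which issuer created each account. The machines WS01 and WS02, the domain CORP and all the SIDs are made up for the example; only the well-known SIDs and RIDs are real Windows values. Two local admin accounts with the same name come out as two different accounts, while the domain account is one SID seen on both machines. Note that a local account SID and a domain account SID look alike (both start with S-1-5-21), so the code has to be told the domain's SID to tell them apart; in a real domain you would take it from Get-ADDomain.

```python
# Constructed observations of (machine, account name as shown, SID) from two
# hypothetical machines WS01 and WS02 joined to a hypothetical domain CORP.
# Every S-1-5-21-... value here is made up; S-1-5-32-544 is the real
# well-known SID of BUILTIN\Administrators.
OBSERVED = [
    ("WS01", r"WS01\admin",             "S-1-5-21-111111111-222222222-333333333-500"),
    ("WS02", r"WS02\admin",             "S-1-5-21-444444444-555555555-666666666-500"),
    ("WS01", r"CORP\khaled",            "S-1-5-21-777777777-888888888-999999999-1105"),
    ("WS02", r"CORP\khaled",            "S-1-5-21-777777777-888888888-999999999-1105"),
    ("WS02", r"CORP\Domain Admins",     "S-1-5-21-777777777-888888888-999999999-512"),
    ("WS01", r"BUILTIN\Administrators", "S-1-5-32-544"),
]
# Hypothetical domain SID; on a real domain this comes from Get-ADDomain.
KNOWN_DOMAINS = {"S-1-5-21-777777777-888888888-999999999": "CORP"}

# Fixed Microsoft values: these SIDs exist on every machine, but each machine
# resolves them to its own local object (WS01's Administrators != WS02's).
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-18": "NT AUTHORITY\\SYSTEM",
                   "S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-545": "BUILTIN\\Users"}
RIDS_ANY_ISSUER = {500: "built-in Administrator", 501: "Guest"}
RIDS_DOMAIN_ONLY = {512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

def split_sid(sid):
    """'S-1-5-21-a-b-c-1105' -> (revision 1, identifier authority 5, [21, a, b, c, 1105])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]

def issuer_and_rid(sid):
    """For account SIDs (S-1-5-21-<issuer>-<RID>) return (issuer SID, RID), else (None, None).
    The issuer is either a machine's local SAM or a domain; the string alone does not say which."""
    _, authority, subs = split_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), subs[4]
    return None, None

def classify(sid, known_domains):
    """Say who issued the SID and what the RID means for that kind of issuer."""
    if sid in WELL_KNOWN_SIDS:
        return {"scope": "well-known", "issuer": None, "name": WELL_KNOWN_SIDS[sid]}
    issuer, rid = issuer_and_rid(sid)
    if issuer is None:
        return {"scope": "other", "issuer": None, "name": None}
    if issuer in known_domains:
        name = RIDS_ANY_ISSUER.get(rid) or RIDS_DOMAIN_ONLY.get(rid) or "account RID %d" % rid
        return {"scope": "domain", "issuer": known_domains[issuer], "name": name}
    return {"scope": "local", "issuer": issuer,
            "name": RIDS_ANY_ISSUER.get(rid) or "account RID %d" % rid}

def distinct_accounts(observed):
    """Group by SID: one SID is one account, whatever name it shows on each machine."""
    by_sid = {}
    for machine, name, sid in observed:
        entry = by_sid.setdefault(sid, {"names": set(), "machines": set()})
        entry["names"].add(name)
        entry["machines"].add(machine)
    return {sid: {"names": sorted(v["names"]), "machines": sorted(v["machines"])}
            for sid, v in by_sid.items()}

if __name__ == "__main__":
    for sid, info in distinct_accounts(OBSERVED).items():
        print(sid, info, classify(sid, KNOWN_DOMAINS))
```

The two WS0x\admin entries share the name "admin" and the RID 500 but have different issuers, so they are two accounts that need two credentials; CORP\khaled is a single SID issued by the domain and therefore the same account on WS01 and WS02.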

Which is better?

There's no single right answer. It depends on your environment, and each one has its own advantages and disadvantages.

For example, managing an enterprise of 500 machines or more as a workgroup would be a nightmare, close to impossible. But in a domain, if an attacker steals one highly privileged domain account, he can damage the entire domain. In a workgroup, on the other hand, if a local account on one machine is stolen, he probably can't do much damage to the other machines, because he has no access to them (yet).

It's preferable to keep your DMZ servers in a workgroup (standalone machines) as long as they face the internet, so that if an account on one of them is compromised, your internal domain is still safe.

I'll let you google the uses, advantages and disadvantages of each, but anyway, I hope you got the general idea.

That's it for the first article. I hope you enjoyed it. Thank you!

Khaled Mansour.

Osama Zidan

DFIR Engineer | Threat Hunter

5 years

Great! Keep moving forward <3

Mohamed Elsaeed

Optical Transmission Engineer, TAC team, Huawei

5 years

Great job Khaled

Ramy Sherif

Cyber Assurance Manager at Banque Misr

5 years

Well done Khaled

Asheer Hasan

Experienced Microsoft Power Platform Solution Architect

5 years

Thanks for sharing
