Differences between revisions 2 and 4 (spanning 2 versions)
Revision 2 as of 2007-09-10 19:14:53
Size: 4353
Comment: make status table simple
Revision 4 as of 2009-03-16 03:33:45
Size: 4421
Editor: anonymous
Comment: converted to 1.6 markup
## page was renamed from DebianEdu/CipUX/Feature/Deploy/SidProblem

Status of the infrastructure project:

  Name: cipux-deploy-sid
  Concept: RobertGlowienka, GerhardPrade
  Participants: ChristianKuelker
  Programmers: -
  Status: planning
  Start: 2007-09-01
  End: -
  Planned-release: 3.4.6
  Alpha-release: -
  Beta-release: -
  Stable-release: -

Specific Win Problems (WinNT, Win2K, WinXP SID Problem)

WinNT, Win2K and WinXP each need their own SID per client to announce to a PDC. If a WinXP installation is cloned, every client ends up with the same SID.

Tools to change the SID:

  • Active Directory?
  • Samba?
  • Ghostwalker (Symantec's Ghost)
  • PowerQuest's Image Drive
  • Altiris' RapiDeploy
  • NewSID v4.10 (by Mark Russinovich and Bryce Cogswell)

NewSid

Microsoft does not support it; Microsoft supports Sysprep. NewSid is closed source, like bpbatch. It works on WinNT, Win2k, WinXP and Win.Net Server.

How it Works

  • Read the existing SID, stored in the Registry's SECURITY hive under SECURITY\SAM\Domains\Account. That key has values named F and V (binary); the SID is embedded at the end of the binary data.
  • Ensure that the SID is in the standard format (3 32-bit sub-authorities preceded by three 32-bit authority fields).
  • Generate a random 96-bit value; it replaces the 96 bits of the SID's 3 sub-authority values, which yields the new SID.
  • SID replacement (1): the SECURITY and SAM Registry hives are scanned for the old SID in key values and key names.
    • replace all SIDs in values
    • if the SID is part of a key name, copy the key and all its sub-keys under a new key with the changed name
  • SID replacement (2): updating security descriptors. A descriptor consists of:
    • 1. an entry saying who owns the resource
    • 2. the primary owner group
    • 3. an optional list of actions permitted to users/groups (Discretionary Access Control List, DACL)
    • 4. an optional list of which actions by users/groups generate entries in the system Event Log (System Access Control List, SACL)
    This matters because a normal user/group SID (not Administrator, Guest, ...) is the computer SID + RID.
    • change the security associated with Registry keys
    • change the security associated with all NTFS system files
  • SID replacement (3): all Registry hives (loaded, unloaded, local)
    • search the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList key for the profile directory of each user
      • every user has a Registry hive (loaded as HKEY_CURRENT_USER when logged in, but it remains on disk in the user's profile directory when not logged in)
      • load that hive using RegLoadKey under HKEY_LOCAL_MACHINE
    • scan the whole Registry for security descriptors
    • when done:
      • unload the user hives (which probably writes them back)
    • scan HKEY_USERS (contains the hive of the currently logged-in user)
    • scan .Default
    • update the ProfileList subkeys to refer to the new account SIDs
      • (necessary for Windows NT to associate profiles with user accounts after the account SIDs changed)

Source: (http://www.microsoft.com/technet/sysinternals/Utilities/NewSid.mspx)
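The SID handling the steps above describe (standard-format check, 96-bit sub-authority replacement, account SID = computer SID + RID, rewriting the old SID inside a binary value, and the duplicate-SID situation that cloning causes) as an added Python example; this is not NewSID's or CipUX's code and assumes only the public binary SID layout named in the docstring.

```python
"""Added example (not NewSID's or CipUX's code): work with the binary machine SID
format the steps above describe. Assumes the public Windows SID layout:
1 byte revision, 1 byte sub-authority count, 6-byte big-endian authority,
then 32-bit little-endian sub-authorities (24 bytes for a standard machine SID)."""
import secrets
import struct

def parse_sid(data):
    """Decode a binary SID into (revision, authority, [sub-authorities])."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = list(struct.unpack_from("<%dI" % count, data, 8))
    return revision, authority, subs

def sid_to_str(data):
    rev, auth, subs = parse_sid(data)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def sid_from_str(text):
    parts = text.split("-")                      # "S-1-5-21-a-b-c"
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def is_standard_machine_sid(data):
    """The format check in the procedure: S-1-5-21 plus exactly three 32-bit sub-authorities."""
    rev, auth, subs = parse_sid(data)
    return rev == 1 and auth == 5 and len(subs) == 4 and subs[0] == 21

def sid_at_end(value):
    """The machine SID is embedded at the end of the binary Account value (assumed 24 bytes)."""
    return value[-24:]

def new_machine_sid(old, rand96=b""):
    """Replace the 96 bits of the three trailing sub-authorities with a random 96-bit value."""
    if not is_standard_machine_sid(old):
        raise ValueError("not a standard machine SID: " + sid_to_str(old))
    return old[:12] + (rand96 or secrets.token_bytes(12))   # keep 8-byte header + the '21'

def account_sid(machine, rid):
    """Normal user/group SID = computer SID + RID (one extra sub-authority)."""
    return bytes([machine[0], machine[1] + 1]) + machine[2:] + struct.pack("<I", rid)

def replace_sid_in_value(value, old, new):
    """Step (1) for a binary value: every occurrence of the old SID is rewritten."""
    return value.replace(old, new)

def duplicate_machine_sids(inventory):
    """Defender check for cloned clients: map each machine SID shared by several hosts to those hosts."""
    seen = {}
    for host, sid in inventory.items():          # inventory: {hostname: binary machine SID}
        seen.setdefault(sid_to_str(sid), []).append(host)
    return {s: hosts for s, hosts in seen.items() if len(hosts) > 1}
```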

Windows Vista

  • can only be cloned (even during installation from DVD)
  • Vista images are stored in the Windows Imaging Format (WIM). A WIM may contain several sub-images; identical sub-images are not stored twice.

Source: (http://www.computerwoche.de/produkte_technik/software/581896/)

(SID: Samba Tool)