Security principal is an entity that can have a security identifier (SID), SID is a (mostly) numeric representation of a security principal. The SID is actually what is used internally by the operating system. When you grant a user, a group, a service, or some other security principal permissions to an object, the operating system writes the SID and the permissions to the object’s Access Control List (ACL).
History of SIDs. The original concept of the SID called out each level of the hierarchy. Each layer included a new sub-authority, and an enterprise could lay out arbitrarily complicated hierarchies of issuing authorities. Each layer could, in turn, create additional authorities beneath it. In reality, this created a lot of overhead for setup and deployment, and made the management model group even more baroque. The notion of arbitrary depth identities did not survive the early stages of development, although the structure was already too deeply ingrained to be removed. In practice, two SID patterns developed. For built-in, predefined identities, the hierarchy was compressed to a depth of two or three sub-authorities. For real identities of other principals, the identifier authority was set to five, and the set of sub-authorities was set to four.
A SID is composed of several required elements. SIDs always start with the literal “S,” which denotes them as a SID. They also always end with a relative identifier (RID). In between, they have 0 or more sub-authorities. The second value in a SID is always a revision level, which currently is always 1.
After the S-1- prefix, the remainder of a SID can vary greatly, but it always begins with an identifier authority denoting what entity issued them. The below shows the currently used identifier authorities.
0 : SECURITY_NULL_SID_AUTHORITY. Used for comparisons when the identifier authority is unknown.
1 : SECURITY_WORLD_SID_AUTHORITY. Used to construct SIDs that represent all users. For example, the SID for the Everyone group is S-1-1-0, created by appending the
WORLD RID (0) to this identifier authority, thereby selecting all users from that authority.
2 : SECURITY_LOCAL_SID_AUTHORITY. Used to build SIDs representing users that log on to a local terminal.
3 : SECURITY_CREATOR_SID_AUTHORITY. Used to construct SIDs that represent the creator or owner of an object. For example, the CREATOR OWNER SID is S-1-3-0, created by appending the creator owner RID (also 0) to this identifier authority. If S-1-3-0 is used in an inheritable ACL, it will be replaced by the owner's SID in child objects that inherit this ACL. S-1-3-1 is the CREATOR GROUP SID and has the same effect but will take on the SID for the creator's primary group instead.
5 : SECURITY_NT_AUTHORITY. The operating system itself. SIDs starting with S-1-5 were issued by a computer or a domain. Most of the SIDs you will see start with S-1-5.
After the identifier authority the SID has some number of sub-authorities. The last of these is called the relative identifier and is the identifier of the unique security principal within the realm where the SID was defined. To make this idea a little more concrete, consider the following SID:
As you have seen, the SID starts with S-1-5, indicating that it was issued by Windows NT. The first sub-authority is 21 (0x15 in hexadecimal). The 21 defines this as a Windows NT SID that is not guaranteed to be universally unique. It will be unique within the domain of its issuance, but there may be other SIDs in the universe of computers that have the same exact value. The first of the sub-authorities is very often a well-known sub authority. The below lists the more commonly encountered well-known sub-authorities.
Our SID then has three additional sub-authorities: 1534169462, 1651380828, and 111620651. These do not in and of themselves have any implicit meaning, but together they denote the domain or computer that issued the SID. In fact, the SID for the domain is S-1-5-21-1534169462-1651380828-111620651, and all SIDs issued in that domain will start with that value and end with some unique RID for the user or computer they denote. In this case the SID ends with 500, which is a well-known RID denoting the built-in Administrator account. 501 is the well-known RID for the built-in Guest account and 502 is the well-known RID for the Kerberos Ticket Granting Ticket (krbtgt).
5 : SIDs are issued to log-on sessions to enable permissions to be granted to any application running in a specific log-on session. These SIDs have the first sub-authority set to 5, and take the form S-1-5-5-x-y.
6 : When a process logs on as a service it gets a special SID in its token to denote that.
This SID has the sub-authority 6, and is always S-1-5-6.
21 : SECURITY_NT_NON_UNIQUE. Denotes user and computer SIDs that are not guaranteed to be universally unique.
32 : SECURITY_BUILTIN_DOMAIN_RID. Denotes built-in SIDs. For example, the well-known SID for the built-in Administrators group is S-1-5-32-544.
80 : SECURITY_SERVICE_ID_BASE_RID. Denotes SIDs for services.
As mentioned earlier, services also have SIDs in Windows Vista and Windows Server 2008. Service SIDs always start with S-1-5-80 and end with a number of sub-authorities that are deterministic based on the name of the service. This means that a given service has the same SID on all computers. It also means that you can retrieve the SID for an arbitrary service even if it does not exist. For example, to see what the SID would be for the “foo” service, run the sc showsid command, as follows:
C:\>sc showsid foo
SERVICE SID: S-1-5-80-2639291829-767035215-3510963033-3734144485-3832470211
If you try this on one of your servers, you will come up with the same answer. If you would rather have the friendly name for the service, use NT SERVICE\foo.
When a developer writes a program for Windows, he often needs to know the SID of some security principal. Usually SIDs can be easily constructed if only the RID is known because it is just appended to the computer or domain SID, as in the case of the Administrator account. However, for convenience, it is often desirable to have a shorter and static form of some SIDs. To provide this, the security model used in Windows includes a significant number of well-known SIDs—SIDs that are always the same across all computers. A few universally well-known SIDs are the same on all operating systems using this security model. These are the SIDs that start with S-1-1, S-1-2, or S-1-3.
In addition, Windows NT has a significant number of well-known SIDs. S-1-5-32 is the wellknown SID for the built-in domain, for example. It can, in turn, be combined with a well-known RID to form a well-known SID for a particular account. For example, the SID for the built-in Administrators group, whether on a domain or on a stand-alone computer, is always S-1-5-32-544. In the case of built-in groups the domain-relative RIDs can be combined with S-1-5-32 to form a SID that is valid on any computer where that user or group is relevant. Other accounts are appended to the domain to form the complete SID. This is the case with Domain Admins, for example, which takes the well-known RID 512 to create a SID such as S-1-5-21-1534169462-1651380828-111620651-512.
Well-Known Domain-Relative RIDs
500 : Administrator
501 : Guest
502 : Krbtgt
512 : Domain Admins
513 : Domain Users
514 : Domain Guests
515 : Domain Computers
516 : Domain Controllers
544 : Built-In Administrators
545 : Built-In Users
546 : Built-In Guests
SIDs may look very complicated, but once you understand the structure, they become quite simple to decipher. With a little practice, you will easily be able to tell whether a SID refers to a service, a well-known principal, or a user in a domain.
Source of Information : Microsoft Press Windows Server 2008 Security Resource Kit