A. At the start of the GUI phase of installation each NT/2000
installation generates a unique Security IDentifier (SID). If
you then clone a workstation each installation would have the same machine SID.
This is not a problem in a Windows NT 4.0 domain as users have a SID generated
by the domain controller and do not user the local workstation SID for security. It IS a
problem in a Windows 2000 domain as the local machine SID is used in nearly all aspects
of security and before migrating to 2000 you should resolve any duplicate SID
issues which may have been caused by cloning installations.
Duplicate local SID's are also a very big security risk in Workgroups, lets
look further.
In a workgroup the user accounts are based on the local workstation SID plus
a relative identifier (RID), if all the workstations had the same SID then the
first account generated (and so forth) on each workstation is the same because
of the duplicate local SID. This makes it impossible to secure files and folders
on a user basis since different users will have the same SID and all security is
based on the user SID.
An example illustrates this best:
Two workstations, wstation1 and wstation2 deployed using cloning software
each have duplicated SID's.
User John on wstation1 has a local machine account on wstation1 of
S-1-5-34-148593445-285934854-2859284934-1010.
User Kevin on wstation2 has a local machine account on wstation1 of
S-1-5-34-148593445-285934854-2859284934-1010.
User John saves private work on an NTFS drive and creates a share called
private
that only he can access. If Kevin browses the network and attempts connection he
will have full access as his SID is identical to John's. There is no way to
differentiate between them. Expand this to 100 machines installed via
duplication all with the same local SID then you can see you have no security.
Any files stored on removable media with security would also be vulnerable.
Microsoft has a tool, SYSPREP, which can be used on a workstation system
BEFORE cloning which resolves the SID problem by generating a new SID when the
new cloned installations are started. SYSPREP is provided as standard in Windows
2000 and a version for 4.0 can be requested from Microsoft.
SYSPREP does have a few "problems" on Windows member servers as if
a server with several local accounts is cloned the SID of any extra accounts are
not updated, only the two primary accounts, Administrator and Guest are fixed. This
means other accounts would be left with the old SID and thus considered
orphaned.
Other SID fixing utilities are:
)
Register
Herzliche Grüsse,
Michael
steffen.kueppers@nfp.niedersachsen.de November 22, 2000