Security Incidents mailing list archives
RE: strange account in Win2k
From: "Kit" <kit () smallfoxx com>
Date: Tue, 28 May 2002 17:08:16 -0500
Basically, every domain upon creation has a unique SID. Every account and group within that domain has its own unique RID. You get an individual account's SID by combining the domain SID with the account's RID. Therefore, if you create a completely new domain (even with the same name, IP, etc.) every account will have a new SID because the domain has a different SID. This causes a problem because many permissions in NT/2000 are associated with the account SID rather than its textual name. The good thing about this is it allows you to change the name of the account without having to go back and redo all the permissions.

Having unique SIDs is also one of the main reasons to have multiple DCs. That way, in case one goes down, all the unique information is retained.

There's also a MSKB which points out the default accounts:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q163846

-K

-----Original Message-----
From: Maxime Ducharme [mailto:maxime () pandore-design com]
Sent: Tuesday, May 28, 2002 3:01 PM
To: incidents () securityfocus com
Subject: Re: strange account in Win2k

Hi guys,

I saw this thing when our domain controller crashed. The admin replaced it with a completely new domain controller which had the same IP, name & config.

When workstations started to reconnect to this new domain controller with old settings and SID, we saw this kind of account appear on almost all workstations.

We didn't find any way of getting it back, we had to delete and recreate all.

If someone happens to be able to explain what exactly happens I'd like to read about it.

Tia & bye

Max

----- Original Message -----
From: "Admiraal, J.E. (CDIV)" <J.E.Admiraal () lumc nl>
To: "'Mark Fagan'" <Mark.Fagan () esat com>; <incidents () securityfocus com>
Sent: Tuesday, May 28, 2002 1:02 PM
Subject: RE: strange account in Win2k

These account IDs are usually domain accounts that are not (yet) identified by the local machine. It could also be an account that no longer is recognised by the local machine. We have the same occurrences here, but waiting for a bit usually clears up everything to an understandable domain account ("domain\username").

-----Original Message-----
From: Mark Fagan [mailto:Mark.Fagan () esat com]
Sent: Tuesday 28 May 2002 17:30
To: incidents () securityfocus com
Subject: strange account in Win2k

While setting additional privileges on a Win2k webserver I noticed that certain privileges (logon as batch job, act as part of o/s, logon locally and network) were applied to a very strange account - *S-1-5-21-527237240-162531612-725345543-1008 which is not seen as a user account.

Any ideas, folks?

Mark Fagan
TDA
Esat Business
1 Grand Canal Quay
Dublin 2, Ireland.
E mark.fagan () esat com
www.esatbusiness.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
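The relationship Kit describes (account SID = domain SID + RID) can be checked offline when triaging an unresolved entry like the one Mark found. The following is an added example, not part of the original thread; the function names and the `KNOWN_ISSUERS` inventory are constructed for illustration, and only the SID ending in 1008 comes from the thread.

```python
import re
from typing import Dict, NamedTuple, Tuple

# Optional leading "*" is accepted because the SID in the thread is shown that way.
SID_RE = re.compile(r"^\*?S-1-(\d+)((?:-\d+)+)$")

# RIDs that are identical in every domain; accounts created later get RIDs >= 1000.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
}

class AccountSid(NamedTuple):
    domain_sid: str  # identifies the domain (or machine) that issued the account
    rid: int         # identifies the account within that issuer

def split_sid(text: str) -> AccountSid:
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    # Account SIDs have the shape S-1-5-21-<a>-<b>-<c>-<RID>, each part 32-bit.
    if m.group(1) != "5" or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain/machine account SID: {text!r}")
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority out of range: {text!r}")
    return AccountSid("S-1-5-21-" + "-".join(map(str, subs[1:4])), subs[4])

def triage(text: str, known_issuers: Dict[str, str]) -> Tuple[str, int, str]:
    """Return (status, rid, kind); 'orphaned' means no current issuer matches."""
    sid = split_sid(text)
    kind = WELL_KNOWN_RIDS.get(
        sid.rid, "created account" if sid.rid >= 1000 else "reserved RID")
    status = "resolvable" if sid.domain_sid in known_issuers else "orphaned"
    return status, sid.rid, kind

# Constructed inventory: the domain SID of a rebuilt domain (sample value).
KNOWN_ISSUERS = {"S-1-5-21-1111111111-2222222222-3333333333": "rebuilt domain"}

if __name__ == "__main__":
    for entry in ("*S-1-5-21-527237240-162531612-725345543-1008",   # from the thread
                  "S-1-5-21-1111111111-2222222222-3333333333-500"):  # constructed
        print(entry, triage(entry, KNOWN_ISSUERS))
```

In practice `KNOWN_ISSUERS` would hold the current domain SID and the local machine SID; an entry whose issuer matches neither is a leftover from a domain or machine that no longer exists.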
Current thread:
- strange account in Win2k Mark Fagan (May 28)
- RE: strange account in Win2k AJ Decker (May 28)
- RE: strange account in Win2k Rick Darsey (May 28)
- Re: strange account in Win2k Dan Cuthbert (May 28)
- Re: strange account in Win2k Kevin (May 28)
- <Possible follow-ups>
- RE: strange account in Win2k Admiraal, J.E. (CDIV) (May 28)
- Re: strange account in Win2k Maxime Ducharme (May 28)
- RE: strange account in Win2k Kit (May 28)
- Re: strange account in Win2k Maxime Ducharme (May 28)
- RE: strange account in Win2k dlaumann (May 28)
- RE: strange account in Win2k Mark Fagan (May 29)