Security Incidents mailing list archives

RE: strange account in Win2k


From: dlaumann () suntzu net
Date: Tue, 28 May 2002 17:36:52 -0500

you can inspect the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID> for perhaps more information, specifically the key 'profileimagepath'.

this may be more info than you wanted but:
S-1-5-21-527237240-162531612-725345543-1008
s - indicates the value is a sid structure.
1 - indicates the revision level of the sid structure.
5 - indicates the authority that issued the sid where 5 refers to "nt"
possible values are:
 null sid       0       S-1-0
 world sid      1       S-1-1
 local sid      2       S-1-2
 creator sid    3       S-1-3
 non unique     4       S-1-4
 nt             5       S-1-5
21 - indicates the sub authority domain identifier of the sid where 21
refers to nt (non unique).
possible values are:
 dialup         1       S-1-5-1
 network        2       S-1-5-2
 batch          3       S-1-5-3
 interactive    4       S-1-5-4
 logon ids      5       S-1-5-5
 service        6       S-1-5-6
 anonymous      7       S-1-5-7
 proxy          8       S-1-5-8
 enterprise     9       S-1-5-9
 principal self 10      S-1-5-10
 authenticated  11      S-1-5-11
 restricted     12      S-1-5-12
 terminal serv  13      S-1-5-13
 local sys      18      S-1-5-18
 ntnonuniq      21      S-1-5-21
 builtindomain  32      S-1-5-32
527237240-162531612-725345543 - the three 32-bit values make up the machine id.
1008 - indicates the relative id.

some well known sids are:
Built-In Users
DOMAINNAME\ADMINISTRATOR            S-1-5-21-527237240-162531612-725345543-500
DOMAINNAME\GUEST                    S-1-5-21-527237240-162531612-725345543-501

Built-In Global Groups
DOMAINNAME\DOMAIN ADMINS            S-1-5-21-527237240-162531612-725345543-512
DOMAINNAME\DOMAIN USERS             S-1-5-21-527237240-162531612-725345543-513
DOMAINNAME\DOMAIN GUESTS            S-1-5-21-527237240-162531612-725345543-514

Built-In Local Groups
BUILTIN\ADMINISTRATORS              S-1-5-32-544
BUILTIN\USERS                       S-1-5-32-545
BUILTIN\GUESTS                      S-1-5-32-546
BUILTIN\ACCOUNT OPERATORS           S-1-5-32-548
BUILTIN\SERVER OPERATORS            S-1-5-32-549
BUILTIN\PRINT OPERATORS             S-1-5-32-550
BUILTIN\BACKUP OPERATORS            S-1-5-32-551
BUILTIN\REPLICATOR                  S-1-5-32-552

Special Groups
\CREATOR OWNER                      S-1-3-0
\EVERYONE                           S-1-1-0
NT AUTHORITY\NETWORK                S-1-5-2
NT AUTHORITY\INTERACTIVE            S-1-5-4
NT AUTHORITY\SYSTEM                 S-1-5-18
NT AUTHORITY\authenticated users    S-1-5-11

While setting additional privileges on a Win2k web server I noticed that certain privileges (logon as batch job, act as part of o/s, logon locally and network) were applied to a very strange account - *S-1-5-21-527237240-162531612-725345543-1008 which is not seen as a user account. Any ideas folks?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
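Decoding a SID string the way the reply above walks through it, as an added example that is not part of the original thread. The identifier-authority, well-known-SID and well-known-RID tables are the ones listed in the reply; the binary layout used by sid_to_bytes/sid_from_bytes (a revision byte, a subauthority-count byte, a 6-byte big-endian identifier authority, then 4-byte little-endian subauthorities) is the documented Windows SID structure, which goes beyond what the reply shows. Everything else (function names, the "created account" label for RIDs of 1000 and above) is this example's own choice.

```python
import struct

# Identifier authorities from the reply's first table (S-1-<authority>-...).
IDENTIFIER_AUTHORITIES = {
    0: "null", 1: "world", 2: "local", 3: "creator", 4: "non unique", 5: "nt",
}

# Well-known SIDs listed in the reply, keyed by their string form.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "\\EVERYONE",
    "S-1-3-0": "\\CREATOR OWNER",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\authenticated users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\ADMINISTRATORS",
    "S-1-5-32-545": "BUILTIN\\USERS",
    "S-1-5-32-546": "BUILTIN\\GUESTS",
    "S-1-5-32-548": "BUILTIN\\ACCOUNT OPERATORS",
    "S-1-5-32-549": "BUILTIN\\SERVER OPERATORS",
    "S-1-5-32-550": "BUILTIN\\PRINT OPERATORS",
    "S-1-5-32-551": "BUILTIN\\BACKUP OPERATORS",
    "S-1-5-32-552": "BUILTIN\\REPLICATOR",
}

# Well-known RIDs inside an S-1-5-21-<machine id> SID, from the reply.
WELL_KNOWN_RIDS = {
    500: "ADMINISTRATOR", 501: "GUEST",
    512: "DOMAIN ADMINS", 513: "DOMAIN USERS", 514: "DOMAIN GUESTS",
}


def parse_sid(sid):
    """Split 'S-R-A-s1-s2-...' into (revision, authority, [subauthorities])."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    subauthorities = [int(p) for p in parts[3:]]
    if len(subauthorities) > 15:  # SID_MAX_SUB_AUTHORITIES
        raise ValueError("too many subauthorities")
    return revision, authority, subauthorities


def decode_sid(sid):
    """Break a SID into the parts the reply describes; returns a dict."""
    revision, authority, subs = parse_sid(sid)
    canonical = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    info = {
        "sid": canonical,
        "revision": revision,
        "authority": authority,
        "authority_name": IDENTIFIER_AUTHORITIES.get(authority, "unknown"),
        "subauthorities": subs,
        "kind": "unknown",
        "machine_id": None,
        "rid": None,
        "name": WELL_KNOWN_SIDS.get(canonical),
    }
    if info["name"] is not None:
        info["kind"] = "well-known"
    elif authority == 5 and len(subs) == 5 and subs[0] == 21:
        # S-1-5-21-<three 32-bit machine/domain ids>-<relative id>
        info["kind"] = "domain account"
        info["machine_id"] = subs[1:4]
        info["rid"] = subs[4]
        info["name"] = WELL_KNOWN_RIDS.get(subs[4])
        if info["name"] is None and subs[4] >= 1000:
            # RIDs from 1000 up go to accounts and groups created after
            # setup; only that machine's SAM (or its ProfileList key)
            # can map such a RID back to a name.
            info["kind"] = "created account"
    elif authority == 5 and len(subs) == 2 and subs[0] == 32:
        info["kind"] = "builtin"
        info["rid"] = subs[1]
    return info


def sid_to_bytes(sid):
    """Pack a SID string into the binary SID structure."""
    revision, authority, subs = parse_sid(sid)
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(data):
    """Unpack the binary SID structure back into 'S-1-...' form."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15 or len(data) < 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


if __name__ == "__main__":
    # The SID from the original question, plus two well-known ones.
    for s in ("S-1-5-21-527237240-162531612-725345543-1008",
              "S-1-5-21-527237240-162531612-725345543-500",
              "S-1-5-32-544"):
        d = decode_sid(s)
        print("%-46s %-16s rid=%-5s name=%s" % (d["sid"], d["kind"], d["rid"], d["name"]))
        assert sid_from_bytes(sid_to_bytes(s)) == d["sid"]
```

For the SID in the question, the decoder reports the same machine id as the DOMAINNAME\ADMINISTRATOR SID in the reply's table and a relative id of 1008, i.e. an account created on that machine rather than a built-in one. The string form alone cannot say which account; that is what the ProfileList lookup in the reply (the ProfileImagePath value under the SID's key) is for.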

