You've seen the SID of the Administrators and Users groups and how the
presence of those SIDs in the token changes the privileges present and the access
granted. You've seen the LocalSystem SID. Let's discuss several other SIDs that might trip
you up.
Everyone
Is the SID for the Everyone group really in every single token? It actually depends. The registry
value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\everyoneincludesanonymous
can be either 0 or 1. Windows 2000 included the anonymous user in the Everyone
group, while XP, Windows Server 2003, and Vista do not. So on post-Win2K systems,
processes that make null IPC$ connections and anonymous website visits do not have
the Everyone group in their access token.
Authenticated Users
The SID of the Authenticated Users group is present for any process whose owner
authenticated onto the machine. This makes it effectively the same as the Windows XP
and Windows Server 2003 "Everyone" group, except that it doesn't contain the Guest
account.
Authentication SIDs
In attacking Windows Access Control, you might see access granted or denied based on
the authentication SID. Some common authentication SIDs are INTERACTIVE,
REMOTE INTERACTIVE, NETWORK, SERVICE, and BATCH.
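To check these SIDs on a machine you are auditing, the PowerShell below (an added example, not from the original text) reads the everyoneincludesanonymous value and reports which of the SIDs discussed above are in the current process token. The SID strings are the fixed Windows well-known values; the variable names are illustrative.

```powershell
# Added example: report the registry setting and the well-known SIDs in this token.
# Well-known SID strings are constant across Windows installations.
$wellKnown = [ordered]@{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-7'  = 'ANONYMOUS LOGON'
    'S-1-5-4'  = 'INTERACTIVE'
    'S-1-5-14' = 'REMOTE INTERACTIVE LOGON'
    'S-1-5-2'  = 'NETWORK'
    'S-1-5-6'  = 'SERVICE'
    'S-1-5-3'  = 'BATCH'
}

# Registry value that decides whether anonymous tokens carry the Everyone SID.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name 'everyoneincludesanonymous' -ErrorAction SilentlyContinue
if ($null -eq $lsa) {
    Write-Output 'everyoneincludesanonymous: value not present'
} elseif ([int]$lsa.everyoneincludesanonymous -eq 1) {
    Write-Output 'everyoneincludesanonymous = 1: anonymous tokens include Everyone'
} else {
    Write-Output 'everyoneincludesanonymous = 0: anonymous tokens do not include Everyone'
}

# Collect the user SID plus the enabled group SIDs from the current token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# One row per SID of interest, showing whether this token carries it.
foreach ($sid in $wellKnown.Keys) {
    [pscustomobject]@{
        SID     = $sid
        Name    = $wellKnown[$sid]
        InToken = $tokenSids -contains $sid
    }
}
```

Run it from a console session, a scheduled task, and a service to see the authentication SID change (INTERACTIVE, BATCH, SERVICE) while Everyone and Authenticated Users stay present.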