RE: strange account in Win2k

From: dlaumann@suntzu.net
Date: 05/29/02


From: dlaumann@suntzu.net
To: incidents@securityfocus.com
Date: Tue, 28 May 2002 17:36:52 -0500

you can inspect the registry key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>
for perhaps more information, specifically the value 'ProfileImagePath'.

this may be more info than you wanted but:
S-1-5-21-527237240-162531612-725345543-1008
S - indicates the value is a SID structure.
1 - indicates the revision level of the SID structure.
5 - indicates the authority that issued the SID, where 5 refers to "nt".
possible values are:
 null sid 0 S-1-0
 world sid 1 S-1-1
 local sid 2 S-1-2
 creator sid 3 S-1-3
 non unique 4 S-1-4
 nt 5 S-1-5
21 - indicates the sub authority domain identifier of the sid where 21
refers to nt (non unique).
possible values are:
 dialup 1 S-1-5-1
 network 2 S-1-5-2
 batch 3 S-1-5-3
 interactive 4 S-1-5-4
 logon ids 5 S-1-5-5
 service 6 S-1-5-6
 anonymous 7 S-1-5-7
 proxy 8 S-1-5-8
 enterprise 9 S-1-5-9
 principal self 10 S-1-5-10
 authenticated 11 S-1-5-11
 restricted 12 S-1-5-12
 terminal serv 13 S-1-5-13
 local sys 18 S-1-5-18
 ntnonuniq 21 S-1-5-21
 builtindomain 32 S-1-5-32
527237240-162531612-725345543 - the three 32-bit values make up the machine id.
1008 - indicates relative id.

some well known sids are:
Built-In Users
DOMAINNAME\ADMINISTRATOR S-1-5-21-527237240-162531612-725345543-500
DOMAINNAME\GUEST S-1-5-21-527237240-162531612-725345543-501

Built-In Global Groups
DOMAINNAME\DOMAIN ADMINS S-1-5-21-527237240-162531612-725345543-512
DOMAINNAME\DOMAIN USERS S-1-5-21-527237240-162531612-725345543-513
DOMAINNAME\DOMAIN GUESTS S-1-5-21-527237240-162531612-725345543-514

Built-In Local Groups
BUILTIN\ADMINISTRATORS S-1-5-32-544
BUILTIN\USERS S-1-5-32-545
BUILTIN\GUESTS S-1-5-32-546
BUILTIN\ACCOUNT OPERATORS S-1-5-32-548
BUILTIN\SERVER OPERATORS S-1-5-32-549
BUILTIN\PRINT OPERATORS S-1-5-32-550
BUILTIN\BACKUP OPERATORS S-1-5-32-551
BUILTIN\REPLICATOR S-1-5-32-552

Special Groups
\CREATOR OWNER S-1-3-0
\EVERYONE S-1-1-0
NT AUTHORITY\NETWORK S-1-5-2
NT AUTHORITY\INTERACTIVE S-1-5-4
NT AUTHORITY\SYSTEM S-1-5-18
NT AUTHORITY\authenticated users S-1-5-11

> While setting additional privileges on a Win2k web server I noticed that
> certain privileges (logon as batch job, act as part of o/s, logon locally
> and network) were applied to a very strange account -
> *S-1-5-21-527237240-162531612-725345543-1008 which is not seen as a user
> account. Any ideas folks ?
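
The breakdown above, as an added example that is not part of the original post: a small Python parser that splits a string SID into revision, authority, sub-authorities and RID, and names the parts using only the tables the post gives. The leading '*' shown in the quoted report is tolerated; the "created account" label for RIDs of 1000 and above is my own annotation, based on Windows assigning those RIDs to accounts created after installation.

```python
import re

# Added example (not from the post): parse a string SID the way the post
# breaks down S-1-5-21-527237240-162531612-725345543-1008, and name its
# parts using only the tables given in the post.

AUTHORITIES = {0: "null", 1: "world", 2: "local", 3: "creator",
               4: "non unique", 5: "nt"}
# First sub-authority under the NT (5) authority, from the post's table.
NT_SUBAUTH = {1: "dialup", 2: "network", 3: "batch", 4: "interactive",
              5: "logon ids", 6: "service", 7: "anonymous", 8: "proxy",
              9: "enterprise", 10: "principal self", 11: "authenticated",
              12: "restricted", 13: "terminal serv", 18: "local sys",
              21: "ntnonuniq", 32: "builtindomain"}
# Well-known RIDs under S-1-5-21-<machine id> and under S-1-5-32 (BUILTIN).
DOMAIN_RIDS = {500: "ADMINISTRATOR", 501: "GUEST", 512: "DOMAIN ADMINS",
               513: "DOMAIN USERS", 514: "DOMAIN GUESTS"}
BUILTIN_RIDS = {544: "ADMINISTRATORS", 545: "USERS", 546: "GUESTS",
                548: "ACCOUNT OPERATORS", 549: "SERVER OPERATORS",
                550: "PRINT OPERATORS", 551: "BACKUP OPERATORS",
                552: "REPLICATOR"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(sid: str) -> dict:
    """Split a string SID into revision, authority, sub-authorities and RID.
    A leading '*' (as in the quoted report) is tolerated and stripped."""
    m = SID_RE.match(sid.strip().lstrip("*"))
    if not m:
        raise ValueError(f"not a string SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-") if x]
    if revision != 1 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"unsupported revision or non-32-bit field: {sid!r}")
    out = {"revision": revision, "authority": AUTHORITIES.get(authority, "unknown"),
           "subauthorities": subs, "machine_id": None, "rid": None, "name": None}
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        # NT non-unique SID: three 32-bit machine id values, then the RID.
        out["machine_id"], out["rid"] = tuple(subs[1:4]), subs[4]
        out["name"] = DOMAIN_RIDS.get(out["rid"])
        if out["name"] is None and out["rid"] >= 1000:
            # RIDs from 1000 up are handed to accounts created after install;
            # one that no longer resolves to a name is usually a deleted account.
            out["name"] = "<created account, RID %d; may be deleted>" % out["rid"]
    elif authority == 5 and len(subs) == 2 and subs[0] == 32:
        out["rid"], out["name"] = subs[1], BUILTIN_RIDS.get(subs[1])
    elif authority == 5 and len(subs) == 1:
        out["name"] = NT_SUBAUTH.get(subs[0])
    return out
```

Feeding the SID from the quoted question returns the machine id triple and RID 1008, which is not one of the well-known RIDs listed above.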

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
