    • #1554693
      Paolo Maffezzoli
      Participant
      Post count: 398
      Member Points: 38,045
      4sysops member of the year 2018, Member of the Year 2019
      Rank: Level 4

      I have always considered Sysprep a must for a lot of reasons, but I still think about what Mark Russinovich (note: the NewSID creator) wrote in the article “The Machine SID Duplication Myth (and Why Sysprep Matters)”.

      In particular, the SID Duplication paragraph is the point where you understand that he considers SID duplication not a critical issue.

      The reason that Microsoft doesn’t support systems modified in this way is that, unlike Sysprep, these tools don’t necessarily know about all the places where Windows stashes away references to the machine SID. The reliability and security of a system that has a mix of the old and new machine SID can’t be guaranteed.

      So is having multiple computers with the same machine SID a problem? The only way it would be is if Windows ever references the machine SIDs of other computers. For example, if when you connected to a remote system, the local machine SID was transmitted to the remote one and used in permissions checks, duplicate SIDs would pose a security problem because the remote system wouldn’t be able to distinguish the SID of the inbound remote account from a local account with the same SID (where the SIDs of both accounts have the same machine SID as their base and the same RID). However as we reviewed, Windows doesn’t allow you to authenticate to another computer using an account known only to the local computer. Instead, you have to specify credentials for either an account local to the remote system or to a Domain account for a Domain the remote computer trusts. The remote computer retrieves the SIDs for a local account from its own Security Accounts Database (SAM) and for a Domain account from the Active Directory database on a Domain Controller (DC). The remote computer never references the machine SID of the connecting computer.

      And the conclusion …

      In other words, it’s not the SID that ultimately gates access to a computer, but an account’s user name and password: simply knowing the SID of an account on a remote system doesn’t allow you access to the computer or any resources on it.

      What is your opinion about SID duplication?

      0
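      A defender-side check for the situation discussed above, added here as an example and not part of the original post or of Russinovich's article: a PowerShell script that derives each host's machine SID from its built-in Administrator account (RID 500) and reports hosts that share one, which is what you get after cloning without Sysprep. It assumes PowerShell 5.1+ and WinRM access to the hosts; the host names are placeholders.

```powershell
# Added example: find machines that share a machine SID (cloned without Sysprep).
# Assumes PowerShell 5.1+ (Get-LocalUser) and WinRM access; host names are placeholders.

# Runs on each target. The machine SID is any local account's SID minus its RID;
# the built-in Administrator (RID 500) always exists, even if renamed or disabled.
$getMachineSid = {
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } | Select-Object -First 1
    if (-not $admin) { throw "No local account with RID 500 found on $env:COMPUTERNAME" }
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        MachineSid = $admin.SID.AccountDomainSid.Value   # S-1-5-21-X-Y-Z with the RID stripped
    }
}

# Collects the machine SID from every host and returns one object per SID that is
# shared by more than one host. An empty result means no duplicates were found.
function Find-DuplicateMachineSid {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Hosts that are unreachable are reported as errors but do not abort the scan.
    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $getMachineSid -ErrorAction Continue

    $results |
        Group-Object -Property MachineSid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Hosts      = ($_.Group.Computer | Sort-Object) -join ', '
            }
        }
}

# Usage with placeholder host names; run '& $getMachineSid' to see the local machine SID only.
Find-DuplicateMachineSid -ComputerName 'VM-TEMPLATE-01', 'VM-CLONE-02', 'VM-CLONE-03' | Format-Table -AutoSize
```

      As the quoted article explains, a shared machine SID is not by itself an authentication hole, so the output is an inventory hygiene finding rather than an incident.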
    • #1554694
      Steven
      Participant
      Post count: 21
      Member Points: 653
      Rank: Level 2

      May I ask, why would you have machines with the same SID in your network? I am curious because I have never experienced that, so I do not know the real impact it would cause.

      0
      • #1554696
        Leos Marek
        Moderator
        Post count: 133
        Member Points: 6,405
        Rank: Level 3

        It's quite common when you deploy machines from a template or do a disk clone. If you don't do Sysprep, you have the same SID. :)

        1+

    • #1554695
      Paolo Maffezzoli
      Participant
      Post count: 398
      Member Points: 38,045
      4sysops member of the year 2018, Member of the Year 2019
      Rank: Level 4

      I’ve quite often seen a VM or physical computer cloned without running Sysprep. In some cases the clone was made with a cloning tool and the result is an identical copy, including the SID.

      0
    • #1554697
      Michael Pietroforte
      Keymaster
      Post count: 1852
      Member Points: 23,714
      Author of the year 2018
      Rank: Level 4

      I still remember when we first started cloning it was very unusual because everyone was working with unattended installation. I think the tool we used was Ghost, which was later bought by Symantec, and we cloned Windows NT machines with it.

      Later, when Microsoft became aware of cloning tools they warned against using them, telling everyone that unattended installations are a better technology. I guess the reason why they didn’t want admins to clone machines was the SID problem. We did it anyway because it was a lot faster than installing Windows. We never had any problems with SIDs.

      Later, Microsoft introduced sysprep because more and more admins figured that cloning was the way to go. Nowadays, I wouldn’t clone without sysprep. If problems come up, you always wonder if cloning caused it. Better follow the standard procedure if there is no significant advantage.

      0
      • #1554698
        Leos Marek
        Moderator
        Post count: 133
        Member Points: 6,405
        Rank: Level 3

        Yes Ghost was a very popular tool.

        0
    • #1554699
      Paolo Maffezzoli
      Participant
      Post count: 398
      Member Points: 38,045
      4sysops member of the year 2018, Member of the Year 2019
      Rank: Level 4

      Me too, I used the Ghost tool in the past without getting any issues on the network. Cloning a VM without Sysprep is not usual in an enterprise environment, but it can happen. But I realize that SID duplication is a controversial topic for Microsoft.

      0
    • #1554701
      Leos Marek
      Moderator
      Post count: 133
      Member Points: 6,405
      Rank: Level 3

      In one of the companies I worked for recently they used to deploy VM templates without sysprep and there was never ever any issue… hehe

      0
    • #1554742
      Paolo Maffezzoli
      Participant
      Post count: 398
      Member Points: 38,045
      4sysops member of the year 2018, Member of the Year 2019
      Rank: Level 4

      Sometimes in the real world duplication does not cause problems, but there are cases in which it can give problems and I think it is always better to avoid generating potential problems even if there is a possibility that something may go wrong.

      0
    • #1554743
      Paolo Maffezzoli
      Participant
      Post count: 398
      Member Points: 38,045
      4sysops member of the year 2018, Member of the Year 2019
      Rank: Level 4

      BTW, digging in the Microsoft KB, another article to read about SID duplication is Machine SIDs and Domain SIDs by Aaron Margosis (Microsoft).

      0
© 4sysops 2006 - 2020