- Fri, Jan 24 2020 at 3:49 am #1554693
I have always considered Sysprep a must for a lot of reasons, but I still think about what Mark Russinovich (note: the NewSID creator) wrote in the article “The Machine SID Duplication Myth (and Why Sysprep Matters)”.
In particular, the SID Duplication paragraph is the point to understand: he considers SID duplication not a critical issue.
The reason that Microsoft doesn’t support systems modified in this way is that, unlike Sysprep, these tools don’t necessarily know about all the places where Windows stashes away references to the machine SID. The reliability and security of a system that has a mix of the old and new machine SID can’t be guaranteed.
So is having multiple computers with the same machine SID a problem? The only way it would be is if Windows ever references the machine SIDs of other computers. For example, if when you connected to a remote system, the local machine SID was transmitted to the remote one and used in permissions checks, duplicate SIDs would pose a security problem because the remote system wouldn’t be able to distinguish the SID of the inbound remote account from a local account with the same SID (where the SIDs of both accounts have the same machine SID as their base and the same RID). However as we reviewed, Windows doesn’t allow you to authenticate to another computer using an account known only to the local computer. Instead, you have to specify credentials for either an account local to the remote system or to a Domain account for a Domain the remote computer trusts. The remote computer retrieves the SIDs for a local account from its own Security Accounts Database (SAM) and for a Domain account from the Active Directory database on a Domain Controller (DC). The remote computer never references the machine SID of the connecting computer.
And the conclusion …
In other words, it’s not the SID that ultimately gates access to a computer, but an account’s user name and password: simply knowing the SID of an account on a remote system doesn’t allow you access to the computer or any resources on it.
What is your opinion about SID duplication?
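One practical way to find out whether clones with a duplicated machine SID exist in a fleet is to read the account-domain part (S-1-5-21-X-Y-Z) of a local account SID on each host and group hosts by it. The script below is an added example, not code from this thread or from Microsoft; it assumes WinRM is enabled on the target hosts and that the hostnames in `$ComputerName` are reachable with the caller's credentials.

```powershell
# Added example: report machines that share the same machine SID.
# The machine SID is the account-domain prefix of every local account SID.
# The built-in Administrator always has RID 500, even when renamed, so it is
# a reliable anchor for deriving the machine SID on any host.
function Get-MachineSidProbe {
    # Script block that runs on each remote host and returns a small record.
    return {
        $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
        if (-not $admin) { throw "Built-in Administrator (RID 500) not found on $env:COMPUTERNAME" }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MachineSid   = $admin.SID.AccountDomainSid.Value   # S-1-5-21-X-Y-Z
        }
    }
}

function Find-DuplicateMachineSid {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName   # assumed list of hostnames, e.g. from AD or an inventory
    )

    # Collect one record per host; unreachable hosts are reported and skipped.
    $records = Invoke-Command -ComputerName $ComputerName `
                              -ScriptBlock (Get-MachineSidProbe) `
                              -ErrorAction Continue

    # Any machine SID seen on more than one host indicates a clone that was
    # never sysprepped (or NewSID-style tooling that missed some references).
    $records |
        Group-Object -Property MachineSid |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                MachineSid = $_.Name
                Count      = $_.Count
                Computers  = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

# Usage (hostnames are placeholders for your own inventory):
# Find-DuplicateMachineSid -ComputerName 'WS01', 'WS02', 'WS03' | Format-Table -AutoSize
```

The machine SID is distinct from a domain-joined computer's account SID in Active Directory, which the domain controller issues and which is unique even for un-sysprepped clones; this check looks only at the local SID that Sysprep regenerates.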
- Fri, Jan 24 2020 at 5:19 am #1554694 Steven (Participant)
May I ask why you would have machines with the same SID in your network? I am curious because I have never experienced that, so I do not know the real impact it would cause.
- Fri, Jan 24 2020 at 5:47 am #1554696
- Fri, Jan 24 2020 at 5:27 am #1554695
I’ve quite often seen a VM or physical computer cloned without running sysprep. In some cases a clone has been made with a cloning tool and the result is an identical copy, including the SID.
- Fri, Jan 24 2020 at 5:53 am #1554697 Michael Pietroforte (Keymaster)
I still remember when we first started cloning; it was very unusual because everyone was working with unattended installation. I think the tool we used was Ghost, which was later bought by Symantec, and we cloned Windows NT machines with it.
Later, when Microsoft became aware of cloning tools, they warned against using them, telling everyone that unattended installation is a better technology. I guess the reason why they didn’t want admins to clone machines was the SID problem. We did it anyway because it was a lot faster than installing Windows. We never had any problems with SIDs.
Later, Microsoft introduced sysprep because more and more admins figured that cloning was the way to go. Nowadays, I wouldn’t clone without sysprep. If problems come up, you always wonder if cloning caused them. Better follow the standard procedure if there is no significant advantage.
- Fri, Jan 24 2020 at 5:56 am #1554698
Yes, Ghost was a very popular tool.
- Fri, Jan 24 2020 at 6:21 am #1554699
Me too, I used the Ghost tool in the past without getting any issues on the network. Cloning VMs without sysprep is not usual in enterprise environments, but it can happen. But I realize that SID duplication is a controversial topic for Microsoft.
- Sat, Jan 25 2020 at 10:29 am #1554701
In one of the companies I worked for recently they used to deploy VM templates without sysprep and there was never ever any issue… hehe
- Mon, Jan 27 2020 at 4:28 am #1554742
Sometimes in the real world duplication does not cause problems, but there are cases in which it can cause problems, and I think it is always better to avoid generating potential problems even if there is only a possibility that something may go wrong.
- Mon, Jan 27 2020 at 4:30 am #1554743