Windows admin notes
Some fragmented windows-related notes (mostly admin stuff)
SIDs
Security IDentifiers (SIDs) identify users, groups, accounts, and also domains themselves.
...not usernames, though SIDs are usually shown as names whenever possible.
This allows everyone within a domain to have a unique identity. Note that uniqueness is only guaranteed within a domain (and, since Win2000, within a forest).
Windows installations that are not part of a domain generate their own SIDs when new accounts are created (seemingly randomly, so even two different Windows installations on the same computer will generate different SIDs).
A SID is a variable-length identifier. It must contain:
- a top-level identifier authority, and
- one or more relative identifiers (RIDs) (up to eight? (verify))
RIDs allow you to
- refer to things in the context of the issuer,
- refer to things in the context of the RIDs that come before.
RIDs are 32-bit integers, and may be stored as such in the structs in memory that represent SIDs.
SIDs are often shown as strings, in which the RIDs are shown in radix 10.
Here are some of the more interesting RIDs. Note that most things without domain identifiers are virtual groups: placeholders that a given user either matches or doesn't.
- S-1-5 is the 'NT authority', which contains
- A good number of system-related and useful pre-defined SIDs (a number of which are placeholders). Includes 'Administrators' group, Guest user, guest group, network/dialup logins, interactive logins, anonymous logins, print/backup/duplication operators, and also references to the SIDs of domain members/clients, and domain controllers. Some of the more interesting ones:
- S-1-5-32-544: 'Administrators' group
- S-1-5-32-545: 'Users' group
- Domain SIDs (RIDs under S-1-5-21 -- or more? possibly up to S-1-5-31? (verify)), currently 96-bit numbers (3 RIDs), e.g. S-1-5-21-3082338359-1506123309-1605093288
- User accounts in a domain, e.g. S-1-5-21-3082338359-1506123309-1605093288-3008
- Pre-set users per domain, like S-1-5-domain-500: domain's Administrator - you can identify the administrator by that 500 even if the name has been changed.
Other notes conflict, stating that domain SIDs are S-1-5-5-X-Y, where X is the 'domain RID' and S-1-5-5-X the domain SID, and Y is a number that helps domains with multiple PDCs work. TODO: figure that out.
- S-1-0 is the 'null authority'
- mostly for S-1-0-0, 'Nobody'
- S-1-1 is the 'world authority'
- mostly for S-1-1-0, 'Everybody', a.k.a. 'World'
- S-1-2 is the 'local authority'
- mostly for S-1-2-0, 'Local'
- S-1-3 is the 'creator authority', placeholders that qualify the actual creator:
- S-1-3-0: creator user
- S-1-3-1: creator group
- (S-1-3-2: creator owner server, S-1-3-3: creator group server; obsolete? (verify))
Less used are:
- S-1-4 is the 'non-unique authority'
- S-1-9 is the 'resource manager authority'
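An added example, not part of these notes: it parses the binary SID layout described above (revision, RID count, 48-bit authority, 32-bit RIDs) into the usual S-1-... string and back, and names a few of the well-known SIDs listed here by their RIDs; the byte layout is the Windows SID struct, the name table and the 15-RID maximum are assumptions stated in the comments.

```python
import struct
# Binary layout of a SID (the in-memory struct the notes mention):
#   byte 0: Revision (always 1); byte 1: SubAuthorityCount (RIDs, at most 15)
#   bytes 2-7: IdentifierAuthority, 48-bit big-endian (5 = NT authority)
#   rest: SubAuthorityCount x 32-bit little-endian RIDs
def sid_to_string(raw: bytes) -> str:
    """Render a binary SID as the usual S-1-5-... string (RIDs in decimal)."""
    if len(raw) < 8 or raw[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    rids = struct.unpack("<%dI" % count, raw[8:])
    return "S-1-%d" % authority + "".join("-%d" % r for r in rids)

def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; rejects malformed strings instead of guessing."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority, rids = int(parts[2]), [int(p) for p in parts[3:]]
    if len(rids) > 15 or any(not 0 <= r < 2**32 for r in rids):
        raise ValueError("bad RID list")
    return (bytes([1, len(rids)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(rids), *rids))

# Names for the well-known SIDs listed in the notes above (assumed table).
NAMED = {
    "S-1-0-0": "Nobody", "S-1-1-0": "Everyone", "S-1-2-0": "Local",
    "S-1-3-0": "Creator Owner", "S-1-3-1": "Creator Group",
    "S-1-5-32-544": "Administrators (built-in group)",
    "S-1-5-32-545": "Users (built-in group)",
}

def describe(sid: str) -> str:
    """Name a SID; for domain accounts use the RID, which survives a rename."""
    if sid in NAMED:
        return NAMED[sid]
    parts = sid.split("-")
    # Domain SIDs are S-1-5-21-X-Y-Z; one more RID names an account in that domain.
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) in (7, 8):
        domain = "-".join(parts[:7])
        if len(parts) == 7:
            return "domain " + domain
        if parts[7] == "500":  # RID 500 is the domain's Administrator, whatever its name
            return "Administrator of domain " + domain
        return "account RID %s in domain %s" % (parts[7], domain)
    return "unknown SID " + sid
```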
See also:
- http://support.microsoft.com/kb/243330
- http://msdn2.microsoft.com/en-us/library/aa379650.aspx
- https://system32.eventsentry.com/codes/field/Well-known%20Security%20Identifiers%20(SIDs)
Windows connection limits
Errors like:
- (EventID 4226) TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
- (EventID 2022) The server was unable to find a free connection number times in the last number seconds.
...seen in the Event Log (System log).
The cause is one of various windows limits:
- total inbound connections (any state?(verify))
- 5 per second for WinXP home
- 10 per second for WinXP pro, NT workstation
These are mostly fixed settings, baked into the drivers of specific Windows variants.
Rate-limited connection attempts go into a queue that is drained at that rate. If your real usage is above this limit, e.g. a file server with more clients than that, then these limits can make the host's services (and the host in general) seem unresponsive or drop out spuriously, as the queueing is likely to trigger one of various TCP timeouts on the client side of a connection to this host.
Things that run into such limits:
- port scanners (and some other security tools)
- malware
- basic personal file sharing on a medium-size network
- peer to peer networking, most commonly peer to peer file exchange
- on occasion, personal security tools (e.g. firewalls)
The outgoing limit seems to be justified by MS as a way of slowing the spread of malware. That seems like relative nonsense, since the spread will be exponential regardless of any local limit, and the user isn't actually notified, so the machine will likely stay infected long enough to play a real part in such distribution.
That said, there are other, sensible reasons for this limit.
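An added example, not from these notes: detection logic that scans System-log lines for the two events described above (4226 and 2022), counts them per host, and lists the hosts that keep hitting the outbound limit. The log lines and their "timestamp host EventID=n message" layout are constructed for the example, not a real Event Log export format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simple "timestamp host EventID=n message" layout
# (not a real Event Log export format; the real source is the System log).
SAMPLE_LOG = """\
2023-03-01T10:00:01 WS01 EventID=4226 TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
2023-03-01T10:00:03 WS01 EventID=4226 TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
2023-03-01T10:00:09 WS01 EventID=4226 TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
2023-03-01T10:01:00 FS01 EventID=2022 The server was unable to find a free connection 12 times in the last 60 seconds.
2023-03-01T10:02:00 WS02 EventID=7036 The Print Spooler service entered the running state.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<id>\d+) (?P<msg>.*)$")

# The two events the notes describe; anything else (e.g. the 7036 noise line) is ignored.
LIMIT_EVENTS = {
    4226: "concurrent TCP connect-attempt limit reached (outbound)",
    2022: "server could not find a free connection (inbound)",
}

def count_limit_events(log_text):
    """Return {host: {event_id: count}} for the connection-limit events only."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the layout rather than guessing
        event_id = int(m.group("id"))
        if event_id in LIMIT_EVENTS:
            hits[m.group("host")][event_id] += 1
    return {host: dict(c) for host, c in hits.items()}

def hosts_to_investigate(log_text, threshold=3):
    """Hosts logging 4226 at least `threshold` times: per the notes, the usual
    causes are P2P clients, scanners, malware, or simply a host serving more
    clients than its edition's limit allows."""
    counts = count_limit_events(log_text)
    return sorted(h for h, c in counts.items() if c.get(4226, 0) >= threshold)
```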
See also:
- http://support.microsoft.com/kb/961654
- http://support.microsoft.com/kb/122920
- http://support.microsoft.com/kb/314882
- http://research.eeye.com/html/tools/RT20060808-1.html
- http://www.mydigitallife.info/2007/07/17/tcpip-has-reached-the-security-limit-imposed-on-the-number-of-concurrent-tcp-connect-attempts-error-on-windows-vista/
- http://support.microsoft.com/kb/822219
Software Protection Service
Home, Work, Public, Private, Domain networks
The distinction between Public, Work, and Private seems mostly used by the Windows firewall.
The distinction seems to be about:
- network discovery and file sharing
- firewall rules, which can choose to apply only in domain, private, and/or public situations.
Firewall:
The Windows firewall itself distinguishes profiles:
- Domain - if joined to a domain, and currently on its network
- (if not joined to a domain, we can only be either private or public)
- as restrictive as this domain's admins want it to be, for security / functionality
- Private - on a network not associated with the account
- an environment better known than a public one
- e.g. your home network
- e.g. a domain we know but are not currently joined to (you can be member of one at a time)
- e.g. discoverability and sharing are enabled
- Public - connected to an unknown network
- generally most restrictive, because these are unknown environments
- e.g. discoverability and sharing are disabled
Profiles:
Discovery and file sharing settings can be set per such profile (see "Advanced sharing settings"), and by default are:
- Private allows discoverability, and enables homegroup for file sharing
- Work counts as a variant of private, which allows discoverability but not homegroup sharing
- Public does not allow either
See also:
- https://www.howtogeek.com/245982/whats-the-difference-between-private-and-public-networks-in-windows/
- http://www.thewindowsclub.com/network-location-public-private