WhoamI? An introduction to Windows NT Security

[Maestr0]

This is a quick tut for the NT noob who wants to start at the ground floor.

An introduction to Windows NT Security
Part I: Security Principals & Access Tokens

First of all what is a security principal? Well, in the Windows NT operating system line, a security principal is how the system organizes and identifies computers, groups and accounts and are the building block of Windows security. Usually these principals are referred to by their name, or Universal Principal Name(UPN), the operating system however uses a different method which will be discussed here. In this tutorial the console command utility “WHOAMI.EXE” will be used to examine security principals close up. (Whoami is available from Microsoft here ).Whoami is similar to its Unix counterpart but has added functionality for the NT environment, it will display some of the information from the “access token” that was assigned to the current user account at log in. For a complete list of options enter “whoami /HELP” at a command prompt. Here is an example of whoami output using the “/ALL” option:
[User] = "WIN2KBOX\Administrator" S-1-5-21-1960408961-842925246-854245398-500

[Group 1] = "WIN2KBOX\None" S-1-5-21-1960408961-842925246-854245398-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\Administrators" S-1-5-32-544
[Group 4] = "BUILTIN\Users" S-1-5-32-545
[Group 5] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
[Group 6] = "NT AUTHORITY\Authenticated Users" S-1-5-11
[Group 7] = "LOCAL" S-1-2-0


(X) SeChangeNotifyPrivilege = Bypass traverse checking
(O) SeSecurityPrivilege = Manage auditing and security log
(O) SeBackupPrivilege = Back up files and directories
(O) SeRestorePrivilege = Restore files and directories
(O) SeSystemtimePrivilege = Change the system time
(O) SeShutdownPrivilege = Shut down the system
(O) SeRemoteShutdownPrivilege = Force shutdown from a remote system
(O) SeTakeOwnershipPrivilege = Take ownership of files or other objects
(O) SeDebugPrivilege = Debug programs
(O) SeSystemEnvironmentPrivilege = Modify firmware environment values
(O) SeSystemProfilePrivilege = Profile system performance
(O) SeProfileSingleProcessPrivilege = Profile single process
(O) SeIncreaseBasePriorityPrivilege = Increase scheduling priority
(X) SeLoadDriverPrivilege = Load and unload device drivers
(O) SeCreatePagefilePrivilege = Create a pagefile
(O) SeIncreaseQuotaPrivilege = Increase quotas
(X) SeUndockPrivilege = Remove computer from docking station
(X) SeImpersonatePrivilege = Impersonate a client after authentication
(X) SeCreateGlobalPrivilege = Create global objects


This access token is created whenever a user successfully logs on and is attached to all threads and processes initiated by the user. The system can then use this token to determine what authority the user has when attempting to perform any operations. Lets take a look at each part of the access token. Here is the first part of the acess token:

[User] = "WIN2KBOX\Administrator" S-1-5-21-1960408961-842925246-854245398-500

The first field is the principal account, in this case a user (administrator). The second part is the UPN followed by a third, the Security Identifier or SID, which the system uses internally to reference the principal. A SID is actually a combination of four parts used to uniquely identify the account and is issued either by the local authority or the domain authority depending on whether the account is local or belongs to a domain, the SID for a security principal is created by combining the domain identifier with the relative identifier of the account. Before we go any further lets take a closer look at SIDs. The first value in a SID is the revision. In the above example the revision number is 1 which is the current revision in use by Windows NT,2000 and Windows XP. The second value is the identifier authority. The identifier authority is the highest level of authority which is able to create a SID for this type of principal, in this example '5', which stands for the NT Authority. The next value can be one or more additional subauthorities, which make up the domain identifier in a SID. The domain identifier is associated with a domain and the final value is the relative identifier or RID, this identifier is associated with an account or group within the domain(or locally if its a local account). Here that value is 500 which is the administrator.
The next part of our access token is the groups we are in and have attached their SIDs to our access token. There are many lists available for Well-Known SIDs which are default accounts or groups created during install, these include guest accounts and many others. You can find these Well-Known SID’s as well as other identifiers here . The final section is a list of rights granted to the account or granted by group membership.That's all for this one, hope someone enjoys.

-Maestr0

[manicchester]

Thanks for the info....I certainly don't mind hearing some more information about NT since I haven't really used it much...

[AZL]

Here is an example of whoami output using the “/ALL” option:
[User] = "WIN2KBOX\Administrator" S-1-5-21-1960408961-842925246-854245398-500

sounds interesting, but looks like result in linux is "more readable" than windows.