Final: Windows Security

Question 1

What is a SID?

Answer 1

Security Identifiers (SIDs)
- a numeric value that the OS uses to uniquely identify each user, group and computer
EX:
-S-1-5-21-1755044629-3020680732-3373738565-1287

Question 2

What is a RID?

Answer 2

Relative identifier (RID)
- RIDs uniquely distinguish one
user or group from another
EX:
- S-1-5-21-1755044629-3020680732-3373738565-1287
(Last 4 digits of the SID)

Question 3

How can I view the SID of the current user?

Answer 3

whoami /all

Question 4

Authority value for Null Authority

Answer 4

0
EX:
S-1-0-21-1755044629-3020680732-3373738565-1287

Question 5

Authority value for World Authority

Answer 5

1
EX:
S-1-1-21-1755044629-3020680732-3373738565-1287

Question 6

Authority value for Local Authority

Answer 6

2
EX:
S-1-2

Question 7

Authority value for Creator Authority

Answer 7

3
EX:
S-1-3

Question 8

Authority value for Non-Unique Authority

Answer 8

4
EX:
S-1-4-21-1755044629-3020680732-3373738565-1287

Question 9

Authority value for NT Authority

Answer 9

5
EX:
S-1-5
S-1-5-19

Question 10

Authority value for Resource Manager Authority

Answer 10

9
EX:
S-1-9-21-1755044629-3020680732-3373738565-1287

Question 11

Where are SIDs stored?

Answer 11

HKLM\SAM\SAM\Domains\Account

Question 12

When is a SID created?

Answer 12

At creation of that account

Question 13

How long do SIDs last?

Answer 13

For the life of the account

Question 14

Can a SID be reused?

Answer 14

No, each one will always be unique to that local computer or domain
One Use

Question 15

What is an Authority value in a SID?

Answer 15

the highest level of authority that can issue SIDs for a particular type of security principal

Question 16

What are the 5 components of a SID?

Answer 16

1) SID string indicator
2) revision level
3) Authority value
4) Sub-authority value
5) RID value

Question 17

Are RIDs ever reused?

Answer 17

No, not even after deletion of an account from that system

Question 18

Where are RIDs stored?

Answer 18

HKLM\SAM\SAM\Domains\Account

Question 19

Where to find next RID to be used?

Answer 19

in HKLM\SAM\SAM\Domains\Account, under the “F” value

Question 20

What is the RID for the built-in local administrator?

Answer 20

500

Question 21

What is the RID for the built in local guest?

Answer 21

501

Question 22

What is the domain admins group RID?

Answer 22

512

Question 23

What is the domain users group RID?

Answer 23

513

Question 24

What is the domain guest group RID?

Answer 24

514

Question 25

What is the RID of the built-in admins group?

Answer 25

544

Question 26

How do I get all the SIDs of the users on a system?

Answer 26

Get-CimInstance Win32_UserAccount | Select-Object Name,SID

Question 27

what is a user token?

Answer 27

(aka: access token, security token)
Value created at logon for a user, remains until session is closed. Contains user sid, sid of groups, & privileges. Cannot be modified.

Question 28

Can a token be modified?

Answer 28

No

Question 29

How long is a token active?

Answer 29

remains active for the duration of the user’s logon session

Question 30

If user has a privilege change, when will that reflect their token?

Answer 30

After next logon, when their new token is created

Question 31

What does the user token contain?

Answer 31

• The user’s SID
• The SIDs of any groups of which the user is a member
• The user’s privilege array

Question 32

What is a privilege array?

Answer 32

contains any privileges that have been granted to the user.
Privileges define a user’s rights on the system and are enforced by the specific
subsystem the privilege affects

Question 33

What is a privilege?

Answer 33

permission to perform an action

Question 34

Why would a user have a large access token?

Answer 34

The number of privileges that have been granted to a user affects the logical size of the user’s access token. The greater the number of privileges a user has, the larger the access token

Question 35

What does SeBackupPrivilege do?

Answer 35

Allows the user to perform backups to files and folder

Question 36

What does SeCreateTokenPrivilege do?

Answer 36

Permits the creation of a token

Question 37

What does SeImpersonatePrivilege do?

Answer 37

Allows the user to impersonate another user after logon

Question 37

What does SeDebugPrivilege do?

Answer 37

Required when running debugger programs

Question 38

What does SeLoadDriverPrivilege do?

Answer 38

Allows the user to load and unload device drivers

Question 39

What does SeRestorePrivilege do?

Answer 39

Allows the user to restore files and directories

Question 40

What does SeTakeOwnershipPrivilege do?

Answer 40

Permits the user to take ownership of files and other objects (grants the user the WRITE_DACL permission)

Question 41

What does SeTcbPrivilege do?

Answer 41

Allows the user, or process/thread running in the context of the user, to act as part of the OS

Question 42

What invokes the object access process?

Answer 42

User requests a specific type of access to an object, such as requesting to open a file with write access.