Understanding Service SIDs

Service SIDs are of the form S-1-5-80-{SHA-1 hash of the short service name} (the 20-byte hash supplies five 32-bit sub-authorities) and complement the existing set of user, group, machine, and special SIDs used by previous versions of Windows. Because the SID is derived from the service name alone, a given service has the same SID on every machine. A service SID is a secondary (group) SID that the SCM adds to the SID list of the service process token when it starts the service. The primary user SID of that token is still the built-in identity (LocalService, NetworkService, or LocalSystem) under which the service runs.

To have a service SID added to its token, the service must first opt in. The opt-in is normally configured by the operating system or by the application that installs the service, and the SCM applies it each time the service starts. Administrators can manually opt in user-mode services by using the sc sidtype command, which sets the service SID type to RESTRICTED, UNRESTRICTED, or NONE. For example, sc sidtype service_name restricted adds the service SID to the service process token and also makes that token write-restricted: a write is allowed only if the object's ACL grants it to one of the token's restricting SIDs (the service SID, Everyone, or WRITE RESTRICTED), so any registry key or other object the service needs to write to must explicitly grant write access to the service SID. Read access is not affected by the restriction. On the other hand, sc sidtype service_name unrestricted adds the service SID as an ordinary group SID, so access checks against ACEs that grant the service SID succeed without any further restriction on the token. Finally, sc sidtype service_name none adds no service SID to the token. For more information, type sc sidtype ? at a command prompt.

Note To query the SID type of a service, use sc qsidtype service_name. To display the service SID itself, use sc showsid service_name, which works whether or not the service is installed.

Some services in Windows Vista and later versions ship out of the box as UNRESTRICTED, and most of them will fail to start if changed to RESTRICTED, because the write-restricted token denies writes they depend on. Third-party applications, such as antivirus software, can be designed to opt in to service SIDs and to run as either RESTRICTED or UNRESTRICTED. If the local administrator changes an existing service's SID type from NONE to UNRESTRICTED, the service simply gains its SID, and this is unlikely to cause any regression or issue with the service. (A SID type of UNRESTRICTED is sufficient for network traffic filtering.)
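As an added example (not from the original page), the following PowerShell script derives a service SID from the service name, cross-checks the result against what sc showsid reports, opts the service in as RESTRICTED, and then grants the derived SID explicit write access on a registry key so the write-restricted token can still write there. The service name ExampleSvc, the key HKLM:\SOFTWARE\ExampleSvc, and the helper names Get-ServiceSid and Test-ServiceSidMatchesScm are placeholders chosen for illustration; the derivation (SHA-1 over the upper-cased UTF-16LE service name, read as five little-endian 32-bit sub-authorities) is what the cross-check against the SCM confirms.

```powershell
# Added example, not code from the original page. 'ExampleSvc' and
# HKLM:\SOFTWARE\ExampleSvc are hypothetical placeholders; substitute your own
# service and the key it writes to. Run from an elevated PowerShell prompt,
# because sc.exe sidtype and Set-Acl on HKLM need administrator rights.

function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    # The SCM hashes the upper-cased service name, encoded as UTF-16LE, with
    # SHA-1 and reads the 20-byte digest as five little-endian 32-bit
    # sub-authorities appended to S-1-5-80. Service names are case-insensitive,
    # hence the upper-casing.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    try     { $hash = $sha1.ComputeHash($bytes) }
    finally { $sha1.Dispose() }
    $subs = foreach ($i in 0..4) { [System.BitConverter]::ToUInt32($hash, $i * 4) }
    return 'S-1-5-80-' + ($subs -join '-')
}

function Test-ServiceSidMatchesScm {
    param([Parameter(Mandatory)][string]$ServiceName)
    # sc showsid reports the SID for any name, installed or not, so it is a
    # convenient oracle for the derivation above.
    $line     = sc.exe showsid $ServiceName | Select-String 'SERVICE SID:'
    $reported = [regex]::Match($line.Line, 'S-1-5-80(-\d+){5}').Value
    return $reported -eq (Get-ServiceSid $ServiceName)
}

$svc = 'ExampleSvc'
$sid = Get-ServiceSid $svc
"Computed service SID for $svc : $sid"
"Matches sc showsid: $(Test-ServiceSidMatchesScm $svc)"

# Opt the service in with a write-restricted token and confirm the setting.
# Most in-box services will not start as RESTRICTED; try this on a service
# you control.
sc.exe sidtype $svc restricted
sc.exe qsidtype $svc

# A write-restricted token can only write where one of its restricting SIDs
# is granted write access, so grant the service SID explicit rights on the key
# the service must modify. Reads are not affected by the restriction.
$key = 'HKLM:\SOFTWARE\ExampleSvc'
New-Item -Path $key -Force | Out-Null
$acl    = Get-Acl -Path $key
$ident  = New-Object System.Security.Principal.SecurityIdentifier($sid)
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
    $ident, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $key -AclObject $acl

# Verify the ACE landed. Once the service exists, the identity resolves to
# NT SERVICE\<name>; otherwise it is shown as the raw SID.
(Get-Acl -Path $key).Access |
    Where-Object { $_.IdentityReference.Value -eq $sid -or $_.IdentityReference.Value -eq "NT SERVICE\$svc" }
```

The change takes effect the next time the service starts. To back it out, run sc.exe sidtype ExampleSvc none (or unrestricted); note that the ACE you added stays on the key until you remove it, which is harmless but worth tracking in a hardening baseline.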

Note In a process that hosts several services (for example, a shared svchost.exe instance), the service SIDs of all services configured for that process are always present in the process token. Only the SIDs of running services are enabled; the SIDs of services that are not running are present but in a disabled state. The Windows Filtering Platform, however, treats all of those SIDs as active regardless of whether a SID is disabled, so a firewall rule scoped to a service can match traffic from the shared process even while that particular service is stopped.
