The SID debate: To Sysprep or not to Sysprep
The conventional wisdom is that third-party tools leave duplicate SIDs across PCs that create serious security holes. The conventional wisdom is wrong.
Anyone in IT who sets up computers knows Sysprep, which strips the computer-specific information from a base system before cloning or imaging (duplicating) that system. That way, you can create a customized image to use over and over again. Although Microsoft does not provide support for computers set up with tools other than Sysprep, the reality is that many system administrators don't use it, because of the difficulty of working with an answer file. The answer file is required to respond to the machine-specific questions that arise when the imaged PC is booted and its individual attributes need to be loaded.
Instead, admins often choose third-party prep tools that work with their imaging product. For example, if you use Symantec's Norton Ghost to image your PCs, you'd likely use Symantec's Ghost Walker to change the SID and prep the machine for imaging.
But these third-party applications will change the SID in most -- but not all -- locations, because they don't know everywhere the SIDs are buried in the OS. The result is a PC with two SIDs: one that's unique to that PC, and another that's shared by every PC built from the same image (the SID from the default image that didn't get changed on each clone). That explains why Microsoft's support extends only to PCs imaged with its own Sysprep tool.
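One place the old SID commonly survives is the user-profile registry, because every profile is registered under its account SID and a clone's local profiles were created under the image's machine SID. The following PowerShell audit is an added example (not code from the article or from any imaging vendor): it derives the live machine SID from the built-in RID-500 account, lists the SID prefixes that actually appear in ProfileList, and reports any prefix that is neither the machine SID nor a domain SID you pass in. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the function names and the `-KnownDomainSids` parameter are my own.

```powershell
# Added example, not from the article: audit one Windows PC for SIDs left over
# from a cloned image. Assumes Windows PowerShell 5.1+ (Get-LocalUser available).

function Get-MachineSid {
    # The built-in Administrator account always carries RID 500. Its AccountDomainSid
    # is the machine SID, i.e. the S-1-5-21-X-Y-Z prefix without the trailing RID.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'No RID-500 local account found; cannot derive the machine SID.' }
    return $admin.SID.AccountDomainSid.Value
}

function Get-ProfileSidPrefixes {
    # Each user profile is registered under ProfileList in a subkey named after the
    # account SID. Stripping the RID gives the issuing authority: this machine, an AD
    # domain, or (if the clone was not fully re-SIDed) the machine SID of the image.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -like 'S-1-5-21-*' } |   # skip well-known SIDs (S-1-5-18/19/20)
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_)
            [pscustomobject]@{ AccountSid = $_; Prefix = $sid.AccountDomainSid.Value }
        }
}

function Find-UnexpectedSidPrefixes {
    param(
        [Parameter(Mandatory)] [string]   $MachineSid,
        # SIDs of AD domains this PC has profiles from, if any (hypothetical parameter).
        [string[]] $KnownDomainSids = @()
    )
    $expected = @($MachineSid) + $KnownDomainSids
    Get-ProfileSidPrefixes |
        Where-Object { $expected -notcontains $_.Prefix } |
        Group-Object -Property Prefix |
        ForEach-Object {
            [pscustomobject]@{
                UnexpectedPrefix = $_.Name
                ProfileCount     = $_.Count
                Accounts         = ($_.Group.AccountSid -join ', ')
            }
        }
}

# Usage: compare the live machine SID against the prefixes actually present.
$machineSid = Get-MachineSid
Write-Host "Machine SID: $machineSid"
$leftovers = Find-UnexpectedSidPrefixes -MachineSid $machineSid
if ($leftovers) {
    Write-Host 'Profile SID prefixes that match neither this machine nor a known domain:'
    $leftovers | Format-Table -AutoSize
} else {
    Write-Host 'All profile SIDs belong to this machine or a known domain.'
}
```

On a domain member, pass the domain SID explicitly (for instance `-KnownDomainSids (Get-ADDomain).DomainSID.Value` where the RSAT ActiveDirectory module is installed) so domain profiles are not flagged. A prefix that shows up as unexpected tells you the re-SID tool missed the profile entries and the image's machine SID is still on the box; in line with the article's argument, that is an inventory finding about incomplete preparation rather than evidence of an exploitable hole.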
But is having multiple PCs with the same SID really a problem?
An experienced administrator will say "absolutely!" and describe all sorts of scenarios in which the existence of two systems with the same SID could create a black hole that swallows up the planet. They've taken on faith what we all have accepted for years: Duplicate SIDs are the highest form of evil.
Even Mark Russinovich, a software engineer and author who works for Microsoft as a technical fellow, believed that multiple machines with the same SID on the same network would pose a security risk. In fact, he created a tool in 1997 called NewSID (aka NTSID) that fixed the problem post-imaging. If you had a cloned or imaged system and needed to change the SID, you would run the NewSID tool and save yourself from security breaches of epic proportions.
But oddly, NewSID has been retired. Certainly, Russinovich is a busy fellow, so maybe he couldn't keep up with tool development, but surely someone else would have stepped in, given the reputed dangers of duplicate SIDs on the network.