Cameron Kaiser <spectre(a)stockholm.ptloma.edu> wrote:
> No, the SID (as I recall from my guilty little store of NT data) is
> generated off hardware to prevent someone from simply putting the name of a
> trusted host on an NT machine and entering it into the NT domain. If the
> SID doesn't match, the machine isn't granted entrance. Therefore, it would
> have to have been assigned *before* it is connected to the network, and
> according to our local MCSE, it's totally intrinsic to the machine's
> hardware.
The SID may be seeded from the Ethernet MAC address or something, but it
isn't really tied to the machine. I've replaced Ethernet cards on NT
boxes with no problems.
But the SID is supposed to be a "secret" shared between the client and
the server. If someone else gets hold of the SID, they can masquerade
as the client and have whatever security privs that client had.
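Added example, not written by either participant in the thread above: a small Python parser for the Windows SID structure, to show concretely what "the SID" of an NT machine or domain consists of. An account SID of the form S-1-5-21-X-Y-Z-RID is made of a revision, an identifier authority (5 = NT Authority), the subauthority 21, three 32-bit subauthorities X, Y, Z that identify the machine or domain (chosen when the system is installed, with no dependence on hardware such as a MAC address), and a final relative identifier (RID) naming the account. The code converts between the string and binary forms and includes a check for whether two account SIDs were issued by the same machine or domain. The sample SID values are constructed for the example.

```python
"""Parse, format and compare Windows security identifiers (SIDs).

Binary layout as stored by the OS:
  byte 0      revision (always 1)
  byte 1      number of subauthorities (at most 15)
  bytes 2-7   identifier authority, 48-bit big-endian
  bytes 8..   each subauthority as a 32-bit little-endian integer
"""
import re
import struct

# String form: S-<revision>-<authority>-<sub>-<sub>...
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid_string(s):
    """Split 'S-1-5-21-...' into (revision, authority, [subauthorities])."""
    m = SID_RE.match(s)
    if not m:
        raise ValueError("not a SID string: %r" % (s,))
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]] if m.group(3) else []
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > 15:
        raise ValueError("too many subauthorities (%d)" % len(subs))
    if any(x >= 1 << 32 for x in subs):
        raise ValueError("subauthority does not fit in 32 bits")
    return revision, authority, subs


def sid_to_bytes(s):
    """Encode a SID string into its binary (SID structure) form."""
    revision, authority, subs = parse_sid_string(s)
    header = struct.pack("<BB", revision, len(subs))
    header += authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", x) for x in subs)


def sid_from_bytes(b):
    """Decode a binary SID back into its string form."""
    if len(b) < 8:
        raise ValueError("SID too short")
    revision, count = b[0], b[1]
    if len(b) != 8 + 4 * count:
        raise ValueError("length %d does not match %d subauthorities" % (len(b), count))
    authority = int.from_bytes(b[2:8], "big")
    subs = struct.unpack("<%dI" % count, b[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % x for x in subs))


def split_account_sid(s):
    """Return (issuer_sid, rid) for an NT machine/domain account SID.

    The issuer part S-1-5-21-X-Y-Z is what identifies the machine or domain;
    the trailing RID identifies the account within it (e.g. 500 = Administrator).
    """
    revision, authority, subs = parse_sid_string(s)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not an NT machine/domain account SID: %r" % (s,))
    issuer = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
    return issuer, subs[4]


def same_issuer(a, b):
    """True if two account SIDs were issued by the same machine or domain."""
    return split_account_sid(a)[0] == split_account_sid(b)[0]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    user = "S-1-5-21-3623811015-3361044348-30300820-1013"
    admin = "S-1-5-21-3623811015-3361044348-30300820-500"
    other = "S-1-5-21-1004336348-1177238915-682003330-1013"
    print(sid_to_bytes(user).hex())
    print(split_account_sid(user))
    print(same_issuer(user, admin), same_issuer(user, other))
```

The `same_issuer` check is the comparison an NT domain effectively makes: only the three subauthorities after 21 say which machine or domain minted a SID, so two accounts on the same box share that prefix and differ only in RID, and the prefix itself carries no hardware-derived component.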