Windows Tools

SIDWalker Security Administration Tools

Overview | Notes | Syntax | Examples | Related Tools

This set of programs helps system administrators manage access-control policies on systems running Windows XP, Windows 2000, and Windows NT. The SIDWalker tools are designed to support a three-phase approach to modifying access control. Each phase of changing access control can take a day or longer to complete and verify, and requires significant amounts of system resources and administrator time. The phases are:

SIDWalker Components

ShowAccs

This command-line tool enables users to examine the access control lists (ACLs) on the registry, file system, and file and print shares, and to look at membership in local groups. ShowAccs command options support looking at specific areas of Windows 2000 and Windows XP (such as specific file-system directories) or examining the entire system.

The output file of ShowAccs is a comma-separated text file, called the access-profile file, that shows all the object-specific access rights on the system. The access-profile file can be reviewed and analyzed by using a text editor, or it can be imported into a spreadsheet or database management program.

ShowAccs also creates a mapping file that lists the security principals (users and groups) that show up somewhere in ACLs. The mapping file can be input to the Security Migration Editor Microsoft Management Console (MMC) snap-in for account mapping.

SIDWalk

This command-line tool takes a mapping file as input and scans all the access control lists in the registry, file system, file and print shares, and local group membership. SIDWalk uses the mapping information in the mapping file to either delete or replace every occurrence of an old security identifier (SID) with the corresponding new SID. The same mapping file can be used for SIDWalk conversion on multiple computers.

Security Migration Editor

The Security Migration Editor is a Microsoft Management Console (MMC) snap-in that provides a graphical user interface (GUI) for mapping old security identifiers (SIDs) listed in a mapping file created by ShowAccs to new security identifiers. The "migration" referred to is from old SIDs to corresponding new SIDs, which are mapped by selecting from the list of user and group accounts in target domains or computers. The snap-in also gives options to ignore or delete these SIDs as they show up in access-control lists (ACLs). The Security Migration Editor updates the mapping file, which is then used as input to SIDWalk.

Corresponding UI

There is no corresponding user interface for ShowAccs or SIDWalk. Security Migration Editor provides its own user interface.

Concepts

Access control is implemented by access control lists (ACLs). Every file in the NTFS file system and every registry key has a unique ACL, granting access rights to file resources to users and groups and defining what specific access rights each is granted. Each user and group is identified in the ACL by a security identifier (SID).

System Requirements

The SIDWalker tools have different system requirements.

ShowAccs Requirements

ShowAccs can be run as scheduled batch jobs. It must be run locally on the computer where the access permissions are to be changed. ShowAccs uses Windows NT security APIs (supported on Windows NT 4.0, Windows 2000, and Windows XP) to examine every access control list (ACL) on every object on the system. It is a CPU and I/O intensive program; plan to run it when system use is otherwise very light and expect significant resource use.

In Windows NT 4.0, ShowAccs requires Msvcrt50.dll, which is found in the \System32 directory of any Windows 2000 installation.

SIDWalk Requirements

SIDWalk can be run as scheduled batch jobs. It must be run locally on the computer where the access permissions are to be changed. SIDWalk uses Windows NT security APIs (supported on Windows NT 4.0, Windows 2000, and Windows XP) to examine every access control list (ACL) on every object on the system. It is a CPU and I/O intensive program; plan to run it when system use is otherwise very light and expect significant resource use.

Security Migration Editor Requirements

Security Migration Editor does not have to run on the same computer on which ShowAccs or SIDWalk runs. An administrator can schedule ShowAccs to run remotely on one server in the network, can transfer the resulting files to a local workstation for analysis and update using Security Migration Editor, and then can copy the mapping file back to one or more target systems and run SIDWalk on them.

Files Required