Focus on Microsoft
Back to list
Jul 21 2008 09:50PM
Randhir Vayalambrone (vayalambrones yahoo com)
Jul 22 2008 04:26AM
Red Cat (redcat9876 gmail com)
Thanks a lot for the comments so far. I'm starting to grasp the basic
idea of SID's and AD. But now my question is, why does that user,
"None" or that SID S-1-5-21... appear only for this specific folder?
I'm almost 100% positive it has nothing to do with past accounts
because I've never deleted any to my knowledge. Why does it show up
now and only for this specific folder? The only thing different I can
think of is that this folder was created from a tarball using Cygwin.
(The tarball was downloaded from John the Ripper)... Does that have
anything to do with it? Is Cygwin or John the Ripper burrowing into my
system? Is that why it's coming up? Should I delete it? (I thought
John the Ripper was safe enough...) Once again, thanks for all the
great comments and thanks in advance.
On Mon, Jul 21, 2008 at 2:50 PM, Randhir Vayalambrone
<vayalambrones (at) yahoo (dot) com [email concealed]> wrote:
> computername\none is a special group (hidden in the local users/groups mmc; try creating a user or a group named None on Windows, it will fail with an error group exists). None equates to the domain users in AD.
> Read Keith Brown's "Programming Windows Security" (if it is still available) to understand the internals of Windows security.
> Randhir Vayalambrone
> ----- Original Message ----
> From: Charles Hardin <fonestorm (at) gmail (dot) com [email concealed]>
> To: Erik Boles <eboles (at) mxlogic (dot) com [email concealed]>
> Cc: Dennis Li <dennis.li.sh (at) gmail (dot) com [email concealed]>; Red Cat <redcat9876 (at) gmail (dot) com [email concealed]>; "focus-ms (at) securityfocus (dot) com [email concealed]" <focus-ms (at) securityfocus (dot) com [email concealed]>
> Sent: Monday, 21 July, 2008 7:50:52 PM
> Subject: Re: S-1-5-21...
> You guys are missing the part that he said its COMPUTERNAME\none. This
> means its a local account, nothing to do with AD. Im not that familiar
> with vista users but I would not be suprised if this was some sort of
> system generated account.
> Charles Hardin
> On Mon, Jul 21, 2008 at 2:37 PM, Erik Boles <eboles (at) mxlogic (dot) com [email concealed]> wrote:
>> Also -- if the user is deleted from A-D that had access to that folder it will show the SID rather than the name of the user as that container for the user still exists, it just doesn't have a name any longer.
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Dennis Li
>> Sent: Monday, July 21, 2008 11:30 AM
>> To: Red Cat
>> Cc: focus-ms (at) securityfocus (dot) com [email concealed]
>> Subject: Re: S-1-5-21...
>> Normal, the user like 'S-1-5....' is a domain account. After your
>> computer is added into a domain (AD), the administrator account of the
>> domain is added to your local administrators group automatically. And
>> when you browse the security property of the folder, OS will query the
>> real name of that domain user. Before the query is done, you'll see
>> the name is 'S-x-x-xxx'.
>> On Tue, Jul 22, 2008 at 12:56 AM, Red Cat <redcat9876 (at) gmail (dot) com [email concealed]> wrote:
>>> I have a question on something I saw on my computer today. I'm on a
>>> Windows Vista. I was looking at some of the "properties" of some
>>> folders in my "Public" folder and clicked on the "Security" tab. Then
>>> I noticed my usual login user, "Everyone", and one other user, whose
>>> id seemed to be S-1-5-21...and some numbers. Then after a couple
>>> moments it turned into the user, "None" with (My computer name\None)
>>> right next to it. I looked at the permissions it was given and
>>> apparently it was given "Special Permissions." I was pretty sure I
>>> didn't and never had created a user named "None". But I still checked
>>> the Users folder to see if there was indeed a user named "None". There
>>> wasn't. I even checked to see if there were any hidden users using the
>>> "view hidden folder option", but there was no uesr by the name of
>>> "None". I looked on google for some time but all I managed to find was
>>> that it could possibly be a remnant from a past OS or something. But
>>> this computer had Vista installed on it when I got it. Also, it might
>>> be some sort of guest that was made for my computer or something. My
>>> own speculation is that it has something to do with the fact that I
>>> used Cygwin to open up a tarball and create this folder. Anyway, what
>>> does this user mean? Why does it have special permissions? Is it some
>>> sort of sign that I have a back door somewhere on my computer or that
>>> I'm being keylogged or something? Thanks in advance.
[ reply ]
Jul 23 2008 06:11AM
Jørgen Hovelsen (jorgen hovelsen ntnu no)
Jul 23 2008 01:18AM
Anthony Petito (anthonypetito gmail com)
Copyright 2010, SecurityFocus