Know thy SELF…

Windows has a special security principal know as SELF (also Principal Self and NT AUTHORITYSELF).

Here’s the definition of SELF from KB243330:

SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.

And here’s one from KB296479:

SELF is not an actual SID, but a way to reference the objectSid for the object on which it is set, which will always be unique.
The hexadecimal value of the Self SID is: 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x05 0x0a 0x00 0x00 0x00

And from TechNet:

Principal Self

Attribute Value
Well-Known SID/RID S-1-5-10
Object Class Foreign Security Principal
Default Location in Active Directory cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain>
Description A placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal represented by the object.

So what does all this mean?

It means that if you want to grant a security principal permissions to itself, or more accurately; the object representing itself, you can use SELF as a placeholder. Whenever the security subsystem encounters the SELF SID in an ACL it replaces it with the SID of the object that the ACL is set on.

Why use SELF?

Using the SELF principal can greatly simplify administration and cut down on ACL sizes. Let’s say you have an OU in Active Directory where you want every user to be able to update their own telephone number. Instead of editing each user object and that user permissions to its own telephone number attribute, you would just give SELF that permission, but at the OU level and each user object would inherit it. When a user wants to change his or hers telephone number the access check in Active Directory will encounter the SELF principal and replace that with the SID of the actual account.

Questions:

One thing I could not figure out while putting this together is what happens when you use SELF in an ACE on an object that is not a security principal, a file for instance. The file does not have a SID (because it is not a security principal) so there is nothing for SELF to point to. I thought that maybe SELF would point to the SID of the owner of the file, but that is the job of the CREATOR OWNER SID, not SELF. I guess that SELF, when used in such a scenario, does not do anything.

The Windows Server 2008 DNS Server Global Query Block list

Event logged in the DNS Server log when a query is received for a name that exists in an authoritative zone, but is also on the global query block list:

EventID : 7600
MachineName : lab-dc1.lab.net
EntryType : Warning
Message : The global query block list is a feature that prevents attacks on your network by blocking DNS queries for specific host names. This feature has caused the DNS server to fail a query with error code NAME ERROR for wpad.lab.net. even though data for this DNS name exists in the DNS database. Other queries in all locally authoritative zones for other names that begin with labels in the block list will also fail, but no event will be logged when further queries are blocked until the DNS server service on this computer is restarted. See product documentation for information about this feature and instructions on how to configure it.

Below is the current global query block list (this list may be truncated in this event if it is too long):
wpad
isatap
Source : DNS

Resources:

How to reset the Windows Recycle Bin

Sometimes the Recycle Bin of a partition/volume can become corrupted. When it does it prevents you from deleting files or takes up space that cannot be reclaimed by emptying the Recycle Bin, or both. To reset the Recycle Bin for a particular volume or partition, start up a command prompt with Administrative privileges and delete the $RECYCLE.BIN folder from the partition/volume in question. Needless to say you will loose everything in that folder. When you delete a file on that volume/partition next, the Recycle Bin will be automatically regenerated.

Example command:

rd /s E:$RECYCLE.BIN

Where E: is the volume or partition with the corrupt Recycle Bin.