advanced/Machine Identification

1. How is a machine identified?

A machine is identified by its netbios name, the list of its MAC addresses, its hardware id and its Windows SID.

1.1. Summary

The netbios name (N) of a machine is unique at a given time within a given domain. Name uniqueness is ensured by the domain controller, but two machines may have the same name at different points in time.

The list of MAC addresses ({Mi}) of a machine is the list of the network adapters that are enabled on Windows. This list may change over time.

The hardware id (H) is based on the serial numbers of the BIOS, the chassis and the motherboard as reported by WMI. The hardware id is usually unique for branded PCs but may not be unique for no-name or self-assembled PCs. VMware defines a BIOS serial number that is unique, yielding a valid hardware id.

The Windows SID (S) is the security identifier of the Windows operating system. The SID is generated during the Windows installation process and is supposed to be globally unique. However, if Windows is installed from a cloned image that has not been carefully prepared with sysprep, the SID may not be unique. Experience shows that SIDs are rarely unique in corporate networks and appear in bunches of 10 to 50 machines.

1.2. Details

To identify a machine <H, {Mi}, N, S>, the following algorithm applies:

  1. Is there a machine with the same tuple <H, {Mi}, N, S>?

    • yes -> the two machines are identical

  2. Is there a machine with the same tuple <H, {Mi}, S>?

    • yes -> the two machines are identical but the machine has been renamed

  3. Is there a machine with the same tuple <H, N, S> and with at least one MAC address belonging to the OUI in common?

    • yes -> the two machines are identical but, for instance, one network adapter has been disabled or enabled.

  4. Is there a machine with the same tuple <H, N, S> and with 50% or more of the MAC addresses in common?

    • yes -> the two machines are identical but, for instance, one network adapter has been disabled or enabled and the MAC addresses have been reflashed.

  5. Is there a machine with the same tuple <H, S> and with more than 50% of the MAC addresses in common?

    • yes -> the two machines are identical but, for instance, one network adapter has been disabled or enabled, the MAC addresses have been reflashed and the machine has been renamed.

  6. Compute the subset {Mui} of {Mi} made of the MAC addresses that belong to only one machine.

  7. Does H belong to more than one machine in the database?

    • yes -> Is there a machine with the same tuple <H, N>?

      • yes -> the two machines are identical but it is probably a VM and a new MAC address has been generated at boot time.

  8. Is there a machine with the same tuple <N, {Mui}>?

    • yes -> Is there a machine with the same tuple <H, N>?

      • yes -> the two machines are identical; it is a no-name PC with the same hardware id.

If no identical machine is found as per the above rules, then a new source is created.
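The eight rules above as a working matcher, written here as an added Python example; it is not code from the original page or from the engine it documents. It assumes the tuple is held in a small Machine record, reads "belonging to the OUI" in rule 3 as a universally administered MAC address (U/L bit clear, i.e. assigned from a registered OUI, unlike a locally administered address), and uses the candidate's own MAC list as the base of the percentages in rules 4 and 5; the inventory DB is constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Machine:
    hw_id: str        # H: hardware id derived from BIOS, chassis and motherboard serials
    macs: frozenset   # {Mi}: MAC addresses of the adapters enabled on Windows
    name: str         # N: netbios name
    sid: str          # S: Windows SID

def from_oui(mac):
    """True for a universally administered MAC (U/L bit clear), i.e. assigned from a registered OUI."""
    return int(mac.split(":")[0], 16) & 0x02 == 0

def overlap(m, d):
    """Share of m's MAC addresses also present in d (assumption: m's list is the base of the ratio)."""
    return len(m.macs & d.macs) / len(m.macs) if m.macs else 0.0

def identify(m, db):
    """Apply rules 1 to 8 in order; return (matched machine, rule) or (None, 'new source')."""
    same_hs = [d for d in db if d.hw_id == m.hw_id and d.sid == m.sid]      # <H, S>
    same_hns = [d for d in same_hs if d.name == m.name]                      # <H, N, S>
    for d in same_hns:                                   # rule 1: full tuple
        if d.macs == m.macs:
            return d, "1: identical"
    for d in same_hs:                                    # rule 2: <H, {Mi}, S>, name differs
        if d.macs == m.macs:
            return d, "2: renamed"
    for d in same_hns:                                   # rule 3: a shared OUI-assigned MAC
        if any(from_oui(x) for x in m.macs & d.macs):
            return d, "3: adapter enabled or disabled"
    for d in same_hns:                                   # rule 4: 50% or more MACs shared
        if overlap(m, d) >= 0.5:
            return d, "4: adapter changed and MACs reflashed"
    for d in same_hs:                                    # rule 5: more than 50% MACs shared
        if overlap(m, d) > 0.5:
            return d, "5: adapter changed, MACs reflashed and renamed"
    # rule 6: {Mui}, the MACs of m that exactly one machine in the database owns
    mui = frozenset(x for x in m.macs if sum(x in d.macs for d in db) == 1)
    same_hn = [d for d in db if d.hw_id == m.hw_id and d.name == m.name]    # <H, N>
    if sum(d.hw_id == m.hw_id for d in db) > 1 and same_hn:                  # rule 7
        return same_hn[0], "7: VM with a MAC regenerated at boot"
    if mui and any(d.name == m.name and mui <= d.macs for d in db) and same_hn:  # rule 8
        return same_hn[0], "8: no-name PC sharing a hardware id"
    return None, "new source"

DB = [Machine("H1", frozenset({"00:11:22:33:44:55"}), "PC1", "S1"),   # constructed sample inventory
      Machine("H3", frozenset({"00:50:56:00:00:01"}), "VM2", "S3"),
      Machine("H3", frozenset({"00:50:56:00:00:02"}), "VM3", "S4")]
```

Because rule 3 fires on any shared OUI-assigned address, rule 4 only matters when the shared addresses are locally administered (reflashed or virtual), which is why the two rules are not redundant.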
