Recipe 2.23 Enabling SID Filtering for a Trust

2.23.1 Problem

You want to enable Security Identifier (SID) filtering for a trust. By enabling SID filtering you can keep a hacker from spoofing a SID across a trust.

2.23.2 Solution Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Quarantine Yes[RETURN]    [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]    [/UserD:<TrustedDomainUser> /PasswordD:*]

2.23.3 Discussion

A security vulnerability exists with the use of SID history, which is described in detail in MS KB 289243. An administrator in a trusted domain can modify the SID history for a user, which could grant her elevated privileges in the trusting domain. The risk of this exploit is relatively low due to the complexity in forging a SID, but nevertheless, you should be aware of it. To prevent this from happening you can enable SID Filtering for a trust. When SID filtering is enabled, the only SIDs that are used as part of a user's token are from the trusted domain itself. SIDs from other trusting domains are not included. SID filtering makes things more secure, but prevents the use of SID history and can cause problems with transitive trusts.

2.23.4 See Also

MS KB 289243 (MS02-001: Forged SID Could Result in Elevated Privileges in Windows 2000)

Active Directory Cookbook
Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: