O'Reilly logo

Active Directory Cookbook by Robbie Allen

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

2.23. Enabling SID Filtering for a Trust

Problem

You want to enable Security Identifier (SID) filtering for a trust. By enabling SID filtering you can keep a hacker from spoofing a SID across a trust.

Solution

Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Quarantine Yes[RETURN]
   [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
   [/UserD:<TrustedDomainUser> /PasswordD:*]

Discussion

A security vulnerability exists with the use of SID history, which is described in detail in MS KB 289243. An administrator in a trusted domain can modify the SID history for a user, which could grant her elevated privileges in the trusting domain. The risk of this exploit is relatively low due to the complexity in forging a SID, but nevertheless, you should be aware of it. To prevent this from happening you can enable SID Filtering for a trust. When SID filtering is enabled, the only SIDs that are used as part of a user’s token are from the trusted domain itself. SIDs from other trusting domains are not included. SID filtering makes things more secure, but prevents the use of SID history and can cause problems with transitive trusts.

See Also

MS KB 289243 (MS02-001: Forged SID Could Result in Elevated Privileges in Windows 2000)

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required