September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
2.23. Enabling SID Filtering for a Trust
Problem
You want to enable Security Identifier (SID) filtering for a trust. By enabling SID filtering you can keep a hacker from spoofing a SID across a trust.
Solution
Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Quarantine Yes[RETURN] [/UserO:<TrustingDomainUser> /PasswordO:*][RETURN] [/UserD:<TrustedDomainUser>/PasswordD:*]
Discussion
A security vulnerability exists with the use of SID history, which is described in detail in MS KB 289243. An administrator in a trusted domain can modify the SID history for a user, which could grant her elevated privileges in the trusting domain. The risk of this exploit is relatively low due to the complexity in forging a SID, but nevertheless, you should be aware of it. To prevent this from happening you can enable SID Filtering for a trust. When SID filtering is enabled, the only SIDs that are used as part of a user’s token are from the trusted domain itself. SIDs from other trusting domains are not included. SID filtering makes things more secure, but prevents the use of SID history and can cause problems with transitive trusts.
See Also
MS KB 289243 (MS02-001: Forged SID Could Result in Elevated Privileges in Windows 2000)