Establishing secure Active Directory boundaries - Part 3

James Michael Stewart, Contributor


Creating trusts between two forests raises two security concerns: SID spoofing for privilege escalation and rogue administrators. SID spoofing is the act of adding the SIDs of non-trusted domains to the access token of a security principal (i.e. a user account) in such a way that the SIDs are accepted (i.e. authorized) by the trusted domain. A SID contains the ID of the domain in which the user account was originally created. When a trust is established, a new user account is created in the newly trusted domain and the SID information from the original domain is added to the sIDHistory attribute of the new account. The newly trusted domain automatically accepts all SIDs in sIDHistory. Thus, if SIDs from non-trusted domains are added to the user's access token in the original domain before the account is migrated to the new domain, privilege escalation may occur.

While this is a legitimate vulnerability, it is not an easy attack to perform, especially since it currently requires administrative access on the original domain in order to modify the SIDs attached to the user account's access token. Taking steps to prevent such attacks is nevertheless important. Microsoft has designed a SID Filtering countermeasure to address this issue, which is included in Windows Server 2003 and Windows 2000 Server Service Pack 4. All systems should be upgraded to these versions before establishing the external trust. If you are using older versions of Windows Server, or you already have external trusts in place, SID Filtering can be enabled using the NETDOM command-line utility.

This issue is covered in more depth in Microsoft Knowledge Base documents 289243 and 289246.

The second risk is rogue administrators. Once the forest-to-forest external trust is established, it is possible to add users from the trusted domain into the domain local groups of the trusting domain. If a user from one forest is added to an administrative domain local group of the root domain of another forest, the isolation of the forests is compromised. This also means that if the users who are granted administrative access are not trustworthy, they have enough privilege to damage the forest. As a general rule, do not add users from one forest into administrative or service management groups of another forest.
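As an added example (not code from the original tip or from Microsoft), the following Python models the two controls discussed above: a simplified SID-filtering pass of the kind a quarantined trust applies to an incoming token, and an audit that flags members of privileged groups whose SID belongs to a domain outside the local forest. All domain SIDs, account names and group memberships are constructed sample data, and the set of well-known SIDs allowed through the filter is a modelling assumption for this example, not a description of Windows internals.

```python
"""Simplified model of SID filtering on a quarantined trust, plus an audit of
privileged-group membership for foreign-forest SIDs.  Added example; every SID,
account name and group membership below is constructed sample data."""
from typing import Dict, List, Optional, Set, Tuple

# Well-known SIDs that belong to no domain.  Allowing these through the filter is
# a modelling assumption for this example (constructed allowlist).
WELL_KNOWN_SIDS: Set[str] = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users


def domain_sid(sid: str) -> Optional[str]:
    """Return the domain identifier of a domain-relative SID, i.e. the
    S-1-5-21-<a>-<b>-<c> prefix, or None for well-known / non-domain SIDs."""
    parts = sid.split("-")
    # A domain SID is S-1-5-21-a-b-c (7 parts); an account SID appends a RID.
    if len(parts) >= 7 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None


def filter_sids(token_sids: List[str], trusted_domain_sid: str
                ) -> Tuple[List[str], List[str]]:
    """Model of a quarantined (SID-filtered) trust: the trusting domain keeps only
    SIDs issued by the trusted domain itself (plus well-known SIDs) and discards
    everything else, including sIDHistory entries that carry some other domain's
    identifier.  Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for sid in token_sids:
        if sid in WELL_KNOWN_SIDS or domain_sid(sid) == trusted_domain_sid:
            accepted.append(sid)
        else:
            dropped.append(sid)
    return accepted, dropped


def find_foreign_members(group_members: Dict[str, List[Tuple[str, str]]],
                         local_forest_domain_sids: Set[str]
                         ) -> List[Tuple[str, str, str]]:
    """Audit: report members of privileged groups whose SID belongs to a domain
    outside the local forest.  Input maps group name -> [(account, sid), ...]."""
    findings = []
    for group, members in group_members.items():
        for name, sid in members:
            dom = domain_sid(sid)
            if dom is not None and dom not in local_forest_domain_sids:
                findings.append((group, name, sid))
    return findings


# --- constructed sample data -------------------------------------------------
TRUSTED_DOMAIN_SID = "S-1-5-21-1111-2222-3333"        # the partner (trusted) domain
LOCAL_FOREST_DOMAIN_SIDS = {"S-1-5-21-9999-8888-7777"}  # our own forest root

# Token presented across the trust: the user's own SID, Domain Users of the
# trusted domain, two well-known SIDs, and a sIDHistory entry carrying OUR
# forest's domain identifier.  That last entry is what filtering exists to drop.
SAMPLE_TOKEN_SIDS = [
    "S-1-5-21-1111-2222-3333-1105",
    "S-1-5-21-1111-2222-3333-513",
    "S-1-1-0",
    "S-1-5-11",
    "S-1-5-21-9999-8888-7777-512",
]

# Privileged groups in our forest root and their members (constructed).
SAMPLE_GROUP_MEMBERS = {
    "Domain Admins": [
        ("CORP\\alice", "S-1-5-21-9999-8888-7777-1001"),
        ("PARTNER\\bob", "S-1-5-21-1111-2222-3333-1105"),
    ],
    "Enterprise Admins": [
        ("CORP\\carol", "S-1-5-21-9999-8888-7777-1002"),
    ],
}

if __name__ == "__main__":
    accepted, dropped = filter_sids(SAMPLE_TOKEN_SIDS, TRUSTED_DOMAIN_SID)
    print("accepted:", accepted)
    print("dropped :", dropped)
    for group, name, sid in find_foreign_members(SAMPLE_GROUP_MEMBERS,
                                                 LOCAL_FOREST_DOMAIN_SIDS):
        print(f"foreign principal in {group}: {name} ({sid})")
```

In the sample run the sIDHistory entry with our forest's domain identifier is the only SID dropped, and the audit reports PARTNER\bob as a foreign principal in Domain Admins. On a real trust the equivalent of `filter_sids` is not something you write yourself; it is the quarantine behaviour enabled on the trusting side with `netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:yes`, and the membership audit is the recurring check that keeps the rule above enforced.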

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in February 2004
