Sunday, June 15, 2008

ActiveDirectory: SID Filtering

SID Filtering applies only to forest trusts or external trusts. If you enable SID Filtering within a forest, you break the transitive trust relationship, so you should not enable it between domains of the same forest.

You should enable SID Filtering when you create a forest trust or an external trust.

On domain controllers that are running Windows Server 2003 or running Windows 2000 Server SP4 or later, SID filtering is applied by default to an outgoing, external trust to “quarantine” the trusted domain. This feature allows only SIDs from the trusted domain to be included in authorization data.

What does SID Filtering mean?

Trusting domain: Contoso
Trusted domain: Cpandl

If the domain Contoso trusts another domain, Cpandl, an administrator of the Contoso domain can manually apply SID filter quarantining to the Cpandl domain. This allows all SIDs whose domain SID is that of the Cpandl domain to pass, but discards all other SIDs (such as migrated SIDs that are stored in SID history).

Disable SID Filtering (run on a domain controller of the trusting domain):
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:domainadministratorAcct /passwordD:domainadminpwd

What is the SID history attribute?

Security principals in Active Directory have an attribute, called SID history, to which domain administrators can add users’ old security identifiers (SIDs). This is useful during Active Directory migrations because administrators do not need to modify access control lists (ACLs) on large numbers of resources and users can use their old SIDs to access resources.
However, administrators in a trusted domain can use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights.

Not everyone can edit the SID history attribute: there is no interface for it, so you would need to know how to modify its binary structure.
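As an added example (not part of the original post), the quarantine rule from the Contoso/Cpandl case above modelled in Python: SIDs are decoded from the binary layout that objectSid and sIDHistory store, and only those whose domain part equals the trusted domain's SID survive. The domain SIDs and RIDs are constructed sample values, and the rule is the one the post states, not a reimplementation of Windows' own filtering code.

```python
import struct

def parse_sid(blob: bytes) -> str:
    """Decode a binary SID (the layout stored in objectSid/sIDHistory) into S-1-... form.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then count x 4-byte little-endian sub-authorities."""
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def build_sid(sid: str) -> bytes:
    """Encode an S-1-... string into the binary layout (inverse of parse_sid)."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("not a SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def domain_sid(sid: str) -> str:
    """Drop the trailing RID: S-1-5-21-x-y-z-RID -> S-1-5-21-x-y-z."""
    return sid.rsplit("-", 1)[0]

def quarantine_filter(trusted_domain_sid: str, sids: list) -> tuple:
    """SID filter quarantining as the post states it: SIDs whose domain part is the
    trusted domain's SID pass; every other SID (including anything that arrived via
    sIDHistory) is discarded before it reaches the authorization data."""
    kept, dropped = [], []
    for sid in sids:
        (kept if domain_sid(sid) == trusted_domain_sid else dropped).append(sid)
    return kept, dropped

# Constructed sample domain SIDs: Cpandl is the trusted domain, Contoso the trusting one.
CPANDL = "S-1-5-21-1111111111-2222222222-3333333333"
CONTOSO = "S-1-5-21-777777777-888888888-999999999"

def demo():
    """SIDs a Cpandl user presents across the trust: the user's own SID and a Cpandl
    group, plus two sIDHistory entries (one from the migrated-from domain, one carrying
    the trusting domain's Domain Admins RID 512). Only the first two should pass."""
    blobs = [
        build_sid(CPANDL + "-1105"),                               # user in Cpandl
        build_sid(CPANDL + "-513"),                                # Domain Users of Cpandl
        build_sid("S-1-5-21-444444444-555555555-666666666-512"),   # old domain, via sIDHistory
        build_sid(CONTOSO + "-512"),                               # trusting domain's Domain Admins
    ]
    return quarantine_filter(CPANDL, [parse_sid(b) for b in blobs])

if __name__ == "__main__":
    kept, dropped = demo()
    print("pass:", kept)
    print("discard:", dropped)
```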