RE: SID Filtering
From: Rob (anonymous_at_discussions.microsoft.com)
Date: 08/27/04
- Next message: Scott Harding - MS MVP: "Re: Upgrade single domain structure"
- Previous message: TheSingingCat: "Re: rebuild caused by corrupt AD schema"
- In reply to: Rebecca Chen [MSFT]: "RE: SID Filtering"
- Next in thread: Rebecca Chen [MSFT]: "RE: SID Filtering"
- Reply: Rebecca Chen [MSFT]: "RE: SID Filtering"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 27 Aug 2004 08:23:33 -0700
Thanks for your help.
SID Filtering is enabled in our Windows 2003 AD (we did
not change the default setting). I migrated a few users with
SID History. I logged on to the 2003 AD with a migrated
account and I can access the file shares and email in the
source NT domain.
When I try to access resources in the source domain with a
migrated account, shouldn't the SID Filtering block access
to the resources, since SID History is disabled?
I had a file share on a computer in the NT domain and had
access to the shares for a few NT4 domain accounts. I
migrated those accounts and the computer to the 2003 AD.
Now I can log in to 2003 AD with the migrated accounts and
access the file shares on the migrated computer.
Also I can log in to the NT4 domain and access the file
shares on the migrated computer.
If SID filtering is enabled, what should we not be
able to access?
I am not sure, but Windows NT accounts can only have one
SID, unlike AD accounts which can have multiple SIDs, so I
don't think we need to disable SID filtering when we
migrate from a Windows NT domain. I think we need to disable
SID filtering when we migrate from Windows 2000 Active
Directory.
Am I missing anything here? Please advise.
>-----Original Message-----
>Hi Rob,
>
>Thank you for your post!
>
>Whether or not you need to enable SID filtering depends on your real
>environments.
>
>There are two scenarios:
>
>Scenario 1:
>==============
>If there are old resources belonging to the original Windows NT domain and you
>want to allow the users in the new domain to have the ability to visit the old
>resources, you need to disable SID filtering.
>
>However, it is possible that Privilege Attacks use SID history to
>attack the domain.
>
>Scenario 2:
>==============
>If you don't need to allow the users to visit the original resources or you
>will migrate all the clients to the new domain, you can enable SID
>filtering. Enabling SID filtering will prevent Elevation of Privilege Attacks;
>however, the users in the new domain will not have the ability to visit the
>original resources.
>
>For more details, please refer to the following white paper:
>
>Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege
>Attacks
>
>http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
>
>If you have any questions, please feel free to let me know.
>
>Have a nice day!
>
>Best regards,
>
>Rebecca Chen
>
>MCSE2000 MCDBA CCNA
>
>
>Microsoft Online Partner Support
>Get Secure! - www.microsoft.com/security
>
>=====================================================
>
>When responding to posts, please "Reply to Group" via your newsreader so
>that others may learn and benefit from your issue.
>
>=====================================================
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
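The thread above turns on two points that are easy to conflate: what SID filtering actually removes from an account's authorization data, and where that removal happens. The following is an added model written for this page (it is not code from the thread, from Microsoft, or from the referenced white paper). It treats a trust as the only place the filter runs: when an account from a trusted domain presents a token to a resource in the trusting domain, every SID that is not relative to the trusted domain's own SID, which includes anything carried in sIDHistory from a migration, is discarded before the ACL check. A resource that sits in the same domain as the account never crosses a trust, so the filter is simply not consulted there. All domain SIDs, RIDs and the share ACL below are constructed sample values, not values from the thread.

```python
# Model of SID filtering ("SID history quarantine") on a domain trust.
# Constructed example for this page; not code from the thread, from
# Microsoft, or from the referenced white paper. Every SID here is a
# made-up sample value.

from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Authorization data an account presents: its primary SID, its group
    SIDs and any SIDs carried over in sIDHistory, all as strings."""
    account_domain: str   # SID of the domain that issued the token
    sids: tuple           # every SID in the token


def domain_of(sid: str) -> str:
    """Domain identifier of a domain SID: everything before the final RID.
    'S-1-5-21-A-B-C-1105' -> 'S-1-5-21-A-B-C'."""
    return sid.rsplit("-", 1)[0]


def filter_sids(token: Token, trusted_domain_sid: str) -> tuple:
    """SID filtering at a trust boundary: keep only SIDs that are relative
    to the trusted domain. SIDs of any other domain, including migrated
    sIDHistory entries, are dropped before authorization."""
    return tuple(s for s in token.sids if domain_of(s) == trusted_domain_sid)


def effective_sids(token: Token, resource_domain_sid: str,
                   sid_filtering: bool) -> tuple:
    """SIDs the ACL check on a resource in resource_domain_sid will see.

    A resource in the account's own domain is reached without crossing a
    trust, so no filtering takes place regardless of the trust setting.
    Across a trust, the trusting domain filters against the trusted
    domain's SID, which is the domain that issued the token."""
    if resource_domain_sid == token.account_domain:
        return token.sids
    if not sid_filtering:
        return token.sids
    return filter_sids(token, token.account_domain)


def access_granted(acl_allowed_sids: frozenset, effective: tuple) -> bool:
    """Simplified allow-only ACL: access if any effective SID is granted."""
    return any(s in acl_allowed_sids for s in effective)


# Constructed sample environment -------------------------------------------
NT4_DOMAIN = "S-1-5-21-100-200-300"       # source NT4 domain (sample SID)
AD_DOMAIN = "S-1-5-21-400-500-600"        # target 2003 AD domain (sample SID)

# A migrated user: new primary SID in AD, old NT4 SID kept in sIDHistory,
# plus one AD group membership.
MIGRATED_USER = Token(
    account_domain=AD_DOMAIN,
    sids=(
        AD_DOMAIN + "-1105",    # new primary SID
        AD_DOMAIN + "-1200",    # an AD group
        NT4_DOMAIN + "-1001",   # sIDHistory entry from the NT4 account
    ),
)

# A share whose ACL was written before migration and still names the
# old NT4 SID only.
NT4_SHARE_ACL = frozenset({NT4_DOMAIN + "-1001"})


def scenarios() -> dict:
    """Outcome of the ACL check for the three cases discussed in the thread."""
    return {
        # Share still lives in the NT4 domain; trust has SID filtering on.
        "nt4_share_filtering_on": access_granted(
            NT4_SHARE_ACL, effective_sids(MIGRATED_USER, NT4_DOMAIN, True)),
        # Same share, SID filtering disabled on the trust.
        "nt4_share_filtering_off": access_granted(
            NT4_SHARE_ACL, effective_sids(MIGRATED_USER, NT4_DOMAIN, False)),
        # The computer hosting the share was itself migrated into AD: the
        # account and the resource are now in one domain, no trust is crossed.
        "migrated_share_filtering_on": access_granted(
            NT4_SHARE_ACL, effective_sids(MIGRATED_USER, AD_DOMAIN, True)),
    }


if __name__ == "__main__":
    for name, granted in scenarios().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The model shows why a migrated computer behaves differently from a resource left behind in the source domain: once both the account and the resource are in the new domain, the old SID in sIDHistory is evaluated like any other SID in the token, and a stale ACL entry naming it still grants access. That is the case a defender wants to review after a migration (re-ACL the resource and clear sIDHistory once it is no longer needed), while SID filtering on the trust is what protects resources that remain on the far side of it.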