Re: sIDHistory & SID Filtering...

From: Roman Zarka (zarkatech_at_gmail.com)
Date: 10/22/04


Date: 22 Oct 2004 10:19:53 -0700

I have several native Win2k3 domains representing business units, each
of which have multiple child domains representing divisions or
geographical locations. I am trying to prevent a rogue administrator
in one child domain from using the sIDHistory EoP vulnerability to
access resources in a different parent/child domain.

My issue has nothing to do with migrations and/or the preservation of
sIDHistory. I am simply trying to prevent the possibilities of EoP
vulnerabilities. (I've posted a thread to the security groups as
well.) My question as it relates to migration is: can the sIDHistory
attribute be removed completely... not just cleared? We've
successfully completed our migration and no longer require sIDHistory.
If I can remove sIDHistory from AD altogether, then no one can
utilize it for EoP. Right?

SID Filtering could also prove to be viable, but it is not
recommended for domains in the same forest. Not "recommended" seems
vague and suggests that there may be scenarios where SID filtering
could be utilized on domains in the same forest? If so, under what
conditions would SID filtering work within the same forest?
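An audit script for the two things asked about above, added here as an example and not part of the original post: it lists every object in the domain that still carries sIDHistory values (with the domain each historical SID came from) and shows the SID-filtering state of each trust. It assumes the ActiveDirectory module from RSAT and an account with read access to the domain; the cleanup function at the end runs with -WhatIf so it reports rather than writes.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) on a domain-joined host and read rights on the domain.
Import-Module ActiveDirectory

# 1. Every object that still carries a sIDHistory value.
#    The LDAP filter matches any object whose attribute is populated.
$withHistory = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectClass, distinguishedName |
    ForEach-Object {
        foreach ($sid in $_.sIDHistory) {
            [pscustomobject]@{
                Object       = $_.distinguishedName
                Class        = $_.objectClass
                HistorySID   = $sid.Value
                # Domain part of the historical SID: which domain it was issued by.
                SourceDomain = $sid.AccountDomainSid.Value
            }
        }
    }
$withHistory | Sort-Object SourceDomain | Format-Table -AutoSize

# 2. SID filtering / quarantine state of each trust as seen from this domain.
#    SIDFilteringQuarantined: netdom /quarantine:yes (strict, per-trust).
#    SIDFilteringForestAware: forest-trust SID filtering.
Get-ADTrust -Filter * -Properties SIDFilteringQuarantined, SIDFilteringForestAware |
    Select-Object Name, Direction, TrustType, ForestTransitive,
        SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# 3. Post-migration cleanup: clear the values on one object.
#    Only the values can be cleared; the attribute itself stays in the schema.
#    Assumption: Set-ADObject -Remove accepts the SID as its SDDL string.
#    -WhatIf reports the change without writing it; drop it to apply.
function Clear-SidHistoryValues {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties sIDHistory
    foreach ($sid in $obj.sIDHistory) {
        Set-ADObject -Identity $obj -Remove @{sIDHistory = $sid.Value} -WhatIf
    }
}
```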
