Re: sIDHistory & SID Filtering...
From: Rebecca Chen [MSFT] (v-rebc_at_online.microsoft.com)
Date: 10/25/04
- Next message: Jeff Qiu [MSFT]: "RE: AD Migration Error migrating Workstation from NT 4.0 domain"
- Previous message: John Stimpson: "Getting error when using ADMT"
- In reply to: Roman Zarka: "Re: sIDHistory & SID Filtering..."
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 25 Oct 2004 09:44:22 GMT
Hello,
I understand that you have already migrated the user accounts and now want
to completely remove SID history. Please correct me if I am off base.
Please see my inline:
If I can remove sIDHistory from AD all together, then no one can
utilize it for EoP. Right?
A: Correct.
If you have already migrated the user accounts and kept the SID history,
there are several methods available to remove sIDHistory from users and
groups. ADSIedit.msc, ldp.exe, or visual basic scripting will all allow
access to the sIDHistory attribute. However, for administrators not
skilled in scripting or for a large number of objects that need sIDHistory
cleared, there are tools that provide a simple solution.
NOTE: These tools are not completely tested and as such are not 'official'
Microsoft released software. However, they have been successfully used in
production environments and their potential to cause damage is basically
zero.
SidH - Manipulates SID history of a single object
SHTool - Delete and reassign SID history for any number of objects
You can download the tools from:
http://msweb/personal/markvi/tools
There is also another tool named MigrateMagic to completely remove SID
history. Please take a look at the following link:
MigrateMagic
http://www.hallogram.com/migratemagic/
The following article has addressed this concern, please refer to the Using
ADMT and MigrateMagic to cleanup SIDhistory snippet:
http://www.tools4ever.com/resources/pdf/migratemagic/chapter-08-sidhistory-cleanup.pdf
Note: The third-party product discussed is manufactured by a vendor
independent of Microsoft; we make no warranty, implied or otherwise,
regarding this product's performance or reliability.
With regards to the " SID Filtering could also prove to be a viable, but it
is not recommended for domains in the same forest", do you read the
sentence from
http://support.microsoft.com/default.aspx?scid=kb;en-us;289243? I don't
believe it is the problem since it is in win2k.
Any update, let us get in touch!
Best regards,
Rebecca Chen
MCSE2000 MCDBA CCNA
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: zarkatech@gmail.com (Roman Zarka)
>Newsgroups: microsoft.public.windows.server.migration
>Subject: Re: sIDHistory & SID Filtering...
>Date: 22 Oct 2004 10:19:53 -0700
>Organization: http://groups.google.com
>
>I have several native Win2k3 domains representing business units, each
>of which have multiple child domains representing divisions or
>geographical locations. I am trying to prevent a rogue administrator
>in one child domain from using the sIDHistory EoP vulnerability to
>access resources in a different parent/child domain.
>
>My issue has nothing to do with migrations and/or the preservation of
>sIDHistory. I am simply trying to prevent the possibilities of EoP
>vulnerabilities. (I've posted a thread to the security groups as
>well.) My question as it relates to migration is can the sIDHistory
>attribute be removed completely... not just cleared. We've
>successfully completed our migration and no longer require sIDHistory.
> If I can remove sIDHistory from AD all together, then no one can
>utilize it for EoP. Right?
>
>SID Filtering could also prove to be viable, but it is not
>recommended for domains in the same forest. Not "recommended" seems
>vague and suggests that there may be scenarios where SID filtering
>could be utilized on domains in the same forest? If so, under what
>conditions would SID filtering work within the same forest?
>
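The inventory-and-clear task the reply describes (find every object that still carries sIDHistory, then clear the attribute), as an added PowerShell example that is not from the thread or from the tools it links; it assumes the RSAT ActiveDirectory module, and the default search base (the current domain) and the -Clear switch are my own choices.

```powershell
# Added example, not from the thread. Reports objects that still carry
# sIDHistory and, only when -Clear is given, removes the attribute.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to
# write sIDHistory on the objects under $SearchBase.
param(
    [string]$SearchBase,   # assumption: defaults to the current domain
    [switch]$Clear         # report only unless -Clear is passed
)
Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# Every user, group or computer with at least one sIDHistory value.
$objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectClass

$report = foreach ($obj in $objects) {
    foreach ($sid in $obj.sIDHistory) {
        # The domain part of each historical SID shows which (old) domain it
        # came from, which is what you review before deciding to clear it.
        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.objectClass
            HistoricalSid     = $sid.Value
            SourceDomainSid   = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        }
    }
}
$report | Format-Table -AutoSize

if ($Clear) {
    foreach ($obj in $objects) {
        # -Clear drops the whole multi-valued attribute; add -WhatIf for a dry run.
        Set-ADObject -Identity $obj.DistinguishedName -Clear sIDHistory -Confirm:$false
    }
    Write-Host ("Cleared sIDHistory on {0} object(s)." -f @($objects).Count)
}
```

Run it once without -Clear and keep the report: a SourceDomainSid that still belongs to a live domain in the forest is exactly the cross-domain case the original poster is worried about, and is worth checking before the values are removed.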