Windows 2000 SIDHistory Escalation Attack

From: James Barrett (jimb@LUCENT.COM)
Date: 02/20/02

Date:         Wed, 20 Feb 2002 13:23:42 -0500
From: James Barrett <jimb@LUCENT.COM>


I know that this topic was brought up a few weeks ago, but we have been
doing some research internally on this issue and have reached some
disturbing conclusions.

First of all, when Microsoft introduced the Windows 2000 domains within
a forest structure, the domains were introduced as security and
replication boundaries. If you had a situation where you needed to keep
two divisions of your company completely separate from each other, you
could create two domains. Each division could have complete control
over their domain and not be able to affect the other. Since they are
all part of the same forest, they are able to share a common global
catalog, and more importantly a common Exchange 2000 address book. This
understanding has been the basis for Windows 2000 designs for the past
two years.

Now, Aelita Software has identified a bug that affects this model.
Specifically, if you are an administrator for Domain A, and you have a
means of modifying the SIDHistory attribute, you could insert the SID
from Domain B's Domain Administrator account into yours. This would
then give you Administrative level access to Domain B and violate the
security barrier. The original whitepaper from Aelita can be found at
<> .

Microsoft issued a response and an analysis of the problem in MS02-001.
Basically, they acknowledged it was a problem but decided it was not too
severe. They did release a patch to prevent the SIDHistory value from
being read, but it cannot be used between domains within the same forest
as it would break replication. Their analysis was that it would be very
difficult to manipulate the SIDHistory value. Their recommendation was
that if this issue was a problem, separate forests should be considered.

This is not a very good answer for a couple of reasons. First of all,
most of the third-party tool vendors have methods of manipulating the
SIDHistory value as part of their migration suites. This proves that it
can be done, so it is only a matter of time before a program is
developed to do this. Secondly, Windows 2000 security permits
authenticated users of one domain to do an LDAP query to another domain
to obtain the SID of any object. This makes it trivial to both locate
an administrative SID and add it to a local user account. Microsoft's
suggestion of multiple forests makes things such as global email
directories and global catalogs difficult to implement. NetWare does
not have this kind of privilege escalation problem and neither should

I recommend that the community push Microsoft to develop a means of
disabling the SIDHistory between domains in a forest such that it does
not affect replication and other things. Windows 2000 forests should be
able to have domains that can be secured from each other. If Microsoft
chooses not to do this, this represents a significant issue in designing
a flexible Windows 2000 infrastructure.


Jim Barrett

Jim Barrett, CISA, CCNP, MCSE, MCT
Senior Consultant
Microsoft Consulting Practice
Lucent Technologies ESS
781-848-5500 ext. 445
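As an added example (not part of the original post or of any vendor's tooling), the following audit walks a constructed export of sidHistory values from one forest domain and flags entries that reference another domain in the same forest that was never a migration source, or that carry a privileged well-known RID such as 512 (Domain Admins). The domain SIDs, user names and the list of migration sources are all assumed sample values.

```python
import re

# Constructed sample values, not from the post: SIDs of two domains in one forest
# and of a legacy domain that was a legitimate migration source.
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_B = "S-1-5-21-4444444444-5555555555-6666666666"
LEGACY = "S-1-5-21-7777777777-8888888888-9999999999"
FOREST_DOMAINS = {DOMAIN_A: "DomainA", DOMAIN_B: "DomainB"}

# Well-known RIDs that confer administrative rights once they land in a token.
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

def split_sid(sid):
    """Split a domain account SID into (domain SID, RID); (None, None) if malformed."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)

def audit_sid_history(users, home_domain, allowed_sources=()):
    """users: records exported from home_domain as {'sam': ..., 'sidHistory': [...]}.
    Returns (sam, sid, reason) for every sidHistory value that needs a look."""
    findings = []
    for u in users:
        for sid in u.get("sidHistory", []):
            dom, rid = split_sid(sid)
            if dom is None:
                findings.append((u["sam"], sid, "unparseable SID"))
                continue
            if dom == home_domain:
                findings.append((u["sam"], sid, "history entry from its own domain"))
            elif dom in FOREST_DOMAINS and dom not in allowed_sources:
                findings.append((u["sam"], sid,
                                 f"forest domain {FOREST_DOMAINS[dom]} is not a migration source"))
            if rid in PRIVILEGED_RIDS:
                findings.append((u["sam"], sid,
                                 f"privileged RID {rid} ({PRIVILEGED_RIDS[rid]})"))
    return findings

# Constructed export from Domain A: one legitimately migrated user, one whose
# history carries Domain B's Domain Admins SID (the case the post describes).
SAMPLE_USERS = [
    {"sam": "jdoe", "sidHistory": [LEGACY + "-1105"]},
    {"sam": "mallory", "sidHistory": [DOMAIN_B + "-512"]},
]

def run_sample():
    return audit_sid_history(SAMPLE_USERS, DOMAIN_A, allowed_sources={LEGACY})
```

In a live domain the same check runs over the sidHistory attribute of every account, and any entry it flags should be traced back to a documented migration before it is trusted.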
