RE: SID Manipulation Issue - Cross Domain Security Vulnerabilities

From: Laura A. Robinson (laurarobinson_at_verizon.net)
Date: 03/08/05

  • Next message: Laura A. Robinson: "RE: Disabling USB mass storage" 
    Date: Mon, 07 Mar 2005 20:47:32 -0500
To: "'Nolan, Tim'" <NolanTim@bfusa.com>, <focus-ms@securityfocus.com>

    It actually came up about 4.5 years ago and was fixed in Win2K SP2- at least
    the particular item to which you refer. :-) However, domains are still not,
    and never have been, security boundaries in AD, as there are other ways to
    use one domain to damage other domains or the entire forest.

    SID filtering is unwieldy, unnecessary and inappropriate for the issue to
    which you are referring, which was the spoofing of the SIDHistory attribute
    on an account from one domain in the forest to use against another domain in
    the forest.

    So, in a nutshell, the vulnerability to which you refer is quite old.

    HTH,

    Laura

    > -----Original Message-----
    > From: Nolan, Tim [mailto:NolanTim@bfusa.com]
    > Sent: Monday, March 07, 2005 11:33 AM
    > To: focus-ms@securityfocus.com
    > Subject: SID Manipulation Issue - Cross Domain Security
    > Vulnerabilities
    >
    >
    > Does anyone know if there has been anything done by Microsoft
    > regarding the SID manipulation issue? This came up a year or
    > two ago, and it basically meant that the domain was no longer
    > the security boundary. As I recall, manipulation of a SID in
    > one domain could be performed to obtain permissions on
    > another domain within the same forest.
    >  
    > Is anyone aware if any patch, hotfix, service pack or
    > whatever might have been issued to resolve this
    > vulnerability? Are there any workarounds?
    >  
    > Another question is around SID filtering - is this an
    > effective countermeasure? Or is it really impractical for
    > very large domains with frequent changes?
    >  
    > Thanks for any help or info you might have on this....
    >  
    >  
    > Tim
    >  
    >  
    >
    > --------------------------------------------------------------
    > -------------
    > --------------------------------------------------------------
    > -------------
    >
    >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: Laura A. Robinson: "RE: Disabling USB mass storage"

    Relevant Pages

    • Re: ADAM Proxy Authentication and Movetree
      ... SID filtering came to mind as a possible reason for ... but a trust has been setup between the ADAM domain and all ... > domains in the other forest that users are provisioned from. ... >> where does the ADAM server sit, in which, if any of the above domains? ...
      (microsoft.public.windows.server.active_directory)
    • Re: Archaeologists discover 8-million-year-old forest in Hungary
      ... wasn't a forest at all... ... refer to groups of extinct creatures as "birds" as long as no species ... I'm just pointing out the ludicrousness of ...
      (talk.origins)
    • Re: Archaeologists discover 8-million-year-old forest in Hungary
      ... wasn't a forest at all... ... up of species that humans never had experience with, ... refer to groups of extinct creatures as "birds" as long as no species ...
      (talk.origins)
    • Re: Archaeologists discover 8-million-year-old forest in Hungary
      ... Of course, since "forest" is a vernacular term, what they discovered ... Oh yes it was...no species were mentioned.... ... refer to groups of extinct creatures as "birds" as long as no species ...
      (talk.origins)
    • ADMT and SID Filtering
      ... I have a question about SID Filtering ad the use of ADMT and If anyone could ... I will use ADMT to migrate objects from a forest to another, ... disable SID Filtering to migrate the objects? ...
      (microsoft.public.windows.server.active_directory)