Re: SID Filtering vs. SIDhistory

From: Rich Roller (rich_roller_at_*REMOVE-THIS*whitney.org)
Date: 01/29/04

    Date: Thu, 29 Jan 2004 13:17:42 -0500
    
    

    Alex:

    When we try to install WS3's Support Tools (netsetup.exe) it gives
    an install error saying it will not install on NT (ironically it
    will install on W98!). So unless there is some other trick we
    can't seem to use WS3's version of netdom on NT.

    And the netdom we got off the NT ResKit didn't have the /TRUST
    switch that we had used to display status of SIDfiltering
    (Quarantine) so that didn't seem promising.

    Finally we looked for the Registry key you mentioned but
    "QuarantinedDomains" was not visible at all on either the NT PDC
    or the AD PDC.

    Any more ideas?

    Thanks.

    Rich

    "Alex" <ytsiow@yahoo.com> wrote in message
    news:#SAZv2m5DHA.2392@TK2MSFTNGP11.phx.gbl...
    > I will think that the w2k3 netdom should work for winnt. You can
    > also check the following registry key.
    >
    > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\]
    >
    > Name: QuarantinedDomains
    > Type: REG_MULTI_SZ
    > Value: Sequence of zero, or more, Netbios domain names
    >
    > Also check out this link.
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;811961
    >
    > Good luck.
    >
    >
    >
    > "Rich Roller" <rich@*REMOVE-THIS*r2c.com> wrote in message
    > news:%23abmKhh5DHA.2392@TK2MSFTNGP11.phx.gbl...
    > > Thanks Alex.
    > >
    > > So, instead of running netdom on the AD-side (which shows
    > > filtering on) I should run it on the NT-side (and expect to see
    > > filtering off)?
    > >
    > > Any ideas if netdom works similarly on NT and whether I have to
    > > find an old version of netdom (and where?) or if the netdom from
    > > WS2003 is backward compatible?
    > >
    > > -Rich
    > >
    > > "Alex" <ytsiow@yahoo.com> wrote in message
    > > news:uKtG0ha5DHA.2300@TK2MSFTNGP10.phx.gbl...
    > > > I am quite sure that SID Filtering will not affect sidHistory in
    > > > your case (backward access to resources in your NT domain). From
    > > > what I understand, SID Filtering works on the Trusting domain
    > > > (Resources) which is your NT domain in this case. Your NT domain
    > > > should not have SID Filtering enabled by default and therefore it
    > > > should work.
    > > >
    > > >
    > > > "Rich Roller" <rich_roller@*REMOVE-THIS*whitney.org> wrote in message
    > > > news:ux2BPAF5DHA.360@TK2MSFTNGP12.phx.gbl...
    > > > > We're about to do an important ADMT migration from NT to AD
    > > > > (WS2003), in which we chose to migrate SIDhistory which we
    > > > > relied on for backward access to NT resources. All of our
    > > > > testing so far was based on two-way trusts that were set up
    > > > > with SID Filtering, which is the default for WS2003.
    > > > >
    > > > > Our testing was generally quite positive and SIDhistory, from
    > > > > all we can tell, was working OK (except for built-in users &
    > > > > built-in groups which we understood ADMT would not
    > > > > migrate/SIDhistory).
    > > > >
    > > > > What's really puzzling me about this is that in several
    > > > > places, including the "new trust wizard", it says that if SID
    > > > > Filtering is turned on then things like SIDhistory will not
    > > > > work properly. We've confirmed (using netdom) that our trusts
    > > > > indeed have SID Filtering enabled so what's the deal? How come
    > > > > it looks to us like SIDhistory is working?
    > > > >
    > > > > We're about to do our *real, production* migration and we're
    > > > > wondering if we should disable SID Filtering?
    > > > >
    > > > > TIA,
    > > > >
    > > > > Rich
    > > > >
    > > > >
    > > >
    > > >
    > >
    > >
    >
    >
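
Added example, not part of the original thread: the value Alex names is a REG_MULTI_SZ, so where netdom will not run, one option is to export the Netlogon Parameters key with regedit and parse the export, which also separates "value absent" from "value present but empty". The export-and-parse approach, the function name, and the sample domain names OLDNT and PARTNER are assumptions made for this illustration; the function expects the export already read into a string.

```python
import re

KEY_SUFFIX = r"\services\netlogon\parameters"   # key quoted in the thread
VALUE_NAME = "quarantineddomains"                # value name quoted in the thread
def quarantined_domains(reg_text):
    """Return None if the value is absent, else the list of NetBIOS names."""
    body = reg_text.lstrip("\ufeff\r\n ")
    # REGEDIT4 exports (NT 4.0) hold hex(7) data as ANSI bytes;
    # "Windows Registry Editor Version 5.00" exports use UTF-16LE.
    encoding = "cp1252" if body.startswith("REGEDIT4") else "utf-16-le"
    # A trailing backslash continues hex data on the next line.
    body = re.sub(r"\\\r?\n[ \t]*", "", body)
    in_key = False
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").rstrip("\\").lower().endswith(KEY_SUFFIX)
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if not (in_key and m and m.group(1).lower() == VALUE_NAME):
            continue
        data = m.group(2)
        if not data.startswith("hex(7):"):
            raise ValueError("QuarantinedDomains is not REG_MULTI_SZ: " + data)
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        # REG_MULTI_SZ: NUL-separated strings, terminated by an empty string.
        return [s for s in raw.decode(encoding).split("\0") if s]
    return None

# Constructed sample exports; OLDNT and PARTNER are made-up domain names.
NT4_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"QuarantinedDomains"=hex(7):4f,4c,44,4e,54,00,50,41,52,\
  54,4e,45,52,00,00
"""
V5_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"QuarantinedDomains"=hex(7):00,00
"""
NO_VALUE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"ConstructedOther"=dword:00000001
"""
if __name__ == "__main__":
    for name in ("NT4_EXPORT", "V5_EXPORT", "NO_VALUE"):
        print(name, "->", quarantined_domains(globals()[name]))
```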

