2006-03-14

SID History Filtering

Categories: tech

Q: What is SID History Filtering?

A: SID History Filtering is a feature which makes it possible to filter out the SID History attribute for users autheticating over an interforest trust.

Q: Which OSes has this feature?

A: Windows Server 2003 and Windows 2000 Server post SP2 (I thought it was only in 2003 and I fount out the hard way)

Q: Why do I need this?

A: Because SID History is a potential security risk since it can be altered to gain access to resources which a person does not have access to.

Q: Could SID History filtering be a problem?

A: I you setup a trust between two domains for migration purposes you will not bet able to access resources in the old domain (I am talking from personal experience) with a migrated user.

Q: Is it turned on by default?

A: Yes

How do I turn off SID Filtering?

In Windows Server 2003:

      Netdom trustTrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

         TrustingDomainNameThe Domain Name System (DNS) name (or network basic input/output system (NetBIOS) name) of the trusting domain in the trust that is being created.
         TrustedDomainNameThe DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
         domainadministratorAcctThe user account name with the appropriate administrator credentials to modify the trust.
         domainadminpwdThe password of the user account in domainadministratorAcct.

In Windows 2000:

      netdom trust RESDOM /D:ACCDOM /UD:ACCDOMAdministrator /PD:adminpwd /UO:RESDOMAdministrator /PO:adminpwd /filtersids:no

Links

KB for Winfows 2000 (289243)
Techent Article for 2003
Good Article on SID Filtering and SIDHistory