SID History Filtering

Q: What is SID History Filtering?

A: SID History Filtering is a feature which makes it possible to filter out the SID History attribute for users authenticating over an interforest trust.

Q: Which OSes have this feature?

A: Windows Server 2003 and Windows 2000 Server post SP2 (I thought it was only in 2003 and I found out the hard way)

Q: Why do I need this?

A: Because SID History is a potential security risk: the attribute can be altered to gain access to resources which the user does not otherwise have access to.

Q: Could SID History filtering be a problem?

A: If you set up a trust between two domains for migration purposes, you will not be able to access resources in the old domain (I am talking from personal experience) with a migrated user.

Q: Is it turned on by default?

A: Yes

How do I turn off SID Filtering?

In Windows Server 2003:

      Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd

         TrustingDomainName The Domain Name System (DNS) name (or network basic input/output system (NetBIOS) name) of the trusting domain in the trust that is being created.
         TrustedDomainName The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
         domainadministratorAcct The user account name with the appropriate administrator credentials to modify the trust.
         domainadminpwd The password of the user account in domainadministratorAcct.

In Windows 2000:

      netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids:no
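Before or after touching the /quarantine setting you will want to know which trusts actually have SID filtering on. The PowerShell below is an added example, not part of the original post: it decodes the TrustAttributes bits of trust objects (the documented TRUST_ATTRIBUTE_* flags of the trustedDomain object) and flags external trusts whose quarantine bit has been cleared. The function name Get-SidFilteringStatus and the sample trust names are made up for this example; the real objects come from Get-ADTrust, which needs the ActiveDirectory module and rights to read the trusts.

```powershell
# Added example (not from the original post): report the SID filtering state of
# each trust from its TrustAttributes bits. Bit values are the documented
# TRUST_ATTRIBUTE_* flags of the trustedDomain object.
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering enforced ("/quarantine:Yes")
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8    # forest trust (filtered in forest-aware mode)
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # intraforest trust; SIDHistory is never filtered here

function Get-SidFilteringStatus {
    param(
        # Any object with Name, Direction and TrustAttributes, e.g. from Get-ADTrust -Filter *
        [Parameter(Mandatory, ValueFromPipeline)] $Trust
    )
    process {
        $attr        = [int]$Trust.TrustAttributes
        $quarantined = ($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0
        $forest      = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $intra       = ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST) -ne 0

        $kind = if ($intra) { 'Intraforest' } elseif ($forest) { 'Forest' } else { 'External' }

        # The /quarantine switch described above governs external trusts; an external
        # trust without the quarantine bit honours SIDHistory presented by the other side.
        $finding = if ($kind -eq 'External' -and -not $quarantined) {
            'SID filtering DISABLED - SIDHistory from the trusted domain is honoured'
        } elseif ($kind -eq 'External') {
            'SID filtering enabled'
        } else {
            'Not governed by /quarantine; review separately'
        }

        [pscustomobject]@{
            Trust           = $Trust.Name
            Direction       = $Trust.Direction
            Kind            = $kind
            TrustAttributes = ('0x{0:X}' -f $attr)
            Finding         = $finding
        }
    }
}

# Constructed sample trusts so the function can be tried without a domain
# (names and attribute values are made up for this example):
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'accdom.example';  Direction = 'BiDirectional'; TrustAttributes = 0x4 }  # external, quarantined
    [pscustomobject]@{ Name = 'resdom.example';  Direction = 'Outbound';      TrustAttributes = 0x0 }  # external, quarantine cleared
    [pscustomobject]@{ Name = 'partner.example'; Direction = 'BiDirectional'; TrustAttributes = 0x8 }  # forest trust
)
$sampleTrusts | Get-SidFilteringStatus | Format-Table -AutoSize

# Against a real domain (ActiveDirectory module required):
# Get-ADTrust -Filter * | Get-SidFilteringStatus | Where-Object Finding -like 'SID filtering DISABLED*'
```

The same state can be read with netdom itself: running the Windows Server 2003 command above with `/quarantine` and no Yes/No value displays the current quarantine setting instead of changing it. Whichever way you check, a trust that shows filtering disabled after a migration has finished is one to turn back on.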

Links

KB for Windows 2000 (289243)
Technet Article for 2003
Good Article on SID Filtering and SIDHistory
