SID Filtering

In Windows Server 2003 Security Rollup Package 1 (SRP1), Microsoft introduced SID filtering to prevent elevation-of-privilege attacks. SID filtering causes the domain controllers (DCs) in a trusting domain to remove all SIDs that aren't members of the trusted domain. In other words, if a user in a trusted domain is a member of groups in other domains in the forest, the trusting domain will remove those groups' SIDs from the user's access token. (For more information about SID filtering and the problems it can cause, see the Microsoft article "MS02-001: Forged SID could result in elevated privileges in Windows 2000" at http://support.microsoft.com/?kbid=289243.)

SID filtering is disabled by default in Windows 2000 pre-Service Pack 4 (SP4) and in Windows NT 4.0. However, SID filtering is enabled by default in Windows 2003 and Win2K SP4. This situation can cause problems if you need to break and reestablish trusts that you created before SP4.

Consider the following example. NT 4.0 users in your trusted domain access resources in your trusting domain. Some of these resources have groups that belong to other domains in the trusted forest in their ACL. Users have access to these resources because they're members of these groups. This situation works until you break and reestablish the trust with this resource domain. Users then receive Access denied messages on some resources.

You might not know whether SID filtering affects your organization until you need to break and reestablish trusts. To determine whether SID filtering might cause problems, log on as a user account from the trusted domain and run the Microsoft Windows 2000 Server Resource Kit's WhoAmI utility on a trusting domain resource, as follows:

whoami /groups

If SID filtering is enabled, WhoAmI's output will show that the user account is missing some of the groups the account is a member of.

Another way to determine whether SID filtering is enabled is to open a command prompt from a domain administrator account in the trusting domain and enter

nltest /server:<DC in trusting domain> /domain_trusts

The output will display a list of trusts for the domain. If one of the Direct Outbound trusts shows <Attr: filtered >, SID filtering is active for that trust. If you use Windows 2003's New Trust Wizard to create a trust, the wizard explicitly tells you that SID filtering is enabled.

You can use Windows 2003's or Win2K SP4's Netdom to disable SID filtering. Log on to a DC in the trusting domain with an account that has domain administrator rights. From a Win2K SP4 server, go to a command prompt and enter

netdom trust <trusting domain> /domain:<trusted domain> /FilterSIDs:no

From a Windows 2003 server, enter

netdom trust <trusting domain> /domain:<trusted domain> /quarantine:no

SID filtering will then be disabled.

—Sean Deuby
sdeuby@windowsitpro.com

End of Article