
Wednesday, April 22, 2009

Inter-Forest migration. Trust requirements

This short article describes the trust prerequisites for passing SID history across an inter-forest trust (enabling SID history and disabling SID filtering), which in turn allows migrated users to keep accessing their resources in the source domain.

Create a forest trust between the two forests.
Enable SID history on the trust:
[Code]
NETDOM TRUST /Domain: /EnableSIDHistory:Yes /UserO: /PasswordO:
[/Code]
Verify the setting by running the same command without a value on the /EnableSIDHistory switch.
[Code]
NETDOM TRUST /Domain: /EnableSIDHistory /UserO: /PasswordO:
[/Code]
Which returned:
[Code]
SID History is enabled on this Trust
[/Code]
When a security principal is migrated from one forest to the other it gets a new SID from the target domain. When SID history is enabled, the old SID is added to the sIDHistory attribute of the principal. At logon the SIDs in sIDHistory are placed in the user's access token alongside the new SID (for Kerberos they travel in the PAC of the ticket), so when the user accesses a share in the source forest an ACL entry that still references the old SID matches and the user is validated there.

Enabling SID history alone is not enough: a Windows Server 2003 forest has SID filtering enabled by default.

Security principals in Active Directory have an attribute called sIDHistory, to which domain administrators can add users' old security identifiers (SIDs). This is useful during Active Directory migrations because administrators do not need to modify access control lists (ACLs) on large numbers of resources, and users can keep using their old SIDs to access them. However, an attacker or rogue administrator who has compromised a domain controller in a trusted domain can use the same attribute to associate arbitrary SIDs (for example the SID of a privileged group in the trusting domain) with new user accounts, granting themselves unauthorized rights.

To help prevent this type of attack, Windows Server 2003 automatically enables SID filter quarantining on all external trusts that are created by a Windows Server 2003 domain controller. External trusts created using domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or earlier must be configured manually to enable SID filter quarantining. SID filtering is also enabled by default on a forest trust between two forests. So, to let the SID history pass across the trust, SID filtering has to be disabled on that trust. (On a forest trust the /EnableSIDHistory switch above is the one Microsoft documents for relaxing SID filtering; /Quarantine controls the stricter quarantine that is applied to external trusts, and this article turns that off as well.) SID filtering can be disabled with the following command:
[Code]
NETDOM TRUST /Domain: /Quarantine:No /UserO: /PasswordO:
[/Code]
Again you can verify the status by running the same command without specifying a value for the /Quarantine switch:
[Code]
NETDOM TRUST /Domain: /Quarantine /UserO: /PasswordO:
[/Code]

Note: Disabling SID filtering and enabling SID history creates a large security risk and opens a big attack surface on both forests, because a compromised domain controller in either forest can then inject SIDs that the other forest will honour. Therefore it is advisable to complete the migration as quickly as possible. It is understandable that you leave the old environment running for a longer time once the migration has completed, but be sure to enable the filtering again once all resources have been moved to the target forest. Keep in mind that re-enabling filtering immediately breaks access for any migrated user whose resources still rely on the old SID, so re-ACL those resources first.

Disabling SID history:
[Code]
NETDOM TRUST /Domain: /EnableSIDHistory:No /UserO: /PasswordO:
[/Code]
Enabling SID filtering:
[Code]
NETDOM TRUST /Domain: /Quarantine:Yes /UserO: /PasswordO:
[/Code]
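As an added example that is not part of the original post, the PowerShell script below checks the trust state that the netdom commands above configure, and then audits the target domain for sIDHistory entries that should not be there: SIDs from the target domain itself, SIDs not issued by the source domain, or well-known privileged RIDs. That is exactly what the rogue-administrator scenario described above produces. It needs the ActiveDirectory module (RSAT) and read access to both domains. The domain names are placeholders, and the mapping of the two Get-ADTrust properties to the netdom switches is my reading of the module, not something stated on the page.

```powershell
# Added example, not part of the original post: audit the trust state that the
# netdom commands above configure and look for sIDHistory values that should
# not be there. Needs the ActiveDirectory module (RSAT) and read access to
# both domains. The domain names are assumptions; replace them with your own.
Import-Module ActiveDirectory

$TargetDomain = 'target.example'   # assumed: domain the accounts were migrated to
$SourceDomain = 'source.example'   # assumed: domain the accounts came from

function Get-TrustSidFilteringState {
    param([string]$Domain, [string]$TrustedDomain)
    # Get-ADTrust exposes the two flags netdom toggles:
    #   SIDFilteringQuarantined  - the /Quarantine state
    #   SIDFilteringForestAware  - the /EnableSIDHistory state on a forest trust
    # (this mapping is my reading of the ActiveDirectory module; verify it
    # against your own environment before relying on it)
    Get-ADTrust -Identity $TrustedDomain -Server $Domain |
        Select-Object Name, Direction, ForestTransitive,
                      SIDFilteringQuarantined, SIDFilteringForestAware
}

function Find-SuspiciousSidHistory {
    param([string]$Domain, [string]$SourceDomain)
    # During a migration the only SIDs that legitimately belong in sIDHistory
    # are SIDs issued by the source domain. Anything else is what the rogue
    # administrator scenario produces: a SID from the target domain itself,
    # a SID from an unrelated domain, or a well-known privileged RID.
    $sourceSid = (Get-ADDomain -Identity $SourceDomain).DomainSID.Value
    $targetSid = (Get-ADDomain -Identity $Domain).DomainSID.Value
    # 500 Administrator, 512 Domain Admins, 516 Domain Controllers,
    # 518 Schema Admins, 519 Enterprise Admins
    $privilegedRids = 500, 512, 516, 518, 519

    $objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Server $Domain -Properties sIDHistory
    foreach ($obj in $objects) {
        foreach ($entry in $obj.sIDHistory) {
            $sid = [System.Security.Principal.SecurityIdentifier]$entry
            # AccountDomainSid is $null for non-domain SIDs such as BUILTIN\...
            $domainPart = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '' }
            $rid = [int]($sid.Value.Split('-')[-1])
            $reason = $null
            if ($domainPart -eq $targetSid) {
                $reason = 'SID from the target domain itself'
            } elseif ($domainPart -ne $sourceSid) {
                $reason = 'SID not issued by the source domain'
            } elseif ($privilegedRids -contains $rid) {
                $reason = 'well-known privileged RID in sIDHistory'
            }
            if ($reason) {
                [pscustomobject]@{
                    Object     = $obj.DistinguishedName
                    HistorySid = $sid.Value
                    Reason     = $reason
                }
            }
        }
    }
}

Get-TrustSidFilteringState -Domain $TargetDomain -TrustedDomain $SourceDomain | Format-List
Find-SuspiciousSidHistory  -Domain $TargetDomain -SourceDomain $SourceDomain | Format-Table -AutoSize
```

Run it before disabling SID filtering (to get a baseline), periodically while the trust is open, and once more before re-enabling filtering. If the source forest has more than one domain, extend the allowed-domain check to the SIDs of all source domains, or legitimate entries from child domains will show up as findings.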
