It actually came up about 4.5 years ago and was fixed in Win2K SP2- at least
the particular item to which you refer. :-) However, domains are still not,
and never have been, security boundaries in AD, as there are other ways to
use one domain to damage other domains or the entire forest.
SID filtering is unwieldy, unnecessary and inappropriate for the issue to
which you are referring, which was the spoofing of the SIDHistory attribute
on an account from one domain in the forest to use against another domain in
the forest.
So, in a nutshell, the vulnerability to which you refer is quite old.
HTH,
Laura
> -----Original Message-----
> From: Nolan, Tim [mailto:NolanTim (at) bfusa (dot) com [email concealed]]
> Sent: Monday, March 07, 2005 11:33 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: SID Manipulation Issue - Cross Domain Security
> Vulnerabilities
>
>
> Does anyone know if there has been anything done by Microsoft
> regarding the SID manipulation issue? This came up a year or
> two ago, and it basically meant that the domain was no longer
> the security boundary. As I recall, manipulation of a SID in
> one domain could be performed to obtain permissions on
> another domain within the same forest.
>
> Is anyone aware if any patch, hotfix, service pack or
> whatever might have been issued to resolve this
> vulnerability? Are there any workarounds?
>
> Another question is around SID filtering - is this an
> effective countermeasure? Or is it really impractical for
> very large domains with frequent changes?
>
> Thanks for any help or info you might have on this....
>
>
> Tim
>
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------
>
>
the particular item to which you refer. :-) However, domains are still not,
and never have been, security boundaries in AD, as there are other ways to
use one domain to damage other domains or the entire forest.
SID filtering is unwieldy, unnecessary and inappropriate for the issue to
which you are referring, which was the spoofing of the SIDHistory attribute
on an account from one domain in the forest to use against another domain in
the forest.
So, in a nutshell, the vulnerability to which you refer is quite old.
HTH,
Laura
> -----Original Message-----
> From: Nolan, Tim [mailto:NolanTim (at) bfusa (dot) com [email concealed]]
> Sent: Monday, March 07, 2005 11:33 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: SID Manipulation Issue - Cross Domain Security
> Vulnerabilities
>
>
> Does anyone know if there has been anything done by Microsoft
> regarding the SID manipulation issue? This came up a year or
> two ago, and it basically meant that the domain was no longer
> the security boundary. As I recall, manipulation of a SID in
> one domain could be performed to obtain permissions on
> another domain within the same forest.
>
> Is anyone aware if any patch, hotfix, service pack or
> whatever might have been issued to resolve this
> vulnerability? Are there any workarounds?
>
> Another question is around SID filtering - is this an
> effective countermeasure? Or is it really impractical for
> very large domains with frequent changes?
>
> Thanks for any help or info you might have on this....
>
>
> Tim
>
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> -------------
>
>
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]