This article guides professionals on how to securely configure an Active Directory domain to use only authentication data of directly trusted external or forest trust.
Implementing this control should be considered at a minimum as medium importance.
- G5 Cyber Security can scan your entire network for security vulnerabilities, guide you to resolve them, and more. Please contact us here to get started.
How to implement this security control
This can be implemented by:
- Enabling SID filtering on all external trusts. You can enable SID filtering only from the trusting side of the trust.
- Disabling SID history for all Forest trusts.
Enabling SID filtering on all external trusts
Enter the following line from a command line:
netdom trust [TrustingDomainName] /d:[TrustedDomainName] /quarantine:Yes /usero:[DomainAdministratorAcct] /passwordo:[DomainAdminPwd]
Disabling SID history for all Forest trusts.
You can disable SID history only from the trusting side of the trust. Enter the following line from a command line:
netdom trust [TrustingDomainName] /d:[TrustedDomainName] /enablesidhistory:No /usero:[DomainAdministratorAcct] /passwordo:[DomainAdminPwd]
How to verify this security control is implemented
You can verify that Security identifiers (SIDs) are properly configured as recommended by doing the following:
- Open "Active Directory Domains and Trusts" (Available from various menus or run "domain.msc".)
- Right-click the domain in the left pane and select Properties.
- Select the Trusts tab. Note any existing trusts and the type.
If the trust type is External, run the following command on the trusting domain:
netdom trust [trusting domain] /d:[trusted domain] /quarantine
Note: You should see the result "SID filtering is enabled for this trust. Only SIDs from the trusted domain will be accepted for authorization data returned during authentication. SIDs from other domains will be removed."
If the trust type is Forest, run the following command on the trusting domain:
netdom trust [trusting domain] /d:[trusted domain] /enablesidhistory
Note: You should see the result "SID history is disabled for this trust".
Why you should implement this security control
Under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights.
To help prevent this type of attack, SID filter quarantining is enabled by default on all external trusts. However, it is possible for an administrator to change this setting or the trust may have been created in an older version of AD.
SID filtering causes SID references that do not refer to the directly trusted domain or forest to be removed from inbound access requests in the trusting domain. Without SID filtering, access requests could contain spoofed SIDs, permitting unauthorized access.
In cases where access depends on SID history or Universal Groups, failure to enable SID filtering could result in operational problems, including denial of access to authorized users.
When the quarantine switch is applied to external or forest trusts, only those SIDs from the single, directly trusted domain are valid. In effect, enabling /quarantine on a trust relationship will break the transitivity of that trust so that only the specific domains on either side of the trust are considered participants in the trust.