It actually came up about 4.5 years ago and was fixed in Win2K SP2- at least
the particular item to which you refer. :-) However, domains are still not,
and never have been, security boundaries in AD, as there are other ways to
use one domain to damage other domains or the entire forest.
SID filtering is unwieldy, unnecessary and inappropriate for the issue to
which you are referring, which was the spoofing of the SIDHistory attribute
on an account from one domain in the forest to use against another domain in
the forest.
So, in a nutshell, the vulnerability to which you refer is quite old.
HTH,
Laura
-----Original Message-----
From: Nolan, Tim [mailto:NolanTim@bfusa.com]
Sent: Monday, March 07, 2005 11:33 AM
To: focus-ms@securityfocus.com
Subject: SID Manipulation Issue - Cross Domain Security
Vulnerabilities
Does anyone know if there has been anything done by Microsoft
regarding the SID manipulation issue? This came up a year or
two ago, and it basically meant that the domain was no longer
the security boundary. As I recall, manipulation of a SID in
one domain could be performed to obtain permissions on
another domain within the same forest.
Is anyone aware if any patch, hotfix, service pack or
whatever might have been issued to resolve this
vulnerability? Are there any workarounds?
Another question is around SID filtering - is this an
effective countermeasure? Or is it really impractical for
very large domains with frequent changes?
Thanks for any help or info you might have on this....
Tim
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
