SID Filtering Enable on Domain Level - Windows 2012

  • Question

  • Hello Experts,

    I have a single AD forest, 1 root domain and 4 child domains, which have parent-child trusts with each other.

    Windows 2012 Functional Level

    We found in a security tool that SID Filtering is not enabled on the 4 child domains.

    Please suggest whether there is any risk of enabling SID Filtering at domain level, and how to do that from the root domain to the child domains.
    An early response will be really appreciated.

    Thanks, NG

    Saturday, September 5, 2020 7:35 AM

All replies

  • Hi,

    SID filtering prevents any foreign SIDs stored in the SIDHistory attribute from being included in the access token. So, if anything, enabling SID Filtering makes your AD infrastructure *more* secure. Too lazy to check right now but I think it's enabled by default on trusts within a forest.


    Evgenij Smirnov

    http://evgenij.smirnov.de


    Saturday, September 5, 2020 7:49 AM
  • Hello Evgenij,

    I really appreciate your prompt response.

    Actually, my question is more specific to a single forest only, where in one of the security assessment tools we have found that SID filtering is not enabled between the root and child domains.

    So will enabling SID filtering between parent and child cause any issue?

    What I know is that parent and child domains automatically have a two-way parent-child trust. Is SID filtering basically more for untrusted domains?

    Please can you confirm this for a single-forest structure only.

    Many thanks for your response


    Thanks, NG

    Saturday, September 5, 2020 12:01 PM
  • Also, to add to this: a few years back it might have been disabled for some migration reason. Now there is no migration going on across the forest.


    Thanks, NG

    Saturday, September 5, 2020 12:03 PM
  • You need to check whether SIDHistory is still populated. You're supposed to clean it out after a migration is complete but it gets forgotten more often than not in my experience.

    If you've still got SIDHistory values in user or group objects, you're going to have to determine whether they might still be used to access resources. And if this should be the case, you'll have to leave SID filtering deactivated until this has been straightened out.

    If you don't have any SIDHistory values anywhere, you're good to activate SID filtering on your trusts, this won't have any impact at all.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Saturday, September 5, 2020 2:29 PM
  • I am here referring to a single forest, and SID History is there because users moved across child domains or the parent domain. But it is limited to a single forest.

    So do we foresee any impact? Will SID History be cleared in parent-child domains?

    Or will SID history be cleared for untrusted or foreign domains?


    Thanks, NG

    Sunday, September 6, 2020 9:48 AM
  • If a trust has SID filtering enabled, any SIDHistory coming over that trust will be discarded.

    Evgenij Smirnov

    http://evgenij.smirnov.de

    Sunday, September 6, 2020 9:55 AM
  • Meaning a forest trust with another forest?

    Will this affect parent-child trust SID history? Those already have a transitive two-way trust.

    My intention is to know whether it will affect anything or break the parent-child trust.

    Thank you so much for replying to me. It would be really appreciated if my query could be answered; I will then be worry-free and enable this.


    Thanks, NG

    Sunday, September 6, 2020 10:13 AM
  • Hi,

    You need to read and try to understand my reply from yesterday. If

    • Account A in Domain X has SID History populated (wherever those other SIDs originally come from)
    • Account A needs to access resources in Domain Y (regardless of X and Y belonging to the same forest or to different forests)
    • The permissions for Account A on those resources have been granted using a SID from the history and not the actual SID of Account A (you need to figure out what these resources may be and how to dump permissions from them to check for foreign SIDs)

    then enabling SID filtering between X and Y will break this access. If the SIDs from the history are not being used to grant permissions, enabling SID filtering breaks nothing and helps reduce size of the access token.

    I hope you can understand now why nobody can tell you whether it will break something or not. It's not purely AD-related; permissions on file servers, SQL servers, Exchange and whatever else you have can play a role here.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Sunday, September 6, 2020 11:05 AM
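    The checks described in the two replies above (is SIDHistory still populated, and are any resource permissions granted to a historical SID rather than the account's current SID), as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory RSAT module, an account that can read every domain in the forest, and a placeholder share path to audit.

    ```powershell
    # Added example (not from the thread): inventory SID-filtering state and SIDHistory usage
    # before switching quarantine on. $SharePath is an assumed placeholder; point it at a resource
    # whose permissions you want to audit (repeat for file servers, SQL, Exchange, etc.).
    Import-Module ActiveDirectory

    $SharePath = '\\fileserver.example.com\data'   # placeholder

    # 1. Per trust: is SID filtering (quarantine) already on? Parent-child trusts are listed too.
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADTrust -Filter * -Server $domain |
            Select-Object @{n='TrustingDomain';e={$domain}}, Name, Direction,
                          SIDFilteringQuarantined, SIDFilteringForestAware
    }

    # 2. Per domain: which users and groups still carry sIDHistory values?
    $historySids = @{}
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -Server $domain -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
            ForEach-Object {
                foreach ($sid in $_.sIDHistory) {
                    $historySids[$sid.Value] = $_.DistinguishedName
                }
            }
    }
    "{0} historical SIDs found across the forest" -f $historySids.Count

    # 3. On a resource: is any ACE granted to one of those historical SIDs? These are the
    #    permissions that stop working once the trust filters SIDHistory; re-ACL them to the
    #    account's current SID before enabling quarantine.
    $acl = Get-Acl -Path $SharePath
    foreach ($ace in $acl.Access) {
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $aceSid = $ace.IdentityReference.Value }   # already a raw or unresolvable SID
        if ($historySids.ContainsKey($aceSid)) {
            [pscustomobject]@{
                Path          = $SharePath
                HistoricalSid = $aceSid
                Rights        = $ace.FileSystemRights
                GrantedTo     = $historySids[$aceSid]
            }
        }
    }

    # When no such ACEs remain, quarantine is enabled per trust on the trusting side, e.g.
    #   netdom trust child.example.com /domain:example.com /quarantine:Yes
    # (domain names are placeholders; run it for each trust direction you want filtered).
    ```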
  • Hello Evgenij,

    I have also discussed this with a Microsoft engineer by opening a Premier case, and as per them, if I enable SID filtering within the forest, meaning between the root and child domains, it will not impact anything with removal of SID history from users or groups, because there is already a parent-child trust.

    As per them, enabling SID Filtering only affects the removal of SID history for untrusted domains, which applies to different forests.

    As per them, below is the statement from Microsoft... can you check and suggest further?

    As we discussed, all your 4 child domains and the parent domain have a two-way transitive parent-child trust created, as it's an automatic process.

    A transitive, two-way parent-child trust relationship is automatically created and establishes a relationship between a parent domain and a child domain whenever a new child domain is created using the AD DS installation process within a domain tree. They can only exist between two domains in the same tree with the same contiguous namespace (in our case, domain A). The parent domain is always trusted by the child domain.

    Trust communication flow is determined by the direction of the trust. The trust can be a one-way or a two-way trust. And the transitivity determines whether a trust can be extended beyond the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a non-transitive trust can be used to deny trust relationships with other domains.

    By the above definition, in our case all the 4 child domains trust each other and also the parent domain A.

    So enabling SID filtering will not impact anything, as all domains already trust each other.

    For example, a user in domain B is accessing resources in domain A; it will be able to access the resources as a two-way trust is established between the two. Now, if the user was previously a member of domain C, or still has membership of groups in domain C, and was moved to domain B, and there is no trust between domain A and C, then while accessing resources in domain A from domain B, the trust with SID filtering will remove the SID of the user associated with domain C and its groups, which are not trusted by domain A.


    Thanks, NG

    Sunday, September 6, 2020 12:23 PM
  • Sorry, I can't add anything more to what has already been said. SID filtering is not about somehow magically 'trusting' a foreign SID depending on what domain it's from, it's about that foreign SID being contained in the access token - or not.


    Evgenij Smirnov

    http://evgenij.smirnov.de


    Sunday, September 6, 2020 1:09 PM
  • So according to you, it means that between parent and child also, if a user has SID history from a different domain in the same forest, that will be removed after SID filtering is enabled.

    Thanks, NG

    Sunday, September 6, 2020 3:02 PM