
Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.


Overview

Finding ID: V-8538
Version: AD.0190
Rule ID: SV-9035r3_rule
IA Controls: ECAN-1, ECCD-1, ECCD-2
Severity: Medium
Description
Under some circumstances it is possible for attackers or rogue administrators who have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights. To help prevent this type of attack, SID filter quarantining is enabled by default on all external trusts. However, an administrator can change this setting, or the trust may have been created in an older version of AD.

SID filtering causes SID references that do not refer to the directly trusted domain or forest to be removed from inbound access requests in the trusting domain. Without SID filtering, access requests could contain spoofed SIDs, permitting unauthorized access. Also, in cases where access depends on SID History or Universal Groups, failure to enable SID filtering could result in operational problems, including denial of access to authorized users.

When the quarantine switch is applied to external or forest trusts, only those SIDs from the single, directly trusted domain are valid. In effect, enabling /quarantine on a trust relationship breaks the transitivity of that trust, so that only the specific domains on either side of the trust are considered participants in the trust.
STIG: Active Directory Domain Security Technical Implementation Guide (STIG)
Date: 2011-05-12

Details

Check Text (C-7700r2_chk)
1. Start the Active Directory Domains and Trusts console (Start, Run, "domain.msc").

2. Select the left pane item that matches the name of the domain being reviewed.

3. Right-click the domain name and select the Properties item.

4. On the domain object Properties window, select the Trusts tab.

5. Use the following command to verify the quarantine setting for each trust, where <trusting_domain> is the domain being reviewed and <trusted_domain> is the partner domain listed on the Trusts tab:
netdom trust <trusting_domain> /d:<trusted_domain> /quarantine

6. If the output of the netdom commands indicates that SID filtering is not enabled for each trusting external or forest trust, then this is a finding.
Fix Text (F-8065r2_fix)
Enable SID filtering on all external or forest trusts. You can enable SID filter quarantining only from the trusting side of the trust. Enter the following line from a command line, where <trusting_domain> is the domain being configured, <trusted_domain> is the partner domain, and /usero and /passwordo supply an account with administrative rights in the trusting domain:

netdom trust <trusting_domain> /d:<trusted_domain> /quarantine:Yes /usero:<user> /passwordo:<password>
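As an added example that is not part of the STIG text, the PowerShell script below performs the check above with the ActiveDirectory module instead of the Domains and Trusts console: it lists every trust object of the trusting domain with its SIDFilteringQuarantined and SIDFilteringForestAware flags, marks as a finding each external or forest trust (where this domain is the trusting side) that lacks quarantining, and can apply the Fix Text netdom command to those trusts. It assumes the RSAT ActiveDirectory module is installed and that the caller holds administrative rights in the trusting domain; the function names Test-SidFilteringFinding and Invoke-SidFilteringFix and the -Remediate switch are this example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example for V-8538 (not from the STIG): audit SID filter quarantining on
# the trusts of one domain and, optionally, apply the Fix Text netdom command.
# Assumes RSAT's ActiveDirectory module and admin rights in the trusting domain.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Trusting domain to review; defaults to the domain of the current session.
    [string]$TrustingDomain = (Get-ADDomain).DNSRoot,
    # When set, run "netdom trust ... /quarantine:Yes" on each failing trust (honours -WhatIf).
    [switch]$Remediate
)

function Test-SidFilteringFinding {
    # Returns one object per trust object in the trusting domain.
    # In scope for V-8538: trusts where this domain is the trusting side
    # (Outbound or BiDirectional) and the partner is outside this forest
    # (external or forest trusts). Intra-forest trusts are listed but never flagged.
    param([Parameter(Mandatory)][string]$Domain)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $trusting = $_.Direction.ToString() -in @('Outbound', 'BiDirectional')
        $inScope  = $trusting -and (-not $_.IntraForest)
        [pscustomobject]@{
            TrustingDomain          = $Domain
            TrustedDomain           = $_.Target
            Direction               = $_.Direction.ToString()
            ForestTransitive        = [bool]$_.ForestTransitive
            SIDFilteringQuarantined = [bool]$_.SIDFilteringQuarantined
            SIDFilteringForestAware = [bool]$_.SIDFilteringForestAware
            InScope                 = $inScope
            # Finding per the Check Text: an in-scope trust without quarantining.
            IsFinding               = $inScope -and (-not $_.SIDFilteringQuarantined)
        }
    }
}

function Invoke-SidFilteringFix {
    # Runs the Fix Text command from the trusting side. Without /usero and
    # /passwordo, netdom runs under the caller's current credentials.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Trusting,
        [Parameter(Mandatory)][string]$Trusted
    )
    $target = "$Trusting -> $Trusted"
    if ($PSCmdlet.ShouldProcess($target, 'netdom trust /quarantine:Yes')) {
        & netdom.exe trust $Trusting "/d:$Trusted" /quarantine:Yes
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "netdom exited with $LASTEXITCODE for trust $target"
        }
    }
}

$results = Test-SidFilteringFinding -Domain $TrustingDomain
$results | Format-Table TrustedDomain, Direction, ForestTransitive,
    SIDFilteringQuarantined, SIDFilteringForestAware, InScope, IsFinding -AutoSize

$findings = @($results | Where-Object { $_.IsFinding })
if ($findings.Count -eq 0) {
    Write-Output "V-8538: SID filtering is enabled on every in-scope trust of $TrustingDomain (not a finding)."
}
else {
    Write-Output "V-8538: $($findings.Count) in-scope trust(s) of $TrustingDomain lack SID filter quarantining (finding)."
    if ($Remediate) {
        foreach ($f in $findings) {
            # The STIG's own caveat applies here: quarantining a forest trust removes
            # its transitivity, so review ForestTransitive trusts before remediating.
            Invoke-SidFilteringFix -Trusting $f.TrustingDomain -Trusted $f.TrustedDomain
        }
    }
}
```

Saved under any name (for instance Check-SidFiltering.ps1), run it once without switches to obtain the report for the domain being reviewed, then with -Remediate -WhatIf to see which netdom commands would be issued before running -Remediate for real. The table shows ForestTransitive alongside the quarantine flag because, as the Description notes, enabling /quarantine on a forest trust makes only the two directly trusting domains participants in that trust; that is the operational consequence a reviewer should confirm is acceptable before applying the fix.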