Friday, 12 July 2013

Why a Forest is the Security Boundary in AD (SID Filtering flaw)

Initially, the domain was seen as the security boundary in Active Directory.
However, following discovery of the SID filtering flaw, this has been changed so that the security boundary is now defined at the forest level.

The SID filtering flaw is this:
A trusting domain does not verify that the trusted domain is authoritative for all of the SIDs in the authorisation data. Therefore, if an attacker can populate SIDHistory with SIDs manually, they could elevate their permissions in any trusting domain, even to the point where they could add the SIDs for a domain admin in a trusting domain into their authorisation data.
Within a forest, the trust arrangements mean that SID filtering is not appropriate.
In order to do this an attacker would have to:

  • possess administrative privileges in the trusted domain.
  • have enough technical knowledge to modify low level OS functions and data structures: SIDHistory does not come with any programming interfaces that would allow an attacker to populate it manually, even if they have admin rights. Therefore the attacker needs to perform a binary edit of the SIDHistory data structures.
With SID filtering, the DCs in the trusting domain remove all SIDs that are not relative to the trusted domain from any authorisation data received from that domain.
So removing SID filtering is a risky step to take as it extends the security boundary outside of the forest.

No comments:

Post a Comment