SID Filtering Chinese version of bug

2025-04-06 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/02 Report--

It has been nearly a year since Lao Wang published the series of articles on migrating shared permissions. The file server migration series written back then looked complete, but honestly Lao Wang could only give himself 80 out of 100. Why? Because at the end, when I tested SID Filtering, I never saw the effect. It has bothered me ever since, and I always wanted to make up for it; now I finally have. SID Filtering is an isolation mechanism that filters the SID history carried by an account, so that a malicious user cannot bring SID history into a new forest environment. The actual test yields two conclusions.

1. SID Filtering is enabled by default on an external trust between forests. Test steps: domain controller A belongs to the contoso forest, domain controller B belongs to the apm forest, and an external trust is established between them. Forest A hosts a 2003 file server; domain user Stat in domain A is given Full Control on a shared folder. Stat is then migrated with ADMT to domain controller B in the APM forest. During the migration, make sure the option to migrate the SID history is checked, otherwise you will not see the effect. After the migration completes, the Stat user exists in the APM forest and already carries a SID history. The result: although the SID history was migrated, Stat in the APM forest cannot access the original shared folder in the Contoso forest. Going by intra-forest migration, Stat should be able to access the original share because the SID history was carried along, yet by default this clearly does not work across an external trust. Even though "migrate SID history" was checked in ADMT and the migrated user does have a SID history, the user cannot access the folders it used to access. This means SID filtering is in effect, and enabled by default.

What is SID filtering? Put simply, it prevents the SID history of a malicious user from being carried across when domain accounts are moved, and then being combined with group membership to escalate privileges. By default, Microsoft treats an external trust as relatively insecure, or relatively untrusted. This is also visible in trust transitivity: an external trust is non-transitive, whereas a forest trust is transitive in both directions. Lao Wang's earlier test also used an external trust environment, but it did not work; SID Filtering did not show any effect.

Now I understand: back then I had migrated the file server into the APM forest too. In short, both the resource and the account were in the target forest, and I tested access with the migrated account inside the same domain of the same forest. SID filtering naturally had no effect there. This time I migrated the file server back to the source forest: the resource is in the source forest and the account is in the target forest, so the account accesses a cross-forest resource and SID filtering is evaluated. Because the access no longer happens within the forest's own domains, SID filtering takes effect, and it is enabled by default.

The actual test concludes that SID filtering is enabled by default only on an external trust, and that for SID filtering to have any visible effect, the resource and the account must not be in the same domain. Also from actual testing: when the forest functional level is 2003 or higher, SID filtering can be enabled on parent-child trusts, tree-root trusts and forest trusts as well.
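To check the conclusions above in your own environment, the following PowerShell script (an added example, not part of the original article) enumerates every trustedDomain object of the current domain and decodes its trustAttributes bits, which is where the "quarantine" (SID filtering) state of an external trust is stored. It assumes the ActiveDirectory RSAT module is installed and that the caller can read CN=System of the domain; the flag values are those documented for trustAttributes in MS-ADTS. The `netdom trust ... /quarantine` command mentioned in the comments queries the same bit.

```powershell
# Added example (not from the original article): audit the SID filtering state of
# every trust of the current domain by decoding trustAttributes on the
# trustedDomain objects under CN=System. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# trustAttributes flag bits as documented in MS-ADTS
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x00000001
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004  # SID filter quarantine (external trusts)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x00000008  # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x00000020  # parent-child or tree-root trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x00000040  # forest trust relaxed to external-trust filtering

# Translate the flag combination into the SID filtering behaviour a defender cares about
function Get-SidFilteringState {
    param([int]$Attributes)
    if ($Attributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
        return 'intra-forest trust: SID history is not filtered'
    }
    if ($Attributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
        if ($Attributes -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) {
            return 'forest trust, TREAT_AS_EXTERNAL set: filtered like an external trust with quarantine off'
        }
        return 'forest trust, default: only SIDs of domains in the trusted forest are accepted'
    }
    if ($Attributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
        return 'external trust, quarantined (default): only the trusted domain''s own SIDs accepted, SID history dropped'
    }
    return 'external trust, quarantine OFF: SID history from the trusted domain is honoured (review!)'
}

# One row per trust: partner, direction, raw attributes and the decoded filtering state
function Get-TrustFilteringReport {
    $systemDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -SearchBase $systemDn -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustDirection, trustAttributes |
    ForEach-Object {
        [pscustomobject]@{
            Partner      = $_.trustPartner
            Direction    = $_.trustDirection          # 1 = inbound, 2 = outbound, 3 = bidirectional
            Attributes   = ('0x{0:X}' -f [int]$_.trustAttributes)
            Transitive   = -not ($_.trustAttributes -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            SidFiltering = Get-SidFilteringState -Attributes $_.trustAttributes
        }
    }
}

Get-TrustFilteringReport | Format-Table -AutoSize

# The same quarantine bit can be queried with netdom (replace the placeholders):
#   netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine
# and re-enabled, if someone switched it off, with /quarantine:yes
```

Run it on a domain controller (or a host with RSAT) in the trusting forest; in the article's lab this is the Contoso side, where the file server lives. An external trust that reports "quarantine OFF" is exactly the state in which a migrated account's SID history would be honoured, so it is worth recording who turned it off and why.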

2. SID filtering being enabled by default on an external trust is a good thing: I will not accept the SID history of any user migrated from the other forest. But what if I do want to accept that SID history again? How do you turn SID filtering off on an external trust, as you can on other trusts? Lao Wang spent a whole afternoon testing this, almost numb, trying all sorts of methods from abroad and reorganizing the approach. Changing the registry and replacing the netdom file did not solve the problem. After reading many articles by foreign experts, I found that they all did the same thing I did. Then I came across a German article, which was odd: the command the German ran had a parameter that differed from everyone else's. I guessed it might be a system language problem. Later someone replied that the command could not be executed in the German environment and that switching to the English language pack would fix it. I tried the same remedy: I downloaded and installed an English language pack, and it worked. The same command failed a hundred times in the Chinese environment and worked immediately once the English language pack was installed. I later posted this on the Chinese TechNet forum; unfortunately I did not get a response from Microsoft China.

In my environment, the two forests are each hosted by a 2008 R2 Chinese Standard Edition domain controller, and I have created an external trust between them.

By default, SID Filtering is already in effect.

When I tried to run the command to disable SID Filtering, the Chinese version of 2008 R2 executed it as shown below.

One command, three different parameters, but always the same reply:

SID filtering has been enabled for this trust. Authorization data returned during authentication

Only SID from trusted domains will be accepted.

SID for other domains will be deleted.

When I installed the English language pack on the system, changed the display language to English, and ran the same command again, I got the correct reply and could see the effect.

Technet forum post: https://social.technet.microsoft.com/Forums/zh-CN/e3e53a02-efd9-42cd-8a08-f8484ee9c418/2008r2-sid-filteringbug?forum=windowsserversystemzhchs

SID Filtering learning materials

https://morgansimonsen.com/2012/01/27/some-sid-filtering-notes/

https://blog.thesysadmins.co.uk/admt-series-3-sid-history.html

SID History and SID Filtering each have their own use cases, and the design intent is sound. If migrated users should still be able to access their previous files, ADMT can preserve the SID history. If, for security reasons, users migrated to the other side should no longer be able to access the original folders, it is enough to leave SID filtering enabled on the trust relationship.
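SID filtering only protects the trust boundary; SID history that is already inside a forest is honoured unconditionally, so a defender also wants to see which accounts carry it and where those old SIDs come from. The following PowerShell script (an added example, not the article's own code) lists every user or group with a sIDHistory value, classifies each historical SID as belonging to this forest, to a trusted domain, or to an unknown domain, and flags well-known privileged RIDs (500, 512, 518, 519). It assumes the ActiveDirectory RSAT module; the contoso/apm names from the article appear only in comments, as the script discovers the real domain SIDs at run time.

```powershell
# Added example (not from the original article): inventory sIDHistory across the
# domain and show where each historical SID originates. Assumes the
# ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

# Normalise the different ways the AD module may return a SID (object or raw bytes)
function ConvertTo-SidString($value) {
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { return $value.Value }
    if ($value -is [byte[]]) { return (New-Object System.Security.Principal.SecurityIdentifier($value, 0)).Value }
    return [string]$value
}

# Domain SIDs of every domain in our own forest, e.g. contoso.com in the article's lab
$forestDomainSids = @{}
foreach ($d in (Get-ADForest).Domains) {
    $forestDomainSids[(Get-ADDomain -Identity $d).DomainSID.Value] = $d
}

# Domain SIDs of trusted domains (securityIdentifier on the trustedDomain objects), e.g. apm
$trustedDomainSids = @{}
$systemDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
Get-ADObject -SearchBase $systemDn -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties trustPartner, securityIdentifier |
    Where-Object { $_.securityIdentifier } |
    ForEach-Object { $trustedDomainSids[(ConvertTo-SidString $_.securityIdentifier)] = $_.trustPartner }

# Well-known RIDs whose presence in a SID history deserves a closer look
$privilegedRids = @{ 500 = 'Administrator'; 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

function Get-SidHistoryReport {
    # Users and groups alike can carry sIDHistory, so search on the attribute, not the class
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sAMAccountName, objectClass, sIDHistory |
    ForEach-Object {
        $obj = $_
        foreach ($raw in $obj.sIDHistory) {
            $sidString = ConvertTo-SidString $raw
            $sid       = [System.Security.Principal.SecurityIdentifier]$sidString
            $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { '' }
            $rid       = [int]($sidString.Split('-')[-1])

            $origin = if ($forestDomainSids.ContainsKey($domainSid)) { "this forest ($($forestDomainSids[$domainSid]))" }
                      elseif ($trustedDomainSids.ContainsKey($domainSid)) { "trusted domain ($($trustedDomainSids[$domainSid]))" }
                      else { 'UNKNOWN domain' }

            [pscustomobject]@{
                Account    = $obj.sAMAccountName
                Class      = $obj.objectClass
                HistorySid = $sidString
                Origin     = $origin
                Privileged = if ($privilegedRids.ContainsKey($rid)) { $privilegedRids[$rid] } else { '' }
            }
        }
    }
}

Get-SidHistoryReport | Sort-Object Privileged, Origin -Descending | Format-Table -AutoSize
```

Run it in the target forest after an ADMT migration and you should see the migrated account (Stat in the article) with a history SID whose domain is reported as a trusted domain; a history SID from an unknown domain, or one ending in a privileged RID such as 512, is the pattern SID filtering exists to block at the trust boundary and is worth investigating when it shows up inside the forest.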
