I know that this topic was brought up a few weeks ago, but we have been doing some research internally on this issue and have reached some disturbing conclusions.
First of all, when Microsoft introduced the Windows 2000 domains within a forest structure, the domains were introduced as security and replication boundaries. If you had a situation where you needed to keep two divisions of your company completely separate from each other, you could create two domains. Each division could have complete control over their domain and not be able to affect the other. Since they are all part of the same forest, they are able to share a common global catalog, and more importantly a common Exchange 2000 address book. This understanding has been the basis for Windows 2000 designs for the past two years.
Now, Aelita Software has identified a bug that affects this model. Specifically, if you are an administrator for Domain A, and you have a means of modifying the SIDHistory attribute, you could insert the SID from Domain B's Domain Administrator account into yours. This would then give you Administrative level access to Domain B and violate the security barrier. The original whitepaper from Aelita can be found at http://www.aelita.com/solutions/ADSecurity/SIDH_implications.htm .
Microsoft issued a response and an analysis of the problem in MS02-001. Basically, they acknowledged it was a problem but decided it was not too severe. They did release a patch to prevent the SIDHistory value from being read, but it cannot be used between domains within the same forest as it would break replication. Their analysis was that it would be very difficult to manipulate the SIDHistory value. Their recommendation was that if this issue was a problem, separate forests should be considered.
This is not a very good answer for a couple of reasons. First of all, most of the third-party tool vendors have methods of manipulating the SIDHistory value as part of their migration suites. This proves that it can be done, so it is only a matter of time before a program is developed to do this. Secondly, Windows 2000 security permits authenticated users of one domain to do an LDAP query to another domain to obtain the SID of any object. This makes it trivial to both locate an administrative SID and add it to a local user account. Microsoft's suggestion of multiple forests makes things such as global email directories and global catalogs difficult to implement. NetWare does not have this kind of privilege escalation problem and neither should Windows.
I recommend that the community push Microsoft to develop a means of disabling the SIDHistory between domains in a forest such that it does not affect replication and other things. Windows 2000 forests should be able to have domains that can be secured from each other. If Microsoft chooses not to do this, this represents a significant issue in designing a flexible Windows 2000 infrastructure.
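As an added illustration that is not part of the original post: since the MS02-001 filtering cannot be applied between domains of one forest, the remaining control is to review the attribute itself. The script below (Python, with constructed sample data, assuming objectSid and sIDHistory have already been exported in string form and that the list of in-forest domain SIDs is known) flags accounts whose sIDHistory points at another domain that is still live in the forest, and rates entries that carry a well-known privileged RID as high severity.

```python
import re

# Well-known RIDs of highly privileged principals (constructed shortlist).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<rid>: the first three
# sub-authorities identify the domain, the last one the account.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_identifier, rid) for a string-form domain SID."""
    match = DOMAIN_SID_RE.match(sid)
    if not match:
        raise ValueError(f"not a domain account SID: {sid}")
    return "-".join(match.group(1, 2, 3)), int(match.group(4))

def audit_sidhistory(accounts, forest_domains):
    """Flag sIDHistory values that point into another domain of the same forest.
    accounts: dicts with sAMAccountName, objectSid and a list of string SIDs under
    sIDHistory (as exported from AD). forest_domains maps each in-forest domain
    identifier to its name; SIDs of domains outside the forest are not reported.
    """
    findings = []
    for acct in accounts:
        own_domain, _ = split_sid(acct["objectSid"])
        for hist_sid in acct.get("sIDHistory", []):
            hist_domain, rid = split_sid(hist_sid)
            if hist_domain == own_domain or hist_domain not in forest_domains:
                continue
            privileged = rid in PRIVILEGED_RIDS
            findings.append({
                "account": acct["sAMAccountName"], "sid": hist_sid,
                "domain": forest_domains[hist_domain], "rid": rid,
                "severity": "high" if privileged else "medium",
                "reason": (f"history carries {PRIVILEGED_RIDS[rid]} of another forest domain"
                           if privileged else "history references a live domain in the same forest"),
            })
    return findings

# Constructed sample data: DomainA and DomainB share a forest; 7-8-9 is external.
FOREST = {"1-2-3": "DomainA", "4-5-6": "DomainB"}
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jsmith", "objectSid": "S-1-5-21-1-2-3-1105",
     "sIDHistory": ["S-1-5-21-4-5-6-512"]},
    {"sAMAccountName": "migrated", "objectSid": "S-1-5-21-1-2-3-1200",
     "sIDHistory": ["S-1-5-21-7-8-9-1300"]},
    {"sAMAccountName": "svc_report", "objectSid": "S-1-5-21-1-2-3-1300",
     "sIDHistory": ["S-1-5-21-4-5-6-1400"]},
]
```

Run against a real export, the medium findings are the ones to reconcile against migration records, and any high finding warrants immediate investigation.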
Jim Barrett, CISA, CCNP, MCSE, MCT Senior Consultant Microsoft Consulting Practice Lucent Technologies ESS 781-848-5500 ext. 445