Guarding Against Privilege Elevation on Windows 2000 and Windows NT

According to Microsoft Security Bulletin (MS02-002), which Microsoft released on January 30,administrators in one Win2K or NT 4.0 domain can elevate their privileges in a trusted domain without the permission of administrators in the trusted domain. Microsoft has developed a mechanism called Security Identifier (SID) Filtering to help prevent this type of unauthorized privilege elevation. In summary, the new mechanism filters out all SIDs that don't identify a genuine user in the trusted domain. For SID Filtering to become effective, administrators must install the mechanism on all domain controllers (DCs) in a given domain. You can learn more about this risk by reading the Microsoft article, "Forged SID Could Result in Elevated Privileges in Windows 2000," and the Microsoft white paper, "Using Security Identifier (SID) Filtering to Prevent Elevation of Privilege Attacks."

The SID filter first became available in Service Pack 2 (SP2) for Win2K; however, that version didn't protect against privilege elevation. Aelita Software said it worked closely with Microsoft to find a solution for the domain trust vulnerability, culminating in the development of a more fully featured SID filter mechanism that's now part of the Security Rollup Package (SRP) for Win2K.

Aelita's "Protecting Active Directory from Domain Trust Vulnerability," which you can find on Aelita's Web site in HTML and PDF format, explains the nature of the vulnerability. The document gives a brief overview of the Windows security model, explains the domain trust vulnerability in some detail, and discusses the ramifications of the problem--including the impact on AD designs.

On January 30, we reported that Microsoft released a white paper, "Design Considerations for Delegation of Administration in Active Directory," that implies that designers should strongly consider using multiple forests, rather than one forest and multiple domains, to help protect their networks. The release of the white paper coincides with the release of Bulletin MS02-002--both were issued on the same day. Although it's suspicious that the company's white paper doesn't mention the bulletin, Aleita points out that Microsoft's white paper does vaguely elude to the dangers: "Although system software attacks and physical modifications to the directory database appear difficult, only one highly sophisticated attacker needs to build tools for attack. Once the tools are created, they can be distributed to any administrator."

Aelita said it's in the process of developing a white paper, "Best Practices for Designing a Secure Active Directory ," which should be available soon on the company's Web site. People interested obtaining the white paper can go to the site and register to be notified when the document becomes available.