13th Jan 2003 [SBWID-5931]
COMMAND
Active Directory privilege escalation: domain admins of one domain gain
access to all other domains in the forest
SYSTEMS AFFECTED
Active Directory, all releases (the tool below was only tested on Windows 2000)
PROBLEM
From Tibor Biro's web site:
http://www.tbiro.com/projects/SHEdit/index.htm
SHEdit is an offline editor for the SID History Active Directory
attribute. This tool goes around the limitation built into the
DsAddSidHistory API allowing an administrator in any domain to access
any other domains in the forest as any user.
How to use:
===========
- Get the SID for a user in the target domain.
- Reboot a domain controller in Directory Services Restore Mode.
- Backup NTDS.DIT (optional).
- Run SHEdit.
- Delete all LOG, EDB and CHK files from the %SYSTEMROOT%\NTDS folder. If you used the %SYSTEMROOT%\NTDS folder as your temporary folder then the tool cleaned up all these files for you.
- Perform an authoritative restore of the AD database if you have multiple domain controllers.
- Reboot the server. You should have the desired access on the target domain.
- Use the ClearSIDHistory.vbs script to delete the SID History attribute.
Limitations:
============
- only one SID History attribute is added, if you run the tool several times only the latest value will prevail.
- only tested on Windows 2000. If someone tests it on .NET please let me know.
Related links:
==============
Microsoft Security Bulletin MS02-001
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-001.asp
Protecting Active Directory from Domain Trust Vulnerability
http://www.aelita.com/library/whitepapers/AD_SIDH/Protecting_Active_Directory_from_Domain_Trust_Vulnerability.pdf
Using Security Identifier (SID) Filtering to Prevent Elevation of
Privilege Attacks
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
Design Considerations for Delegation of Administration in Active
Directory
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/addeladm.asp
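The procedure above leaves its trace in one place: the sIDHistory attribute of the account that was edited, which now carries a SID belonging to another domain. The following is an added example, not code from the advisory or from SHEdit, showing how a practitioner would audit for that condition offline. It decodes the binary SID format that ldifde exports as base64, reads a minimal LDIF dump, and flags every sIDHistory value that points into a live domain of the forest, with the Domain Admins / Enterprise Admins RIDs treated as critical. The forest domain SIDs, the account names and the export text are all constructed for the example; the tool name ldifde and the attribute names are real, the data is not.

```python
import base64
import struct

# Constructed forest for the example: two domains with made-up domain SIDs.
FOREST_DOMAINS = {
    "S-1-5-21-1004336348-1177238915-682003330": "corp.example.com",
    "S-1-5-21-3623811015-3361044348-30300820": "child.corp.example.com",
}

# RIDs whose presence in sIDHistory makes the holder a privileged principal
# of that domain (the advisory's case: Domain Admins of the target domain).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}


def sid_to_bytes(sid):
    """Encode 'S-R-A-s1-s2-...' into the binary layout AD stores: revision,
    sub-authority count, 48-bit big-endian authority, LE 32-bit sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(raw):
    """Inverse of sid_to_bytes: decode a binary SID to its string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid):
    """Split an account SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def parse_ldif(text):
    """Minimal LDIF reader: one dict per record, every attribute a list,
    'attr:: value' (base64) decoded to bytes, 'attr: value' kept as text."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records


def audit_sid_history(ldif_text):
    """Return (severity, dn, history SID, reason) per sIDHistory value. A
    history SID from a live domain of this forest is suspect, since
    DsAddSidHistory exists for migrations from other, usually retired, domains;
    a privileged RID in such a SID is the escalation itself."""
    findings = []
    for rec in parse_ldif(ldif_text):
        if "sIDHistory" not in rec:
            continue
        dn = rec["dn"][0]
        for raw in rec["sIDHistory"]:
            hist = sid_from_bytes(raw)
            hist_domain, rid = split_sid(hist)
            if hist_domain in FOREST_DOMAINS and rid in PRIVILEGED_RIDS:
                findings.append(("critical", dn, hist, "%s of %s" % (
                    PRIVILEGED_RIDS[rid], FOREST_DOMAINS[hist_domain])))
            elif hist_domain in FOREST_DOMAINS:
                findings.append(("review", dn, hist, "account in live forest domain %s"
                                 % FOREST_DOMAINS[hist_domain]))
            else:
                findings.append(("info", dn, hist,
                                 "domain outside the forest; check migration records"))
    return findings


def _b64(sid):
    return base64.b64encode(sid_to_bytes(sid)).decode()


# Constructed ldifde-style export (not real directory data): a legitimately
# migrated user, an account whose sIDHistory was planted with the root
# domain's Domain Admins SID, and an untouched user.
SAMPLE_EXPORT = """dn: CN=jdoe,CN=Users,DC=child,DC=corp,DC=example,DC=com
objectSid:: %s
sIDHistory:: %s

dn: CN=svc-backup,CN=Users,DC=child,DC=corp,DC=example,DC=com
objectSid:: %s
sIDHistory:: %s

dn: CN=asmith,CN=Users,DC=child,DC=corp,DC=example,DC=com
objectSid:: %s
""" % (_b64("S-1-5-21-3623811015-3361044348-30300820-1105"),
       _b64("S-1-5-21-4000000001-4000000002-4000000003-1033"),  # retired legacy domain
       _b64("S-1-5-21-3623811015-3361044348-30300820-1106"),
       _b64("S-1-5-21-1004336348-1177238915-682003330-512"),    # Domain Admins of the root domain
       _b64("S-1-5-21-3623811015-3361044348-30300820-1107"))

if __name__ == "__main__":
    for severity, dn, sid, reason in audit_sid_history(SAMPLE_EXPORT):
        print("%-8s %s  sIDHistory=%s  (%s)" % (severity, dn, sid, reason))
```

Against a real directory the input would come from something like `ldifde -f out.ldf -r "(sIDHistory=*)" -l objectSid,sIDHistory`; the FOREST_DOMAINS table must list every domain SID of your own forest, because a SID from a domain that still exists is the signal, not the attribute being populated as such.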
SOLUTION
Novell NDS :-)
More seriously: the SID filtering introduced with MS02-001 (netdom trust /quarantine) only protects trusts with domains outside the forest. It cannot be applied to the trusts between domains of the same forest, which is exactly what this tool exploits, so within a forest the security boundary is the forest, not the domain. Anyone who can take a domain controller of any domain into Directory Services Restore Mode, or otherwise write to NTDS.DIT, must be trusted by every domain in the forest; protect DSRM passwords and physical access to every DC accordingly, and periodically enumerate objects whose sIDHistory attribute is populated and check each value against your migration records.