risk of having a child domain in your forest for another company

  • Last Post 08 February 2018
MatCollins posted this 06 February 2018

Hello, if another company has a child domain in your forest, and they are DA of their own domain (still a child domain in your forest), what are the risks?

I know it was possible to use 'NT AUTHORITY\SYSTEM' to escalate privileges and create an Enterprise Admin user by linking a GPO to a site, but now I can't seem to get it to work as a demo to convince my boss that this is bad practice.

Can you tell me what the other risks are if you have a child domain in your forest with a separate group of DAs?

barkills posted this 06 February 2018

is the Microsoft source material for your boss. Yes, a security bulletin from 15+ years ago.

“If an attacker had sufficient privileges in a trusted domain, and he could modify the behavior of the security subsystem of the domain controller, he could insert SIDs of his choice into the authorization data and thereby elevate his privileges when connecting to computers in the trusting domain.”

And another key section:

“Can I apply SID Filtering to domains within the same forest in a Windows 2000 network?

No. SID Filtering should only be applied to external trusts -- that is, trust relationships between domains that are not in the same forest. It should not be applied to trust relationships within a forest, as doing so will block replication and other functions that are essential to the proper operation of forest. If a domain is sufficiently untrustworthy to warrant applying SID Filtering to it, it really should not be a member of the forest.”

Some of the statements in that bulletin haven’t aged well. For example, this statement:

“How hard would it be for an attacker to modify the authorization data?

It would be extremely difficult.”

Is now an overstatement. I’ve seen walkthroughs which explain how to do this.

MatCollins posted this 07 February 2018

Thank you Brian, I read the link you provided and it was helpful. Just one question:

In that link, it indicated SID filtering is not recommended for trusts inside a forest, but it is better configured for external trusts. If we configure SID filtering for domains in a forest, why should it break replication? I mean, if a child domain requests replication data from the root, both the forest root and the child will be responsible for initiating the replication and no user from other domains is involved. Having said that, why does SID filtering cause problems inside a forest of multiple child domains?

johnglenn posted this 08 February 2018

Short Answer
You can apply SID filtering to trusts within the same forest. Microsoft's guidance is to not apply SID filter quarantining to trusts within a forest at functional levels under 2003 because it will affect replication; at forest functional levels of 2003 or higher, it could still affect the use of universal group membership (see the second note section on this page). Note that some outdated guidance from Microsoft referring to Windows 2000 domains does state that SID filtering should not be applied within a domain lest it break replication - as long as you are running at forest functional level 2003 or higher, you should feel free to apply SID filtering at your discretion.
Cause for Confusion
There is a lot of confusion and misinformation on this topic because some bloggers or anonymous pages citing no sources have incorrectly asserted that SID filtering and SID filter quarantining are the same thing; also, they have made their cases with no regard for forest functional levels behaving differently or being able to tolerate different configurations. Here's the difference as explained by the Active Directory Cookbook (as quoted here):

SID filtering would accept SIDs from both the adatum.com domain and its child domain emea.adatum.com

SID filter Quarantining: When Quarantine is enabled, the only SIDs that are used as part of a user’s token are from those domains in the trusted domain itself. So if the trusted domain is adatum.com, which has a child domain called emea.adatum.com, Quarantine will only accept SIDs from adatum.com itself. Even domain SIDs that are a part of the trusted domain’s trust path are not included, so an SID from emea.adatum.com would be stripped from the user’s access token.
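An added example, not code from this thread, the Cookbook, or Microsoft's documentation: a PowerShell audit that shows the two things the answers above turn on, namely how each trust's SID filtering is actually configured (plain filtering versus quarantine, and whether the trust is intra-forest, where filtering is not applied by default) and which objects carry sIDHistory values that belong to some other domain, which is the "insert SIDs of his choice into the authorization data" path the bulletin quote describes. It assumes the ActiveDirectory RSAT module and read access to the forest; the function names, the `$Server` parameter and its `$env:USERDNSDOMAIN` default are my own choices, not anything from the page.

```powershell
# Added example (not from the thread): audit trust SID-filtering state and sIDHistory.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined account with read access.
Import-Module ActiveDirectory

# 1. List every trust with its SID-filtering flags.
#    Intra-forest trusts (parent/child, tree root) normally report
#    SIDFilteringQuarantined = False: SIDs from other domains of the same forest
#    pass unfiltered, which is why a child-domain DA is not contained by the trust.
#    External trusts created on Windows Server 2003 or later default to True;
#    forest trusts expose SIDFilteringForestAware instead.
function Get-TrustSidFilteringReport {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
                      SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication
}

# 2. Find principals whose sIDHistory references a domain other than the one they
#    live in. Entries pointing at a decommissioned source domain are normal after a
#    migration; entries pointing at a domain that still exists (another domain of this
#    forest, or a partner's domain) deserve review, because sIDHistory is honoured
#    within the forest without any SID filtering.
function Get-ForeignSidHistory {
    param(
        # Domain to scan; hypothetical default, change to the domain you care about
        [string]$Server = $env:USERDNSDOMAIN
    )
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    Get-ADObject -Server $Server -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectClass |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                # AccountDomainSid is $null for well-known SIDs (e.g. BUILTIN); report them too
                $owner = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
                if ($owner -ne $domainSid) {
                    [pscustomobject]@{
                        DistinguishedName = $obj.DistinguishedName
                        ObjectClass       = $obj.objectClass
                        HistorySid        = $sid.Value
                        HistorySidDomain  = $owner
                    }
                }
            }
        }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
Get-ForeignSidHistory       | Format-Table -AutoSize
```

Run it from each domain of the forest (pass `-Server child.example.com` as a placeholder for the child domain's DNS name) rather than only from the root, since sIDHistory is stored on the objects of the domain that holds them. A trust whose `IntraForest` is True and whose `SIDFilteringQuarantined` is False is the normal, expected state; the report is there to make that state visible to the person deciding whether the other company's domain belongs in the forest at all, which is the bulletin's own framing.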