Forged SID Could Result in Elevated Privileges

A security vulnerability exists in the domain authentication process of Windows NT 4.0 and Windows 2000 domain controllers that could allow a malicious user who already controls a trusted domain to gain administrative privileges in a trusting domain.


Microsoft Windows NT 4.0 protects system resources with access control lists (ACLs). An ACL is a list of entries, each pairing a security identifier (SID) with the access rights, or permissions, granted to that security principal. SIDs are relative to a domain: the SID of a user or group is the SID of its domain with a relative identifier appended, and it uniquely identifies that user or group. An ACL is placed on a resource to indicate which users and groups are permitted to access it, and what level of access they are allowed. When a user attempts to access the resource, Windows NT compares the SIDs in the ACL with the SIDs that identify the user and the user's group memberships, and grants or denies access accordingly.

When a user logs on to a domain, the user's account SID and group membership SIDs are determined by a domain controller in the user's account domain (the trusted domain, when the resource being accessed is in another domain). The SID of that domain, the relative ID (RID) of the user's account, the RID of the user's primary group, and the SIDs of all other group memberships are combined into an authorization data structure and passed to the requesting computer.

When the computer that is requesting user authentication is in a different domain from the user's account, authentication occurs across a trust. Trusts are created between Windows NT-based or Windows 2000-based domains to simplify the user's authentication experience, in particular by enabling single sign-on. When one domain trusts another, the trusting domain allows the trusted domain to authenticate the users (or computers) whose accounts it manages. During authentication, the computer in the trusting domain accepts the authorization data provided by the trusted domain controller. The computer that requested authentication has no way to verify the authorization data, so it accepts the data as accurate solely on the strength of the trust relationship.

A vulnerability exists because the trusting domain does not verify that the trusted domain is actually authoritative for all the SIDs in the authorization data. If one of the SIDs in the list identifies a user or security group that is not in the trusted domain, the trusting domain accepts the information and uses it for subsequent access control decisions. If an attacker inserted SIDs into the authorization data at the trusted domain, the attacker could elevate his or her privileges to those that are associated with any user or group, including the domain administrators group for the trusting domain. This would enable the attacker to gain full domain administrator access on computers in the trusting domain.

This vulnerability is very hard to exploit. At a minimum, an attacker would need administrative privileges in the trusted domain and the technical ability to modify low-level operating system functions and data structures on its domain controllers so that the forged SIDs are placed into the authorization data.

To counter these potential attacks, Microsoft has added a feature called SID filtering to Windows NT 4.0 and Windows 2000. With SID filtering, an administrator can cause the domain controllers in a given domain to "quarantine" a trusted domain. The domain controllers in the trusting domain then remove every SID that is not relative to the trusted domain from any authorization data received from that domain. Quarantining is configured from the trusting domain, on a per-trust basis; on Windows 2000 it is set with the Netdom tool's /quarantine option on the trust. Because the filter discards every SID whose domain part is not the trusted domain's, it also discards SIDs that migrated accounts carry from their former domain, so it is intended for trusts between separately administered domains rather than for domains within one forest.
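The following is an added example, not code from the advisory or from Microsoft. It models the ACL comparison described above, the authorization data passed across a trust, and the quarantine filter: an attacker who controls the trusted domain inserts the trusting domain's Domain Admins SID into an ordinary user's authorization data, which an unfiltered logon honours and a quarantined logon strips while keeping the user's legitimate own-domain SIDs. The domain SIDs, the user RID 1105 and the sample ACL are constructed values; the access check is a simplified NT-style ACE walk, including deny entries, rather than the real LSA code.

```python
"""Simulated trust logon and NT-style access check, with and without
SID filtering (quarantine). All SIDs below are constructed sample values."""

# Constructed sample domain identifiers (hypothetical; not from the advisory).
TRUSTED_DOMAIN = "S-1-5-21-1111-2222-3333"   # account domain whose DC supplies the data
TRUSTING_DOMAIN = "S-1-5-21-4444-5555-6666"  # resource domain that evaluates the ACL
EVERYONE = "S-1-1-0"                         # well-known SID, not relative to any domain
DOMAIN_ADMINS_RID = 512                      # well-known RIDs, same in every domain
DOMAIN_USERS_RID = 513

ALLOW, DENY = "allow", "deny"
READ, WRITE = 0x1, 0x2
FULL = READ | WRITE


def domain_of(sid):
    """Domain part of an NT account SID (S-1-5-21-a-b-c-rid); None for well-known SIDs."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None


def sid_filter(sids, trusted_domain):
    """Quarantine rule: keep only SIDs that are relative to the trusted domain."""
    return [s for s in sids if domain_of(s) == trusted_domain]


def build_token(authz, trusted_domain, quarantine):
    """Trusting-domain side of the logon.

    authz is the authorization data received over the trust:
    (user_sid, primary_group_sid, [other group SIDs]).  Without quarantine it
    is taken as-is; with quarantine the filter runs first.  Well-known SIDs
    such as Everyone are added by the local system, never taken from the trust.
    """
    user_sid, primary_group_sid, group_sids = authz
    sids = [user_sid, primary_group_sid, *group_sids]
    if quarantine:
        sids = sid_filter(sids, trusted_domain)
        if user_sid not in sids:
            raise ValueError("account SID is not relative to the trusted domain")
    return set(sids) | {EVERYONE}


def access_check(acl, token_sids, requested):
    """NT-style ACL walk: ACEs in order; a matching deny on a requested bit
    rejects, allows accumulate until every requested bit has been granted."""
    granted = 0
    for kind, sid, mask in acl:
        if sid not in token_sids:
            continue
        if kind == DENY and mask & requested:
            return False
        if kind == ALLOW:
            granted |= mask & requested
            if granted == requested:
                return True
    return granted == requested


# Constructed ACL on a resource in the trusting domain: full control for its
# own Domain Admins, read for the trusted domain's Domain Users and Everyone.
RESOURCE_ACL = [
    (ALLOW, f"{TRUSTING_DOMAIN}-{DOMAIN_ADMINS_RID}", FULL),
    (ALLOW, f"{TRUSTED_DOMAIN}-{DOMAIN_USERS_RID}", READ),
    (ALLOW, EVERYONE, READ),
]

# Authorization data for an ordinary trusted-domain user (RID 1105 is a
# constructed value) into which an attacker controlling the trusted domain's
# DC has inserted the trusting domain's Domain Admins SID.
FORGED_AUTHZ = (
    f"{TRUSTED_DOMAIN}-1105",
    f"{TRUSTED_DOMAIN}-{DOMAIN_USERS_RID}",
    [f"{TRUSTING_DOMAIN}-{DOMAIN_ADMINS_RID}"],
)


def can_write(quarantine):
    """Does the forged logon obtain WRITE on the resource?"""
    token = build_token(FORGED_AUTHZ, TRUSTED_DOMAIN, quarantine)
    return access_check(RESOURCE_ACL, token, WRITE)


def can_read(quarantine):
    """Legitimate access (READ via the trusted domain's Domain Users) must survive."""
    token = build_token(FORGED_AUTHZ, TRUSTED_DOMAIN, quarantine)
    return access_check(RESOURCE_ACL, token, READ)


if __name__ == "__main__":
    print("write without quarantine:", can_write(False))  # True: forged SID honoured
    print("write with quarantine:   ", can_write(True))   # False: forged SID stripped
    print("read with quarantine:    ", can_read(True))    # True: own-domain SIDs kept
```

The filter keys on the domain part of each SID only, which is why it is effective against forged group SIDs from any other domain but also why it removes every foreign SID, legitimate or not, including those migrated accounts keep from a former domain.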

Affected Products

  • Microsoft Windows NT 4.0 and Windows 2000


A software patch can be downloaded from the following locations:

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: January 30, 2002
