{
	"id": "fdddca04-84b1-445d-a9c8-60165900523a",
	"created_at": "2026-04-06T00:06:54.371687Z",
	"updated_at": "2026-04-10T03:20:29.342885Z",
	"deleted_at": null,
	"sha1_hash": "9f3324392ac7a71d6dbff2bc04bfc7e645129568",
	"title": "Configuring SID Filter Quarantining: Domain and Forest Trusts; Active Directory",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37542,
	"plain_text": "Configuring SID Filter Quarantining: Domain and Forest Trusts; Active Directory\r\nBy Archiveddocs\r\nArchived: 2026-04-05 19:58:45 UTC\r\nApplies To: Windows Server 2008, Windows Server 2008 R2\r\nSecurity principals in Active Directory Domain Services (AD DS) have an attribute, called SID history, to which domain administrators can add users’ old security identifiers (SIDs). This is useful during Active Directory migrations so that administrators do not have to modify access control lists (ACLs) on large numbers of resources and users can use their old SIDs to access resources. However, under some circumstances it is possible for attackers or rogue administrators that have compromised a domain controller in a trusted domain to use the SID history attribute (sIDHistory) to associate SIDs with new user accounts, granting themselves unauthorized rights.\r\nTo help prevent this type of attack, SID filter quarantining is automatically enabled on all external trusts that are created from domain controllers running either Windows Server 2003 or later operating systems. External trusts that are created from domain controllers running Windows 2000 Server with Service Pack 3 (SP3) or earlier do not have SID filter quarantining enforced by default. These external trusts must be configured manually to enable SID filter quarantining.\r\nNote\r\nYou cannot turn off the default behavior in Windows Server 2003 or Windows Server 2008 that enables SID filter quarantining for newly created external trusts. However, under certain conditions SID filter quarantining can be disabled on such an external trust. For information about conditions for disabling SID filter quarantining, see Disable SID filter Quarantining.\r\nExternal trusts that are created from domain controllers running Windows 2000 Server with SP3 or earlier do not enforce SID filter quarantining by default. To further secure your forest, consider enabling SID filter quarantining on all existing external trusts that are created from domain controllers running Windows 2000 Server SP3 or earlier. You can do this by using Netdom.exe to enable SID filter quarantining on existing external trusts or by recreating these external trusts from a domain controller running Windows Server 2008, Windows Server 2003, or Windows 2000 Server with Service Pack 4 (SP4).\r\nYou can use SID filter quarantining to filter out migrated SIDs that are stored in SID history from specific domains. For example, where an external trust relationship exists so that one domain, Contoso (running Windows 2000 Server domain controllers), trusts another domain, Cpandl (also running Windows 2000 Server domain controllers), an administrator of the Contoso domain can manually apply SID filter quarantining to the Cpandl domain, which allows all SIDs with a domain SID from the Cpandl domain to pass but all other SIDs (such as those from migrated SIDs that are stored in SID history) to be discarded.\r\nNote\r\nDo not apply SID filter quarantining to trusts within a forest that is not using either the Windows Server 2008 or Windows Server 2003 forest functional level, because doing so removes SIDs that are required for Active Directory replication. If the forest functional level is Windows Server 2008 or Windows Server 2003 and quarantining is applied between two domains within a forest, a user in the quarantined domain with universal group memberships in other domains in the forest might not be able to access resources in nonquarantined domains, because the group memberships from those domains are filtered when resources are accessed across the trust relationship. Likewise, SID filter quarantining should not be applied to forest trusts.\r\nFor more information about how SID filtering works, see Security Considerations for Trusts (https://go.microsoft.com/fwlink/?LinkID=111846).\r\nTask requirements\r\nYou can use either of the following tools to perform the procedures for this task:\r\nActive Directory Domains and Trusts\r\nNetdom.exe\r\nFor more information about using the Netdom command-line tool to configure SID filtering settings, see Netdom Overview (https://go.microsoft.com/fwlink/?LinkId=111537).\r\nTo complete this task, you can perform the following procedures:\r\nDisable SID filter Quarantining\r\nReapply SID Filter Quarantining\r\nSource: https://technet.microsoft.com/library/cc794757.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/library/cc794757.aspx"
	],
	"report_names": [
		"cc794757.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775791229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f3324392ac7a71d6dbff2bc04bfc7e645129568.pdf",
		"text": "https://archive.orkl.eu/9f3324392ac7a71d6dbff2bc04bfc7e645129568.txt",
		"img": "https://archive.orkl.eu/9f3324392ac7a71d6dbff2bc04bfc7e645129568.jpg"
	}
}