CUI

Vulnerability V-243484

CAT II

Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.

Ships Affected: 1
Total Findings: 1
Open: 0
Closed: 0

Check Text

Open "Active Directory Domains and Trusts". (Available from various menus or run "domain.msc".)
Right-click the domain in the left pane and select "Properties".
Select the "Trusts" tab.
Note any existing trusts and the type.
If no trusts exist, this is NA.

Access a command line and run the following command on the trusting domain:
"netdom trust <trusting domain> /d:<trusted domain> /quarantine"
If the result does not specify the following, this is a finding:
"SID filtering is enabled for this trust. Only SIDs from the trusted domain will be accepted for authorization data returned during authentication. SIDs from other domains will be removed."

If the trust type is Forest, run the following command on the trusting domain:
"netdom trust <trusting domain> /d:<trusted domain> /enablesidhistory"
If the result does not specify "SID history is disabled for this trust", this is a finding.

Fix Text

Ensure SID filtering is enabled on all external trusts. You can enable SID filtering only from the trusting side of the trust. Enter the following line from a command line:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /quarantine:Yes /usero:<DomainAdministratorAcct> /passwordo:<DomainAdminPwd>

Ensure SID history is disabled for all forest trusts. You can disable SID history only from the trusting side of the trust. Enter the following line from a command line:
netdom trust <TrustingDomainName> /d:<TrustedDomainName> /enablesidhistory:No /usero:<DomainAdministratorAcct> /passwordo:<DomainAdminPwd>
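The following PowerShell is an added example for the check and fix above; it is not part of the STIG text or of this tracker. It reads the trustAttributes bitmask of every trust through Get-ADTrust instead of running netdom interactively, and decides compliance the way the fix text splits it: SID filtering quarantine for external trusts, SID history disabled for forest trusts. The bit values are the MS-ADTS trustAttributes flags; the assumption that these bits are exactly what the quoted netdom messages report (netdom reads the same attribute) should be confirmed with one netdom run before relying on the script for a checklist. The sample trust objects and domain names are constructed and do not refer to any real domain.

```powershell
# Added example (not STIG or tracker code): evaluate V-243484 for every trust
# where the local domain is the trusting side. Assumed mapping, verify once with netdom:
#   QUARANTINED_DOMAIN set   <=> netdom /quarantine reports "SID filtering is enabled for this trust"
#   TREAT_AS_EXTERNAL clear  <=> netdom /enablesidhistory reports "SID history is disabled for this trust"
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering quarantine (set by /quarantine:Yes)
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8   # forest trust
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20  # parent/child or tree-root trust: out of scope for this rule
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # SID history allowed across a forest trust (set by /enablesidhistory:Yes)

function Test-SidFilteringCompliance {
    param(
        # Objects with Name, Direction and TrustAttributes; defaults to the live directory
        # (the default expression only runs when -Trusts is not supplied).
        [object[]] $Trusts = (Get-ADTrust -Filter * -Properties TrustAttributes),
        [string]   $TrustingDomain = $env:USERDNSDOMAIN
    )
    foreach ($t in $Trusts) {
        $attr = [int]$t.TrustAttributes
        if ($attr -band $TRUST_ATTRIBUTE_WITHIN_FOREST) { continue }   # intra-forest: NA
        # SID filtering is enforced by the trusting (resource) side, i.e. where the trust is outbound.
        if ($t.Direction -notin @('Outbound', 'BiDirectional')) { continue }

        $isForest     = [bool]($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
        $quarantined  = [bool]($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
        $sidHistoryOn = [bool]($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)

        if ($isForest) {
            $compliant = -not $sidHistoryOn
            $fix = "netdom trust $TrustingDomain /d:$($t.Name) /enablesidhistory:No /usero:<DomainAdministratorAcct> /passwordo:*"
        } else {
            $compliant = $quarantined
            $fix = "netdom trust $TrustingDomain /d:$($t.Name) /quarantine:Yes /usero:<DomainAdministratorAcct> /passwordo:*"
        }
        $trustType = if ($isForest) { 'Forest' } else { 'External' }
        $status    = if ($compliant) { 'NotAFinding' } else { 'Open' }
        $remedy    = if ($compliant) { $null } else { $fix }

        [pscustomobject]@{
            TrustedDomain  = $t.Name
            TrustType      = $trustType
            Direction      = $t.Direction
            Quarantined    = $quarantined      # shown for all trusts so a reviewer can apply the stricter reading too
            SidHistory     = $sidHistoryOn
            Status         = $status
            Remediation    = $remedy
        }
    }
}

# Constructed sample trusts (not real domains) so the logic can be exercised offline.
$sample = @(
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'Outbound';      TrustAttributes = 0x4 }          # external, quarantined -> NotAFinding
    [pscustomobject]@{ Name = 'legacy.example';     Direction = 'BiDirectional'; TrustAttributes = 0x0 }          # external, filtering off -> Open
    [pscustomobject]@{ Name = 'corp2.example';      Direction = 'BiDirectional'; TrustAttributes = 0x8 }          # forest, SID history disabled -> NotAFinding
    [pscustomobject]@{ Name = 'acquired.example';   Direction = 'Outbound';      TrustAttributes = (0x8 -bor 0x40) } # forest, SID history enabled -> Open
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; TrustAttributes = 0x20 }         # intra-forest -> skipped
)
Test-SidFilteringCompliance -Trusts $sample -TrustingDomain 'corp.example' | Format-Table -AutoSize

# Against the live directory, from a domain controller or RSAT host in the trusting domain:
# Test-SidFilteringCompliance | Where-Object Status -eq 'Open'
```

Run it on the trusting side, as the fix text requires; a trust that is only inbound from the local domain's point of view is filtered on the other side and is skipped here. The generated remediation lines use "/passwordo:*" so netdom prompts for the password rather than leaving it in the console history and process command line, which the literal fix text placeholder "/passwordo:<DomainAdminPwd>" would do. Because the check text also asks for "/quarantine" output on forest trusts while the fix text only requires SID history to be disabled on them, the Quarantined column is emitted for every trust so the reviewer can record whichever reading the assessing authority applies.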

STIG Reference

STIG
Active Directory Domain Security Technical Implementation Guide
Version
3
Release
7
Rule ID
SV-243484r958482_rule

All Occurrences

This vulnerability appears on 1 ship(s)

Ship: USNS MONTFORD POINT
Hull #: T-ESD-1
Source File: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Status:
Assigned To: Unassigned
Scan Date: 2026-01-14T12:57:36.435963