Ensure SID Filtering for Domain and Forest Trusts
Enable SID filtering for enhanced security between domain and forest trusts.
Plain language
This control is all about making sure that only the right people have access to the right things in your computer network. It involves setting up a security check called SID filtering, which helps prevent unauthorised access from other parts of your network. Without this, someone from another part of the network could potentially access sensitive information or disrupt your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
SID Filtering is enabled for domain and forest trusts.
Why it matters
Without SID filtering on domain/forest trusts, attackers can inject SIDs to gain unauthorised access across trusts.
Operational notes
Regularly verify SID filtering is enabled on all domain/forest trusts and review trust changes at least quarterly.
Implementation tips
- IT team should enable SID filtering: The IT team should configure all domain and forest trusts within the network to enable SID filtering. This means adjusting the settings on the network servers to specify that only trusted security identifiers (SIDs) can be used from other domains.
- System administrators should verify settings: System administrators need to regularly check that SID filtering is enabled on all the trust relationships between domains. They can do this by using network management tools to look at each domain trust setting.
- Security officers should conduct training: Security officers should organise training sessions for IT personnel on why SID filtering is crucial and the basics of how it operates. This helps ensure that everyone responsible for maintaining the network understands its importance and functioning.
- IT team needs to document configurations: When enabling SID filtering, the IT team should keep detailed records of when and how the filters were set up. This can help if there are any issues later and serves as proof for audits.
- Managers should review security policies: Managers responsible for network security should review and update policy documents to include SID filtering as a required control. This formalises the control within the organisation's security framework.
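The verification step in the tips above can be automated. The following PowerShell script is an added example, not part of the Control Stack page or the ISM; it assumes the RSAT ActiveDirectory module is installed and the account running it may read trust objects. It lists every trust of the current domain and flags any where SID filtering is not in effect, so the output can double as the configuration report and change-log evidence requested under the audit tips.

```powershell
# Added example: report SID filtering status for all domain and forest trusts.
# Assumes the RSAT ActiveDirectory module and read access to trust objects.
Import-Module ActiveDirectory

function Get-TrustSidFilteringReport {
    param(
        # Optional domain controller to query; defaults to the current domain.
        [string]$Server
    )
    $query = @{
        Filter     = '*'
        Properties = 'SIDFilteringQuarantined', 'SIDFilteringForestAware',
                     'ForestTransitive', 'Direction', 'IntraForest'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADTrust @query | ForEach-Object {
        $t = $_
        # Forest trusts use the forest-aware SID filter (enabled by default);
        # external domain trusts use the quarantine flag. Trusts inside the
        # same forest are never SID filtered and are reported but not flagged.
        $enabled = if ($t.IntraForest) {
            $null
        } elseif ($t.ForestTransitive) {
            [bool]$t.SIDFilteringForestAware -or [bool]$t.SIDFilteringQuarantined
        } else {
            [bool]$t.SIDFilteringQuarantined
        }
        [pscustomobject]@{
            Trust                   = $t.Name
            Direction               = $t.Direction
            IntraForest             = $t.IntraForest
            ForestTransitive        = $t.ForestTransitive
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            SidFilteringEnabled     = $enabled
        }
    }
}

$report = Get-TrustSidFilteringReport
$report | Format-Table -AutoSize

# Keep a dated copy as audit evidence for the trust review.
$report | Export-Csv -NoTypeInformation -Path ".\sid-filtering-$(Get-Date -Format yyyyMMdd).csv"

# Flag external or forest trusts without SID filtering.
$report | Where-Object { $_.SidFilteringEnabled -eq $false } | ForEach-Object {
    Write-Warning "SID filtering is NOT enabled on trust '$($_.Trust)' ($($_.Direction))"
}
```

Where the report flags a trust, the filter can be re-enabled on the trusting domain with `netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:Yes` for an external trust, or `netdom trust <TrustingDomain> /domain:<TrustedForestRoot> /enablesidhistory:No` for a forest trust; re-run the script afterwards and keep the before and after CSVs with the change record.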
Audit / evidence tips
- Ask: a configuration report for domain trusts. Request a report detailing the current settings of domain trusts.
  Good is: seeing that SIDs from external domains are filtered by default.
- Ask: to see policy documents. Request the security policy or protocol documents that reference SID filtering. Look to ensure SID filtering is mentioned as a required security measure.
  Good is: a clearly documented policy stating SID filtering is mandatory for all domain trusts.
- Ask: training records. Request proof of training sessions for IT staff on SID filtering.
  Good is: records showing regular training sessions with comprehensive materials on SID filtering concepts.
- Ask: change management records. Request logs or records that detail when SID filtering was enabled or modified.
  Good is: a clear and detailed change log available for each trust.
- Ask: to see monitoring tools. Request a demonstration of the tools used to monitor domain trusts.
  Good is: a tool that visibly shows SID filtering as active and properly configured.
Cross-framework mappings
How ISM-1931 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (1) | Annex A 8.9 | ISM-1931 requires SID Filtering to be enabled on domain and forest trusts to prevent abuse of SIDHistory/foreign SIDs across trust bounda... |
| Supports (1) | Annex A 8.8 | ISM-1931 necessitates SID Filtering to be enabled to mitigate the risk of privilege escalation across trust relationships |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.