Active Directory Trust Relationships: Security Considerations and Risk Mitigation (2024)

An Active Directory trust relationship is an authentication link between two domains in which one is the trusting domain and the other is the trusted domain. The trusting domain accepts logon authentication performed by the trusted domain's domain controllers, so users of the trusted domain can present themselves to the trusting domain without having a second account there.

Typically the trusted domain holds the user accounts (the accounts domain) and the trusting domain holds the resources (the resource domain). Users from the trusted domain can therefore authenticate to the trusting domain; whether they can actually open a given resource still depends on the permissions granted on that resource. A trust makes the other domain's principals authenticable, it does not by itself authorize them to anything.

Prerequisites for Establishing an Active Directory Trust

To establish an AD trust between two Active Directory domains, specific conditions must be met. These include:

Network Connectivity: The domain controllers of the two domains must be able to communicate with each other over the ports Active Directory uses (DNS, Kerberos, RPC, LDAP and SMB). Resources in the resource domain must also be able to reach the domain controllers in the accounts domain.

DNS Name Resolution: Domain controllers of each domain must be able to resolve DNS records for the other domain’s AD environment.

Accounts Domain Service Account: Tools in the resource domain that need to read user and group objects from the accounts domain (auditing, group membership resolution and the like) need an account in the accounts domain when the trust is one-way, because principals from the resource domain cannot authenticate to the accounts domain across a one-way trust. With a two-way trust, authenticated users from the resource domain already receive the default read access to the accounts domain, so no dedicated account is needed. The account needs no special permissions; ordinary membership in the Domain Users group of the accounts domain is enough.

How are Active Directory Trusts Established?

Trusts can be created automatically or manually, and each trust is either transitive or non-transitive.

Transitive trusts: If Domain A trusts Domain B and Domain B trusts Domain C, then Domain A also trusts Domain C. All trusts inside a forest are transitive.

Non-transitive trusts: If Domain A trusts Domain B and Domain B trusts Domain C, Domain A does not trust Domain C; the trust stops at the domain it was created with.

Independently of transitivity, a trust is either one-way or two-way. In a one-way trust only one domain trusts the other; in a two-way trust each domain trusts the other. The trust types described below each have a fixed transitivity, and most of them can be created in either direction.

To create an AD trust, first make sure the prerequisites are met and that the security decisions (direction, whether the trust must be transitive, SID filtering and selective authentication) have been taken. The trust is created between a resource domain and an accounts domain. An external trust is always non-transitive and can be one-way or two-way; a forest trust is transitive between the domains of the two forests.

To initiate the trust creation from the resource domain, open the Active Directory Domains and Trusts console, right-click the object representing the domain, choose Properties, open the Trusts tab and click New Trust to start the New Trust Wizard.

The wizard then asks for the trust name (the DNS name of the other domain), the trust type, the direction of the trust, and whether to create one or both sides of the trust. Supply the user name and password of an account with Domain Admins membership in the accounts domain and choose the outgoing trust authentication level (domain-wide or selective authentication).

Finally, confirm the outgoing and incoming trusts, review the status of the trust creation and click Finish.
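The following PowerShell script is an added example and is not part of the original article. It walks the prerequisites above from the resource (trusting) domain, creates the same one-way external trust the New Trust Wizard creates, but from the command line with netdom, and then verifies the result with Get-ADTrust and netdom /verify. It assumes it is run on a domain controller of the resource domain as a Domain Admin; the domain names and the TrustAdmin account are placeholders.

```powershell
# Added example, not part of the original article: check the prerequisites, create the
# trust with netdom (the command-line equivalent of the New Trust Wizard) and verify it.
# Assumptions: run on a DC of the resource domain as a Domain Admin; domain names and the
# accounts-domain admin account below are placeholders.
$ResourceDomain = 'resource.example'              # trusting domain, hosts the resources
$AccountsDomain = 'accounts.example'              # trusted domain, hosts the user accounts
$AccountsAdmin  = "$AccountsDomain\TrustAdmin"    # Domain Admins member in the accounts domain (placeholder)

# 1. DNS name resolution: the resource DCs must find the accounts domain's DC locator records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AccountsDomain" -Type SRV -ErrorAction Stop
$accountsDCs = $srv | Where-Object { $_.Type -eq 'SRV' } |
               Select-Object -ExpandProperty NameTarget -Unique
if (-not $accountsDCs) {
    throw "No DC SRV records for $AccountsDomain: add a conditional forwarder or stub zone first"
}

# 2. Network connectivity: the TCP ports domain controllers need to set up and use a trust.
$Ports = [ordered]@{ DNS = 53; Kerberos = 88; 'RPC endpoint mapper' = 135
                     LDAP = 389; SMB = 445; 'Kerberos kpasswd' = 464 }
$blocked = foreach ($dc in $accountsDCs) {
    foreach ($p in $Ports.GetEnumerator()) {
        $r = Test-NetConnection -ComputerName $dc -Port $p.Value -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) { "$dc TCP/$($p.Value) ($($p.Key))" }
    }
}
if ($blocked) { throw "Blocked ports, fix the firewall first:`n$($blocked -join "`n")" }

# 3. Create a one-way external trust in which the resource domain trusts the accounts domain.
#    /userD and /passwordD are the trusted (accounts) domain credentials the wizard asks for;
#    the * makes netdom prompt for the password instead of leaving it in the command history.
#    Add /twoway for a two-way trust. External trusts are non-transitive by design.
netdom trust $ResourceDomain /d:$AccountsDomain /add /userD:$AccountsAdmin /passwordD:*
if ($LASTEXITCODE -ne 0) { throw "netdom failed with exit code $LASTEXITCODE" }

# 4. Verify the trust object and the secure channel. For a one-way external trust created
#    from the trusting side expect Direction Outbound, ForestTransitive False and
#    SIDFilteringQuarantined True (SID filtering is on by default for external trusts).
Get-ADTrust -Filter "Name -eq '$AccountsDomain'" |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SelectiveAuthentication, UsesAESKeys
netdom trust $ResourceDomain /d:$AccountsDomain /verify
```

If SIDFilteringQuarantined comes back False or SelectiveAuthentication is False where it should not be, fix it right away with netdom (see the security settings section below) rather than leaving the trust in its default state while the rest of the rollout proceeds.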

What are the Different Types of AD Trusts?

Tree-root trust

When a new tree-root domain is added to a forest, a trust between it and the forest root domain is established automatically. This trust involves only the domains located at the top of each tree. Tree-root trusts are two-way and transitive.

Parent-child trust

When a new child domain is created in a tree, a parent-child trust relationship is established without any explicit action. As part of the promotion, DCPromo (or Install-ADDSDomain on current versions) creates a two-way transitive trust between the new domain and the domain directly above it in the DNS hierarchy.

Shortcut trust

A system administrator creates a shortcut trust manually between two domains in the same forest to shorten the trust path: without it, a cross-domain logon has to be referred up the tree to the forest root and down again. This is usually only worthwhile in large forests. Shortcut trusts are transitive and can be one-way or two-way.

External trust

A system administrator creates an external trust manually between domains in different forests, or between a domain in an Active Directory forest and a Windows NT 4.0 or earlier domain. External trusts are useful when migrating resources from a Windows NT 4.0 domain to an Active Directory domain. They are non-transitive, so the trust reaches only the one named domain and not the rest of its forest, and they can be one-way or two-way.

Forest trust

A forest trust between two forest root domains (Windows Server 2003 and later) must be created deliberately by a systems administrator. It lets every domain in one forest trust every domain in the other forest transitively. However, the transitivity does not chain across three or more forests: a forest trust from A to B and one from B to C does not make A trust C. Forest trusts can be one-way or two-way and are only available when the forest functional level is Windows Server 2003 or higher.

Realm trust

To connect a non-Windows Kerberos realm with a Windows 2003 or newer domain, a system administrator needs to establish a realm trust. It can be either transitive or non-transitive, and can operate in one or both directions.

Security Considerations for Active Directory Trusts

Interforest trusts (external and forest trusts, on Windows Server 2003 and later) expose the trusting forest to two kinds of attack. In the first, a malicious user with administrative credentials in the trusted forest observes authentication requests to learn the SID of a privileged principal in the trusting forest, then writes that SID into the SID history of an account under their control; if the trusting forest honors the injected SID, the attacker inherits that principal's access. In the second, a malicious user in another organization's forest uses the authentication path that an external or forest trust opens to reach shared resources in the trusting forest that were never meant for them. SID filtering and selective authentication on the interforest trust address these two attacks respectively.

Security Settings for Interforest Trusts

Windows Server 2003 and later provide two security options for interforest trusts: SID filtering and selective authentication. SID filtering discards, at the trust boundary, any SID in an incoming authentication that does not belong to the trusted domain (external trust) or to a domain of the trusted forest (forest trust). The SID history attribute exists so that user and group accounts keep their access when they are migrated to a new domain, but an attacker who controls the trusted side can load it with privileged SIDs from the trusting forest to elevate their privileges; SID filtering neutralizes that. It is enabled by default on trusts created on Windows Server 2003 or later and should only be relaxed for the duration of a migration. Selective authentication limits which authentication requests may cross the trust: users from the trusted forest can only authenticate to those computers in the trusting forest on which they have explicitly been granted the Allowed to Authenticate permission, rather than to every computer in the forest, which reduces the attack surface considerably. Windows does include APIs for migrating accounts with their SID history, but they require administrative credentials in both domains and are unlikely to be misused.
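The script below is an added example, not code from the original article. It enumerates every trust object of the current domain, decodes the trustAttributes bit flags (values and meanings taken from the trustAttributes definition in MS-ADTS section 6.1.6.7.9) and reports the interforest trusts that lack SID filtering or selective authentication, with the netdom switch that fixes each finding. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the trustedDomain objects in the System container.

```powershell
# Added example, not part of the original article: audit the trusts of the current domain
# for the two protections discussed above. Flag values are from MS-ADTS 6.1.6.7.9; the
# netdom switches named in the findings are the standard netdom trust options.
Import-Module ActiveDirectory

$TrustFlags = [ordered]@{
    NON_TRANSITIVE                           = 0x00000001
    UPLEVEL_ONLY                             = 0x00000002
    QUARANTINED_DOMAIN                       = 0x00000004  # SID filtering (quarantine) enforced
    FOREST_TRANSITIVE                        = 0x00000008  # forest trust
    CROSS_ORGANIZATION                       = 0x00000010  # selective authentication
    WITHIN_FOREST                            = 0x00000020  # parent-child, tree-root or shortcut trust
    TREAT_AS_EXTERNAL                        = 0x00000040  # forest trust with SID history enabled (relaxed filtering)
    USES_RC4_ENCRYPTION                      = 0x00000080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x00000200
    PIM_TRUST                                = 0x00000400
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x00000800
}

function ConvertFrom-TrustAttributes {
    # Turn the integer trustAttributes value into the list of flag names that are set.
    param([int]$Value)
    foreach ($f in $TrustFlags.GetEnumerator()) {
        if (($Value -band $f.Value) -ne 0) { $f.Key }
    }
}

function Test-TrustHardening {
    # One report object per trust: decoded flags plus the findings a reviewer should act on.
    param($Trust)
    $flags = @(ConvertFrom-TrustAttributes -Value $Trust.TrustAttributes)
    $findings = @()
    if ($flags -notcontains 'WITHIN_FOREST') {
        # Only trusts that cross the forest boundary are exposed to the two attacks above.
        if ($flags -contains 'FOREST_TRANSITIVE') {
            if ($flags -contains 'TREAT_AS_EXTERNAL') {
                $findings += 'Forest trust with SID history enabled: filtering relaxed (netdom trust ... /enablesidhistory:no)'
            }
        } elseif ($flags -notcontains 'QUARANTINED_DOMAIN') {
            $findings += 'External trust without SID filtering: injected SID history is honored (netdom trust ... /quarantine:yes)'
        }
        if ($flags -notcontains 'CROSS_ORGANIZATION') {
            $findings += 'Domain-wide authentication: any trusted-side user can authenticate to any computer here (netdom trust ... /selectiveauth:yes)'
        }
        if ($flags -contains 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION') {
            $findings += 'Unconstrained delegation is honored across this trust'
        }
    }
    if (($flags -contains 'USES_RC4_ENCRYPTION') -and -not $Trust.UsesAESKeys) {
        $findings += 'Trust account limited to RC4 Kerberos keys'
    }
    [pscustomobject]@{
        Trust       = $Trust.Name
        Direction   = $Trust.Direction
        Type        = $Trust.TrustType
        Flags       = $flags -join ', '
        LastChanged = $Trust.whenChanged
        Findings    = $findings
    }
}

Get-ADTrust -Filter * -Properties whenChanged |
    ForEach-Object { Test-TrustHardening -Trust $_ } |
    Format-List
```

Run the netdom commands from the trusting domain with Domain Admin credentials for both sides. Before switching a trust to selective authentication, grant the Allowed to Authenticate permission on the computer objects the trusted-side users genuinely need, otherwise their access stops the moment the switch is made.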

Tips for Securing Trusts in Active Directory

Securing trusts in Active Directory is essential for maintaining the security of your network and data. Below are some of the key steps to follow:

  1. Protect the credentials involved in trusts: creating or changing a trust needs Domain Admin rights on both sides, and the trust password chosen when one side is created must be long and random (Windows rotates the trust account's password automatically afterward).
  2. Update and patch your Active Directory regularly.
  3. Enable auditing of trust changes and of cross-trust authentication (the Authentication Policy Change and Account Management audit subcategories) and monitor the resulting events so that unauthorized access attempts are detected.
  4. Require multi-factor authentication for the privileged accounts that can create or modify trusts and for the accounts that authenticate across them.
  5. Limit the number of trust relationships to the minimum necessary.
  6. Configure external and forest trusts to use selective authentication instead of domain-wide authentication, and keep SID filtering enabled.
  7. Implement network segmentation to isolate sensitive data and critical resources.
  8. Require signed and encrypted protocols between domains: AES for Kerberos on the trust, LDAP signing, and SMB signing or encryption.
  9. Regularly review and audit all trust relationships to detect any unauthorized or unnecessary trusts.
  10. Train and educate your users on the importance of securing trust relationships and the risks associated with allowing unauthorized access.
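As an added example for the auditing and monitoring tips above (not part of the original article), the script below collects the Security-log events a domain controller records when a trust is created, removed or modified and when SID history is written to an account, and prints who did what to which domain. The event IDs are the documented Windows audit events; the domain controller name and the seven-day lookback are assumptions, and the auditpol lines show which subcategories must be enabled for the events to exist at all.

```powershell
# Added example, not part of the original article: pull trust-change and SID-history
# events from a DC's Security log. Event IDs are the documented Windows audit events;
# the DC name and lookback window are assumptions.
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Days = 7
)

# These events only exist if the subcategories are audited. Set them by GPO on all DCs;
# locally the equivalent is:
#   auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
#   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
$TrustEvents = @{
    4706 = 'A new trust was created to a domain'
    4707 = 'A trust to a domain was removed'
    4716 = 'Trusted domain information was modified'
    4765 = 'SID History was added to an account'
    4766 = 'An attempt to add SID History to an account failed'
}

function Get-TrustChangeEvent {
    param([string]$ComputerName, [int]$LookbackDays)
    $filter = @{
        LogName   = 'Security'
        Id        = @($TrustEvents.Keys)
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Id           = $_.Id
                What         = $TrustEvents[$_.Id]
                Actor        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                # 4706/4707/4716 carry the trust partner in DomainName; 4765/4766 carry the account in TargetUserName.
                Target       = if ($data['DomainName']) { $data['DomainName'] } else { $data['TargetUserName'] }
                SidFiltering = $data['SidFilteringEnabled']   # present on 4706 and 4716
                Direction    = $data['TrustDirection']
            }
        }
}

Get-TrustChangeEvent -ComputerName $DomainController -LookbackDays $Days |
    Sort-Object Time |
    Format-Table Time, Id, What, Actor, Target, SidFiltering, Direction -AutoSize
```

Any 4706 or 4716 that was not raised by a change you scheduled, and any 4765 outside a migration window, deserves an immediate look, since together they are exactly the sequence the SID-history attack described earlier would leave behind.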

How Lepide Helps Secure Active Directory

The Lepide Data Security Platform helps to secure trusts in Active Directory by providing continuous monitoring and tracking of all changes and activities being performed on the trust relationships between different domains within the AD forest. This allows administrators to quickly detect and respond to any unauthorized access attempts, suspicious behavior, or other security threats that may arise within the trust relationships.

The Lepide platform provides visibility into all events related to trust relationships, including changes to trust settings, addition or removal of trusts, failed authentication attempts, and other security-related events. This visibility enables quick identification and resolution of security issues, helping to prevent security breaches and unauthorized access to sensitive resources. Additionally, real-time auditing helps to meet compliance requirements by generating detailed reports of all trust-related activities.

If you’d like to see how the Lepide Data Security Platform can help you monitor your AD trust relationships, schedule a demo with one of our engineers.

Article information

Author: Jamar Nader