Trusts and Forests

Trusts

Trusts are a Kerberos concept that Microsoft adopted in Active Directory to allow users of domain domA to access resources in domain domB. The Kerberos realm (Active Directory domain) domB delegates user authentication to domain domA.

A trust is very practical for facilitating the merger of two companies after a takeover, for example.

However, trusts can be abused in a number of ways, and the cleanest approach is often to merge the domains. This is the recommendation of Tranquil IT. It also makes the day-to-day management of the Active Directory easier, as there is no need to replicate GPOs, etc.

There is one case where a trust is recommended by ANSSI: a one-way trust relationship from an administrative domain to a production domain. This technique is notably used to better protect privileged accounts by isolating them in a separate domain that is more tightly secured and protected.

A trust relationship has several characteristics:

  • Transitive or intransitive trust;

  • Bi-directional or uni-directional trust;

  • Shortcut trust;

  • Etc.
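As an added example (not from the original page), the following PowerShell script reviews the trusts of the domain it is run on against the characteristics listed above and the ANSSI recommendation of a single one-way trust from the administrative domain: it flags bi-directional trusts, transitive trusts, and any trust whose direction does not match "production trusts admin". It assumes the RSAT ActiveDirectory module and a hypothetical administrative domain name that you replace with your own.

```powershell
# Added example: inventory the trusts of the local domain and flag those that
# contradict the "single one-way trust from the administrative domain" model.
# Requires the ActiveDirectory RSAT module; run on the production domain.
Import-Module ActiveDirectory

# Assumption: DNS name of the administrative (bastion) domain. Replace it.
$AdminDomain = 'admin.example.corp'

function Get-TrustReview {
    param([string]$AdminDomain)

    $local = (Get-ADDomain).DNSRoot
    foreach ($t in Get-ADTrust -Filter *) {
        $findings = @()

        # Bi-directional: users of either domain can reach the other's resources.
        if ($t.Direction -eq 'BiDirectional') { $findings += 'bidirectional' }

        # Transitive: access extends to every domain the partner itself trusts.
        # (DisallowTransivity is the real, misspelled AD property name.)
        $transitive = (-not $t.DisallowTransivity) -or $t.ForestTransitive
        if ($transitive) { $findings += 'transitive' }

        # Seen from the production domain, the admin domain must appear as an
        # Outbound trust: production trusts admin, never the reverse.
        if ($t.Target -eq $AdminDomain -and $t.Direction -ne 'Outbound') {
            $findings += 'trust to admin domain is not one-way outbound'
        }
        if ($t.Target -ne $AdminDomain) {
            $findings += 'trust to a non-admin domain; consider merging'
        }

        [pscustomobject]@{
            Source     = $local
            Target     = $t.Target
            Direction  = $t.Direction
            TrustType  = $t.TrustType
            Transitive = $transitive
            Findings   = ($findings -join '; ')
        }
    }
}

Get-TrustReview -AdminDomain $AdminDomain | Format-Table -AutoSize
```

Intra-forest (parent/child) trusts are always transitive, so every sub-domain of a forest shows up as transitive; that is precisely the situation the page recommends consolidating.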

Domain forests

An Active Directory domain defines a common authentication domain built on one shared Active Directory database. It sets the boundary of that authentication domain for users and their resources.

When Microsoft designed Active Directory over 20 years ago, servers had roughly the performance of today’s phones. Moreover, Active Directory technology was new and still had many bugs.

To address this, Microsoft came up with the notion of a forest, which allows several domains to be placed under the same roof. This solved the scaling problem and also (on paper) made the delegation of rights simple (e.g. a foreign subsidiary with its own domain, separate from the headquarters domain).

In practice, the first problem has been solved over time. Today the Microsoft-AD and Samba-AD technologies are mature and servers are much more powerful. They can handle domains with tens of thousands of users without splitting them into several sub-domains.

Moreover, the isolation of administration rights by separating them into sub-domains did not withstand the creativity of attackers: today a person with Domain Admins access to a sub-domain can easily become Enterprise Admins, i.e. administrator of the whole forest.

Recommendations

It is therefore preferable today to consolidate the different domains into one rather than keeping several domains linked by trust relationships. Starting with Active Directory 2012, the silo technique can be used within a single domain to isolate different user populations.