Domain Trusts Brief
What It Is
A trust is a relationship between two domains that allows users in one domain to authenticate to resources in the other. Trusts have three properties: direction (one-way or two-way), transitivity (whether the trust extends through chains), and type (intra-forest or inter-forest). The forest is the real security boundary, not the domain.
Key Trust Properties
- Direction: 'A trusts B' means B's users can access A's resources; access flows opposite to intuition
- Intra-forest trusts: automatic, two-way, transitive, no SID filtering; compromise spreads across the forest
- Inter-forest trusts: manual, configurable direction, non-transitive by default, SID-filtered
- SID filtering: strips foreign SIDs from tokens crossing inter-forest boundaries; prevents SID injection
- Authentication ≠ authorization: a trust enables authentication across the boundary but does not grant permissions
Forest as Security Boundary
Domains within a forest share a schema, configuration partition, and transitive two-way trusts without SID filtering. Enterprise Admins in the forest root control every domain. Compromising one domain typically provides a path to all others. Separate domains within a forest do not provide security isolation.
Interview Phrasing
Domain trusts allow users in one domain to authenticate to resources in another. The critical distinction is between intra-forest trusts (automatic, transitive, no SID filtering, compromise spreads) and inter-forest trusts (manual, non-transitive, SID-filtered, more restricted). The forest is the real security boundary. When I enumerate trusts during an assessment, I am mapping the blast radius: where can this compromise reach.
Common Pitfalls
- Thinking trust direction is intuitive: 'A trusts B' means B's users access A's resources, not the reverse
- Assuming separate domains within a forest provide security isolation: they do not
- Treating all trusts as equal risk: intra-forest trusts are far more permissive than inter-forest trusts
- Skipping trust enumeration during assessments: this means missing cross-domain paths