Domain Trusts Brief


What It Is

A trust is a relationship between two domains that allows users in one domain to authenticate to resources in the other. Trusts have three properties: direction (one-way or two-way), transitivity (whether the trust extends through chains), and type (intra-forest or inter-forest). The forest is the real security boundary, not the domain.

Key Trust Properties

  • Direction — 'A trusts B' means B's users can access A's resources; access flows in the opposite direction to the trust, which is the reverse of what most people expect
  • Intra-forest trusts — automatic, two-way, transitive, no SID filtering; compromise spreads across the forest
  • Inter-forest trusts — manual, configurable direction, non-transitive by default, SID-filtered
  • SID filtering — strips foreign SIDs from tokens crossing inter-forest boundaries; prevents SID injection
  • Authentication ≠ authorization — a trust enables authentication across the boundary but does not grant permissions

Forest as Security Boundary

Domains within a forest share a schema, configuration partition, and transitive two-way trusts without SID filtering. Enterprise Admins in the forest root control every domain. Compromising one domain typically provides a path to all others. Separate domains within a forest do not provide security isolation.
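As an added example (not part of the brief), the helper below decodes the trustDirection and trustAttributes values of an AD trustedDomain object into the three properties listed above and rates the blast radius from the local domain's side. Flag values are the MS-ADTS constants; the sample trusts are constructed, and the SID-filtering rule is a deliberate simplification that ignores the relaxation flags.

```python
# Added example (not from the brief): decode an AD trustedDomain object's
# trustDirection / trustAttributes into the properties the brief lists and rate
# the blast radius from the local domain's side. Flag values are from MS-ADTS;
# the sample trusts at the bottom are constructed, not real.
TRUST_DIRECTION_INBOUND = 0x1   # partner trusts us: our users can authenticate there
TRUST_DIRECTION_OUTBOUND = 0x2  # we trust the partner: its users can authenticate here
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x1
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4  # SID filtering enforced on an external trust
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8   # forest trust (inter-forest, transitive)
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20      # intra-forest (parent/child or tree root)

def classify_trust(partner, trust_direction, trust_attributes):
    outbound = bool(trust_direction & TRUST_DIRECTION_OUTBOUND)
    inbound = bool(trust_direction & TRUST_DIRECTION_INBOUND)
    intra = bool(trust_attributes & TRUST_ATTRIBUTE_WITHIN_FOREST)
    forest = bool(trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
    quarantined = bool(trust_attributes & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
    # Intra-forest trusts are always transitive; inter-forest trusts only when they
    # are forest trusts and not explicitly flagged non-transitive.
    transitive = intra or (forest and not (trust_attributes & TRUST_ATTRIBUTE_NON_TRANSITIVE))
    # Simplification: nothing is filtered inside the forest; forest trusts filter by
    # default; external trusts filter only while quarantined (relaxation flags omitted).
    sid_filtered = not intra and (forest or quarantined)
    if intra:
        radius = "forest"    # a domain inside the forest is not a security boundary
    elif outbound and not sid_filtered:
        radius = "high"      # foreign SIDs are accepted in tokens issued here
    elif outbound:
        radius = "moderate"  # partner users authenticate here, but SIDs are filtered
    else:
        radius = "low"       # inbound only: the exposure is on the partner's side
    return dict(partner=partner, partner_users_auth_here=outbound,  # "A trusts B": B's users reach A
                our_users_auth_there=inbound, transitive=transitive,
                sid_filtered=sid_filtered, intra_forest=intra, blast_radius=radius)

# Constructed sample (partner, trustDirection, trustAttributes) tuples
SAMPLE_TRUSTS = [
    ("child.corp.example", 0x3, TRUST_ATTRIBUTE_WITHIN_FOREST),
    ("partner.example", 0x3, TRUST_ATTRIBUTE_FOREST_TRANSITIVE),
    ("legacy.example", 0x2, 0x0),  # one-way external trust with quarantine cleared
    ("vendor.example", 0x1, TRUST_ATTRIBUTE_QUARANTINED_DOMAIN),
]

def audit(trusts=SAMPLE_TRUSTS):
    # Classify every trust and sort so the widest blast radius comes first
    order = {"forest": 0, "high": 1, "moderate": 2, "low": 3}
    return sorted((classify_trust(*t) for t in trusts), key=lambda s: order[s["blast_radius"]])
```

Feeding the values read from each trustedDomain object in the System container gives the same map of where a compromise can reach that the brief describes.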

Interview Phrasing

Domain trusts allow users in one domain to authenticate to resources in another. The critical distinction is between intra-forest trusts (automatic, transitive, no SID filtering — compromise spreads) and inter-forest trusts (manual, non-transitive, SID-filtered — more restricted). The forest is the real security boundary. When I enumerate trusts during an assessment, I am mapping the blast radius: how far this compromise can reach.

Common Pitfalls

  • Thinking trust direction is intuitive — 'A trusts B' means B's users access A's resources, not the reverse
  • Assuming separate domains within a forest provide security isolation — they do not
  • Treating all trusts as equal risk — intra-forest trusts are far more permissive than inter-forest trusts
  • Skipping trust enumeration during assessments — this means missing cross-domain paths