Security Risks of a One-Way Trust Relationship between Domains


Solution 1

Your vendor would not have access to resources in your forest with a one-way trust, so the risk to your environment is somewhat minimized on an AD functional level.

On a network level, there are a truckload of ports that need to be opened between your domain controllers and the vendor's domain controllers. If their domain controllers or application servers are compromised, the compromised vendor machines may have direct network-level access to attack your domain controllers.

Attackers may also be able to compromise the hash of your accounts that are authenticating on the vendor's systems, and use those compromised credentials to gain access to your environment.

Federated solutions are usually a far better choice.

Solution 2

The security risk of a domain trust is that, if your environment is compromised, it could be possible to use SIDHistory for privilege escalation. Most secure is a cross-forest trust, as that allows for the secure transmission of foreign security principals (and, more importantly, they are identified as foreign). You can also use selective authentication to ensure that only the proper FSP is allowed in.

The one indirect issue with trusts of any kind is that Authenticated Users membership means authenticated users; that will include authenticated users from the external forest.
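An added audit script, not part of either answer, that lists the trusts of the current domain and flags the settings the answer above refers to (trust direction, SID filtering, selective authentication). It assumes the RSAT ActiveDirectory module is installed and the caller can read trust objects; the function name is mine.

```powershell
# Added example, not from the original answers. Assumes the ActiveDirectory
# module (RSAT) is available and that the caller can read trustedDomain objects.
Import-Module ActiveDirectory

function Get-TrustRiskReport {
    # Enumerate every trustedDomain object in the current domain.
    Get-ADTrust -Filter * -Properties * | ForEach-Object {
        $findings = @()

        # Direction is from this domain's perspective: 'Inbound' means the
        # partner trusts us (our users can use their resources, the vendor
        # scenario); 'Outbound' or 'Bidirectional' means we trust the partner
        # and its accounts can be used against our resources.
        if ($_.Direction -ne 'Inbound') {
            $findings += "direction is $($_.Direction); partner accounts can reach our resources"
        }

        # SID filtering (quarantine on external trusts, forest-aware filtering
        # on forest trusts) strips foreign SIDHistory entries from tokens,
        # which blocks the SIDHistory escalation path described in Solution 2.
        if (-not $_.SIDFilteringQuarantined -and -not $_.SIDFilteringForestAware) {
            $findings += 'SID filtering is not enforced'
        }

        # Selective authentication requires an explicit "Allowed to
        # Authenticate" grant per resource instead of the implicit access
        # that Authenticated Users membership gives partner accounts.
        if (-not $_.SelectiveAuthentication) {
            $findings += 'selective authentication is off (Authenticated Users includes the partner)'
        }

        # An RC4-only trust uses the weaker Kerberos ticket encryption type.
        if ($_.UsesRC4Encryption -and -not $_.UsesAESKeys) {
            $findings += 'trust is RC4-only; enable AES'
        }

        [pscustomobject]@{
            Trust     = $_.Name
            Direction = $_.Direction
            Type      = $_.TrustType
            Findings  = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-TrustRiskReport | Format-Table -AutoSize
```

The direction check is written for the vendor case in the question (only the vendor's domain should trust ours); adjust it if a trust is deliberately two-way.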


Benjamin Hubbard

Updated on September 18, 2022

  Benjamin Hubbard almost 2 years

    A vendor is asking us to create a one-way trust relationship between their domain and ours so that our users can log onto their applications/servers with credentials from our domain.

    What are the security risks involved? My first thought is to deny the request and insist that they install their application on servers we have verified and that we monitor/scan on our domain. But I'd like to have something to back me up so that it isn't just "because I said so."

    EDIT: Their servers are located on-site here but on their own domain (something.local).

    • raja about 9 years
      If it's between domains it is in your environment - are you sure you are not referring to cross-forest trusts?
    • Tony Hinkle about 9 years
      Typically with a vendor this would be a federated trust - is that what they are asking for?
    • raja about 9 years
      NO - a federated trust typically means using SAML federation services like PingFederate or ADFS. That's more secure from an AD point of view since you are not using Kerberos but SAML claims.
  • raja about 9 years
    Network port issues can be somewhat mitigated; however, you can help mitigate PtH attacks by using IPsec to prevent lateral traversal.