Advanced | T1134.005

Trust Relationships

Trusts allow users in one domain or forest to access resources in another. They expand the attack surface dramatically when misconfigured.

Sometimes a company has more than one domain or forest in its network, or it needs to share resources with a partner company. Trust relationships are the mechanism that allows users in one domain to access resources in another. Think of it like two buildings that decide to honor each other's employee badges. Trusts can be one-way (building A honors building B's badges, but not the other way around) or two-way (both buildings honor each other's badges). They can also be transitive, meaning if A trusts B and B trusts C, then A automatically trusts C. While trusts enable collaboration, they also expand the attack surface: compromising one domain in a trust chain can give access to others.

When two countries sign a treaty, citizens of one country can travel to the other with certain privileges. A one-way trust is like a visa that only works in one direction. A two-way trust is like a mutual travel agreement. Transitive trusts mean that if Country A trusts Country B and Country B trusts Country C, then Country A also trusts Country C. In AD, these trust agreements let users cross domain or forest boundaries -- and attackers love to exploit them to hop from a compromised domain into a new one.

Key Takeaways

  1. Intra-forest trusts are automatic, two-way, and transitive -- making the forest the security boundary.
  2. External and forest trusts can be one-way or two-way and vary in transitivity.
  3. SID filtering blocks foreign SIDs from being honored across trust boundaries.
  4. SID History injection can escalate privileges across forests if SID filtering is disabled.
  5. Trust keys can be compromised to forge cross-realm Kerberos tickets.

Why Should I Care?

Trusts are often the bridge that attackers use to move from one compromised domain to the rest of the organization. Misunderstanding trust boundaries is one of the most dangerous mistakes an AD architect can make.
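To make the direction and transitivity rules above concrete, here is an added Python model (not code from the page's sources) that walks a set of trust records and reports which domains accept credentials from a given compromised domain, and which hops on those paths have SID filtering turned off. The domain names, the trust records and the `Trust` record shape are constructed for the example; they mirror the `Direction`, `ForestTransitive` and `SIDFilteringQuarantined` attributes an administrator would read from the real directory, but nothing here queries AD. The model simplifies one point: it treats any transitive trust as chaining freely, whereas a real forest trust is transitive only between the two forests' own domains.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One direction of a trust: users from `trusted` may access resources in `trusting`.
    A two-way trust is represented as two records. (Constructed shape, not an AD class.)"""
    trusting: str        # domain that honours the other side's tickets
    trusted: str         # domain whose users are accepted
    transitive: bool     # can this trust be chained with another transitive trust?
    sid_filtering: bool  # SID filtering / quarantine enforced on this trust?


def reachable_from(compromised: str, trusts: list[Trust]) -> dict[str, tuple[Trust, ...]]:
    """Map each domain whose resources a principal from `compromised` can reach
    to the chain of trusts that gets there. Multi-hop paths are only valid when
    every trust on the path is transitive (A trusts C only if A-B and B-C both are)."""
    by_trusted: dict[str, list[Trust]] = {}
    for t in trusts:
        by_trusted.setdefault(t.trusted, []).append(t)

    results: dict[str, tuple[Trust, ...]] = {}
    # BFS state: (current domain, path so far, whether every hop so far was transitive)
    queue = deque([(compromised, (), True)])
    seen = {(compromised, True)}
    while queue:
        domain, path, chain_transitive = queue.popleft()
        for t in by_trusted.get(domain, []):
            if path and not (chain_transitive and t.transitive):
                continue  # non-transitive link somewhere: the chain stops here
            next_transitive = chain_transitive and t.transitive
            state = (t.trusting, next_transitive)
            if state in seen or t.trusting == compromised:
                continue
            seen.add(state)
            new_path = path + (t,)
            results.setdefault(t.trusting, new_path)
            queue.append((t.trusting, new_path, next_transitive))
    return results


def unfiltered_hops(paths: dict[str, tuple[Trust, ...]]) -> list[tuple[str, str]]:
    """Trusts on the reachable paths where SID filtering is off, i.e. where a
    SID History entry from the trusted side would be honoured (Key Takeaway 4)."""
    weak = {(t.trusted, t.trusting) for path in paths.values() for t in path if not t.sid_filtering}
    return sorted(weak)


# Constructed sample: one forest (corp + child dev), a two-way forest trust to a
# partner, and a one-way non-transitive external trust to a legacy domain on
# which an administrator has disabled SID filtering.
SAMPLE_TRUSTS = [
    # intra-forest parent/child: automatic, two-way, transitive, no SID filtering by design
    Trust("corp.example", "dev.corp.example", transitive=True, sid_filtering=False),
    Trust("dev.corp.example", "corp.example", transitive=True, sid_filtering=False),
    # forest trust with the partner: two-way, transitive, SID filtering on
    Trust("corp.example", "partner.example", transitive=True, sid_filtering=True),
    Trust("partner.example", "corp.example", transitive=True, sid_filtering=True),
    # external trust: corp honours legacy users only, non-transitive, SID filtering disabled
    Trust("corp.example", "legacy.example", transitive=False, sid_filtering=False),
]


def report(compromised: str, trusts: list[Trust]) -> None:
    paths = reachable_from(compromised, trusts)
    print(f"If {compromised} is compromised, its principals are accepted by:")
    for domain, path in sorted(paths.items()):
        hops = " -> ".join([compromised] + [t.trusting for t in path])
        print(f"  {domain}  via {hops}")
    for trusted, trusting in unfiltered_hops(paths):
        print(f"  ! SID filtering off on {trusting} <- {trusted}: SID History would be honoured")


if __name__ == "__main__":
    report("dev.corp.example", SAMPLE_TRUSTS)
    report("legacy.example", SAMPLE_TRUSTS)
```

Running the script shows the two rules side by side: from the child domain the chain of transitive trusts carries through the parent into the partner forest, while from the legacy domain the non-transitive external trust stops at corp.example. The intra-forest hop is reported as unfiltered because that is normal (the forest, not the domain, is the boundary); the unfiltered external hop is the finding an auditor would raise.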

Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.