Attack Computer Wiz

A Security & Technology Weblog

Establishing an external domain trust has many benefits when separate domains need to share services and data. However, the convenience of a domain trust comes at a great risk to the entities within each domain. When establishing a domain trust there are two options for defining the way that users from the trusted domain authenticate to the trusting domain.

The first method is called “Domain-wide authentication”. With this method every user in the trusted domain can authenticate to every computer in the trusting domain, and access to servers, services, shares and files is governed only by the normal NTFS and share permissions. Because those users also carry the trusting domain's Authenticated Users SID once they have authenticated, anything granted to Authenticated Users or Everyone is reachable from the trusted domain as well. In my opinion this places the trusting domain at risk from group nesting and permission creep.

The second method is my preferred method. “Selective authentication” takes a “deny all” approach: users from the trusted domain are blocked from authenticating to every computer in the trusting domain unless they have been explicitly granted the “Allowed to Authenticate” permission on that computer object in Active Directory. With this method administrators must grant that right on each system they wish to expose, in addition to the NTFS and share permissions. It is an extra layer of security and may give your domain administrators some ease when considering the domain trust risks.

To enable selective authentication there are a few prerequisites. The user performing the action on the trusting domain must be a member of Domain Admins or Enterprise Admins, and the domain functional level must be at least Windows Server 2003.

To configure selective authentication on an existing trust:

  1. Open the Active Directory Domains and Trusts snap-in.
  2. Right click the domain that you wish to configure and click ‘Properties’.
  3. Click on the ‘Trusts’ tab.
  4. Select the trust you wish to configure and click the ‘Properties’ button.
  5. Click the ‘Authentication’ tab and then click the ‘Selective Authentication’ radio button.
  6. Click ‘OK’.

To configure selective authentication during the creation of a new trust:

  1. Open the Active Directory Domains and Trusts snap-in.
  2. Right click the domain that you wish to configure and click ‘Properties’.
  3. Click on the ‘New Trust’ button.
  4. While you are walking through the New Trust Wizard you will be prompted for the authentication type. Select ‘Selective Authentication’ and finish the setup.
Take note: if you do not see the Selective Authentication option during trust creation, or you cannot select it on the 'Authentication' tab, the most likely cause is that the functional level of your domain is not Windows Server 2003 or later. The option is also only offered for external and forest trusts; trusts between domains inside the same forest (parent-child and shortcut trusts) do not support it.

The last step in this process is to create a Domain Local Group to which you will add the users from the trusted domain. The users added to this group will be allowed to authenticate to specific computers/servers. After the group is created:

  1. Open the Active Directory Users and Computers snap-in. If the 'Security' tab is missing in step 4, enable 'Advanced Features' from the 'View' menu first.
  2. Navigate the tree and locate the specific computer/server that you wish to grant access to.
  3. Right click on the computer/server object and choose 'Properties'.
  4. Click on the 'Security' tab.
  5. Click the 'Add' button, then search for and select the Domain Local Group that you have just created.
  6. Once back at the 'Security' tab, in the lower half, find the 'Allowed to Authenticate' permission and check the 'Allow' box.
  7. Click 'Apply'/'OK'.

At this point, any user that you have added to that Domain Local Group will be allowed to authenticate to any resource on that specific computer/server. You will need to repeat this process for every system that you wish to grant access to, and you will still need to configure NTFS and share permissions accordingly. Note that the 'Allowed to Authenticate' right is only evaluated while the trust is set to selective authentication; on a domain-wide trust it is not checked at all.
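As an added example that is not part of the original post, here is the same procedure scripted in PowerShell, covering both the trust setting above and the per-computer 'Allowed to Authenticate' grant, plus a small audit function so you can list who holds the right on a given computer. All names (corp.example, partner.example, the group name and the computer names) are hypothetical; the GUID is the schema's well-known Allowed-To-Authenticate rightsGuid. It assumes the ActiveDirectory RSAT module and netdom.exe are installed and that you run it as a Domain Admin of the trusting domain.

```powershell
# Added example (not from the original post). Hypothetical names throughout.
# Trusting domain: corp.example, trusted domain: partner.example.
Import-Module ActiveDirectory

$TrustingDomain = 'corp.example'
$TrustedDomain  = 'partner.example'
$GroupName      = 'Partner-FileServer-Access'
$Computers      = @('FS01', 'FS02')

# 1. Switch the existing trust to selective authentication (the equivalent of the
#    'Authentication' tab). netdom prompts for credentials if /UserD and /PasswordD
#    are omitted.
netdom trust $TrustingDomain /Domain:$TrustedDomain /SelectiveAuth:Yes

# 2. Verify. Any trust that still reports SelectiveAuthentication = False is
#    domain-wide, i.e. every trusted-domain user can authenticate everywhere.
function Get-DomainWideTrust {
    Get-ADTrust -Filter * |
        Where-Object { -not $_.SelectiveAuthentication } |
        Select-Object Name, Direction, TrustType, SelectiveAuthentication
}
Get-DomainWideTrust

# 3. Domain local group that will hold the trusted-domain users.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Trusted-domain users allowed to authenticate to selected servers'
}
$GroupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupName).SID

# 'Allowed to Authenticate' is an extended right on the computer object; this is
# the Allowed-To-Authenticate rightsGuid from the AD schema.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 4. Grant the right on one computer object (steps 2-7 of the GUI procedure).
function Grant-AllowedToAuthenticate {
    param(
        [string]$ComputerName,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    $dn  = (Get-ADComputer $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticate)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

# 5. Audit helper: list every ACE on the computer object that carries the
#    'Allowed to Authenticate' extended right, including inherited ones.
function Get-AllowedToAuthenticate {
    param([string]$ComputerName)
    $dn = (Get-ADComputer $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.ObjectType -eq $AllowedToAuthenticate -and
            ($_.ActiveDirectoryRights -band
             [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

foreach ($c in $Computers) {
    Grant-AllowedToAuthenticate -ComputerName $c -Sid $GroupSid
    Get-AllowedToAuthenticate -ComputerName $c
}
```

The audit function is the part worth keeping around: because 'Allowed to Authenticate' can also arrive by inheritance from an OU, run it periodically against the servers you exposed and treat any unexpected IdentityReference, or any entry with IsInherited set, as something to investigate rather than a harmless leftover.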


Posted by John "Mike" Wright
