Abstract

This chapter discusses how security relationships between Windows domain security authorities, known as trust relationships, are established. It focuses only on the standard Windows Active Directory (AD) trust features in Windows Server 2003 and Windows Server 2003 R2. A trust relationship defines an administrative and security link between two Windows domains or forests that lets a user access resources located in a domain or forest other than the user's own. A trust does not by itself grant users general access to resources in the trusting domain or forest; the domain or forest administrator still has to assign access rights to the users for the appropriate resources. Whenever a trust relationship is set up between two domains, there is always a trusted domain and a trusting domain. The trusting domain is the one that initiates the setup of the trust relationship; the trusted domain is the subject of the trust definition. The chapter also covers the Windows Server 2003 trust properties and trust types, the ways to create trusts, and how trust relationships work behind the scenes. The discussion pays special attention to the forest trust, an important new trust type in Windows Server 2003. A secure channel is created between two Windows domain controllers (DCs) each time a trust relationship between the domains hosting those DCs is used. In a Windows environment, secure channels are not set up only between domain controllers; they also provide a secure communication path between security principals. A secure channel enables the secure replication of Active Directory data between domain controllers in the same domain and in different domains. The chapter concludes with ways to control the setup of secure channels, including validating secure channels, fine-tuning secure channel security services, trust- and secure-channel-related management tools, and trusts and firewalls.
