Creating trusts between two forests raises two security concerns: SID
While this is a legitimate vulnerability, it is not an easy attack to perform, especially since it currently requires administrative access on the original domain in order to modify the SIDs attached to the user account's access token. However, taking steps to prevent such attacks is important. Microsoft has designed a SID Filtering countermeasure to address this issue; it is included in Windows Server 2003 and Windows 2000 Server Service Pack 4. All systems should be upgraded to these versions before establishing the external trust. If you are using older versions of Windows Server, or you already have external trusts created, SID Filtering can be enabled using the NETDOM command line utility.
The second risk is rogue administrators. Once the forest-to-forest external trust is established, it is possible to add users from the trusted domain into the domain local groups of the trusting domain. If a user from one forest is added into an administrative domain local group of the root of another forest, the isolation of the forests is compromised. This also means that if the users who are granted administrative access are not trustworthy, they have enough privilege to damage the forest. As a general rule, do not add users from one forest into administrative or service management groups of another forest.
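As an added illustration that is not part of the original article, the following PowerShell audit checks both concerns above: it lists external (non-forest-transitive) trusts whose SID filtering quarantine is off, and it flags privileged groups that contain principals from another forest. It assumes the ActiveDirectory RSAT module and read access to the domain; the NETDOM remediation command is printed for review, not executed, and the group check reads direct members only (nested groups are not expanded).

```powershell
# Added audit script (hypothetical, not from the article).
# Assumes the ActiveDirectory module and rights to read trust and group objects.
Import-Module ActiveDirectory

function Get-TrustSidFilteringReport {
    # External trusts are inter-forest trusts that are not forest-transitive.
    $external = Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest -and -not $_.ForestTransitive }
    $local = (Get-ADDomain).DNSRoot
    foreach ($t in $external) {
        $state = if ($t.SIDFilteringQuarantined) { 'SID filtering ON' } else { 'SID filtering OFF' }
        "{0,-35} {1,-14} {2}" -f $t.Name, $t.Direction, $state
        if (-not $t.SIDFilteringQuarantined) {
            # Remediation via NETDOM, as the article recommends; <admin> is a placeholder.
            "  netdom trust $local /domain:$($t.Name) /quarantine:Yes /userD:<admin> /passwordD:*"
        }
    }
}

function Get-ForeignPrivilegedMembers {
    # Enterprise Admins and Schema Admins only exist in the forest root domain;
    # -Filter returns nothing (no error) where a group is absent.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                  'Administrators', 'Account Operators', 'Server Operators'
    foreach ($name in $privileged) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -Properties member
        if (-not $group) { continue }
        foreach ($dn in $group.member) {
            # Accounts from a trusted forest are stored as foreignSecurityPrincipal
            # objects named by SID. S-1-5-21-* is a domain account SID; well-known
            # SIDs such as S-1-5-11 (Authenticated Users) are not foreign accounts.
            if ($dn -match '^CN=(S-1-5-21-[\d-]+),CN=ForeignSecurityPrincipals') {
                "WARNING: '$name' contains foreign principal $($Matches[1]) from a trusted forest"
            }
        }
    }
}

Get-TrustSidFilteringReport
Get-ForeignPrivilegedMembers
```

Any trust reported as "SID filtering OFF" and any WARNING line is a finding to review against the two rules stated above.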
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in February 2004