Creating trusts between two forests raises two security concerns: SID spoofing for privilege escalation and rogue administrators. SID spoofing means adding the SIDs of non-trusted domains to the access token of a security principal (i.e. a user account) in such a way that the trusted domain accepts (i.e. authorizes) those SIDs. A SID embeds the ID of the domain in which the user account was originally created. When a trust is established, a new user account is created in the newly trusted domain and the SID information from the original domain is added to the sIDHistory value of the new account. The newly trusted domain automatically accepts every SID in the sIDHistory value. Thus, if SIDs from non-trusted domains are added to the user's access token in the original domain before the account is migrated to the new domain, privilege escalation may occur.
While this is a legitimate vulnerability, it is not an easy attack to perform, especially since it currently requires administrative access on the original domain in order to modify the SIDs attached to the user account's access token. Nevertheless, taking steps to prevent such attacks is important. Microsoft has designed a SID Filtering countermeasure to address this issue; it is included in Windows Server 2003 and Windows 2000 Server Service Pack 4. All systems should be upgraded to these versions before the external trust is established. If you are using older versions of Windows Server, or you already have external trusts in place, SID Filtering can be enabled using the NETDOM command-line utility.
The second risk is rogue administrators. Once the forest-to-forest external trust is established, it is possible to add users from the trusted domain into the domain local groups of the trusting domain. If a user from one forest is added to an administrative domain local group of the root domain of another forest, the isolation between the forests is compromised. This also means that if the users who are granted such administrative access are not trustworthy, they have enough privilege to damage the forest. As a general rule, do not add users from one forest into the administrative or service management groups of another forest.
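The following PowerShell audit is an added example, not code from the original article: it checks the two risks described above (SID filtering status and suspicious sIDHistory entries, then foreign principals in domain local administrative groups). It assumes the ActiveDirectory module and a domain-joined account with read access; the $ExpectedSourceDomainSids list is a placeholder the auditor fills with the SIDs of domains that were legitimately migrated.

```powershell
# Added audit example (not from the original article). Assumes the ActiveDirectory
# module and read access to the trusting domain. To enable SID filtering on an existing
# external trust, the NETDOM form is:  netdom trust <TrustingDomain> /domain:<TrustedDomain> /quarantine:Yes
Import-Module ActiveDirectory

$ExpectedSourceDomainSids = @('S-1-5-21-PLACEHOLDER-SOURCE-DOMAIN')  # constructed placeholder, fill in
$PrivilegedRids = 500, 512, 518, 519   # Administrator, Domain Admins, Schema Admins, Enterprise Admins

# 1. Is SID filtering on for every trust? External trusts expose SIDFilteringQuarantined
#    (set by /quarantine:Yes); forest trusts expose SIDFilteringForestAware instead.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware |
    Format-Table -AutoSize

# 2. Accounts whose sIDHistory points at an unexpected domain, at this domain itself,
#    or at a privileged RID. Legitimate migration only ever adds SIDs from the old domain.
$localDomainSid = (Get-ADDomain).DomainSID.Value
Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties SIDHistory | ForEach-Object {
    $user = $_
    foreach ($sid in $user.SIDHistory) {
        $domainSid = $sid.AccountDomainSid.Value          # null for well-known SIDs such as S-1-5-32-544
        $rid       = [int]($sid.Value.Split('-')[-1])
        $reasons   = @()
        if ($domainSid -eq $localDomainSid)                        { $reasons += 'SID from this domain in history' }
        elseif ($ExpectedSourceDomainSids -notcontains $domainSid) { $reasons += 'unexpected source domain' }
        if ($PrivilegedRids -contains $rid)                        { $reasons += "privileged RID $rid" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ User = $user.SamAccountName; HistorySid = $sid.Value; Reason = ($reasons -join '; ') }
        }
    }
} | Format-Table -AutoSize

# 3. Members from another forest in this domain's built-in domain local administrative groups
#    (the rogue-administrator risk). Such members appear as foreignSecurityPrincipal objects.
$adminLocalGroups = 'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
foreach ($group in $adminLocalGroups) {
    Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'foreignSecurityPrincipal' } |
        ForEach-Object { [pscustomobject]@{ Group = $group; ForeignMember = $_.SID.Value } }
}
```

Any row from section 2 or 3 deserves a manual review against the migration and delegation records; an empty result from section 1's SIDFilteringQuarantined column on an external trust means filtering has not been turned on.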
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.