Windows Active Directory Family---Configure trust for AD Domain Services (2)


Some of the advanced configurations for AD DS trusts are described below:

A trust can itself become a security problem. If a trust relationship is configured inappropriately, users who should have no rights in your domain end up with access to some of your resources. To keep this under control, AD DS offers several mechanisms that let you manage what a trust actually grants: SID filtering, selective authentication and name suffix routing.

  1. SID filtering

    When a forest trust or external trust is created, the trust is placed in domain quarantine by default; this is what SID filtering means. When a user from a trusted domain authenticates, the authorization data the user presents contains the user's own SID, the SIDs of the groups the user belongs to, and any SIDs stored in the SID history (sIDHistory) attribute of the user and of those groups.

    SID filtering is enabled by default and prevents a Domain Admin or Enterprise Admin in a trusted forest or domain from granting elevated rights in the trusting domain to accounts from their own forest or domain. Put simply, if Forest1 and Forest2 trust each other and user A is a Domain Admin or Enterprise Admin in Forest1, A still cannot elevate other Forest1 accounts, or himself, to Domain Admin or any other privileged role in Forest2. With SID filtering, only SIDs that the trusted domain itself issued (the SID in the objectSID attribute and group SIDs from that same domain) are accepted; SIDs carried in SID history that belong to some other domain are dropped, which prevents SID history from being misused.

    Seen from the trusted domain, an administrator there holds administrative credentials for that domain and could load into the SID history attribute of one of its accounts a SID that matches a privileged account or group in your domain; that account could then obtain an access level in your domain that was never granted. SID filtering blocks this by discarding, from the authorization data of security principals in the trusted domain, every SID that the trusted domain did not issue. Each SID carries the SID of the domain that created it, so when a user from the trusted domain presents his own SID and the list of SIDs of the groups he belongs to, the trusting domain compares the domain part of each SID against the trusted domain's SID and drops every SID that does not belong to the trusted domain. On a forest trust, SIDs from any domain in the trusted forest pass; the stricter domain quarantine mode (set with netdom /quarantine) accepts only SIDs of the directly trusted domain. SID filtering is enabled by default on outgoing external trusts and forest trusts.
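    The following PowerShell is an added example, not code from the original post. It shows how to read the SID-filtering state of every trust with Get-ADTrust, models the quarantine rule described above on a constructed list of SIDs (the domain SIDs are made-up sample values), gives the netdom commands that enforce it, and audits the local domain for accounts that still carry sIDHistory. It assumes the RSAT ActiveDirectory module on a machine joined to adatum.com and an existing trust to contoso.com; the toy filter models only the domain-SID rule, not the handful of well-known SIDs that real SID filtering additionally keeps.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) on a domain-joined admin machine in adatum.com and an
# existing trust to contoso.com. Domain SIDs below are constructed samples.
Import-Module ActiveDirectory

# 1. Inspect the SID-filtering state of every trust this domain holds.
#    SIDFilteringQuarantined = domain quarantine (netdom /quarantine:yes)
#    SIDFilteringForestAware = forest-wide filtering on a forest trust
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SIDFilteringForestAware,
                  SelectiveAuthentication |
    Format-Table -AutoSize

# 2. Model what quarantine-mode SID filtering does to a trusted user's
#    authorization data: every SID whose domain part is not the SID of the
#    trusted domain is discarded, including anything planted in sIDHistory.
#    (Models only the domain-SID rule; real filtering also keeps a fixed
#    set of well-known SIDs.)
function Select-FilteredSid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]   $TrustedDomainSid,  # e.g. S-1-5-21-...
        [Parameter(Mandatory)][string[]] $PresentedSids
    )
    foreach ($sid in $PresentedSids) {
        # Domain part = everything before the final RID
        $domainPart = $sid.Substring(0, $sid.LastIndexOf('-'))
        if ($domainPart -eq $TrustedDomainSid) {
            $sid                                  # issued by the trusted domain: keep
        } else {
            Write-Verbose "Filtered foreign SID $sid"   # not issued by it: drop
        }
    }
}

# Constructed sample: contoso's domain SID (trusted) and adatum's (trusting).
$contosoSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$adatumSid  = 'S-1-5-21-4444444444-5555555555-6666666666'
$presented  = @(
    "$contosoSid-1105",   # the user's own objectSID
    "$contosoSid-1120",   # a contoso group the user is a member of
    "$adatumSid-512"      # adatum Domain Admins, planted in sIDHistory
)
Select-FilteredSid -TrustedDomainSid $contosoSid -PresentedSids $presented -Verbose
# Only the two contoso SIDs survive; the adatum Domain Admins SID is dropped.

# 3. Enforce or relax filtering on the real trust (run on a DC of the
#    trusting domain; netdom ships with AD DS / RSAT).
#    netdom trust adatum.com /domain:contoso.com /quarantine:yes        # external trust
#    netdom trust adatum.com /domain:contoso.com /enablesidhistory:no   # forest trust

# 4. Audit your own domain for accounts that still carry SID history
#    (a migration leftover, and the attribute an attacker would target).
Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    Select-Object Name, DistinguishedName,
                  @{ n = 'sIDHistory'; e = { $_.sIDHistory -join ';' } }
```

    The netdom lines are left as comments because they change the trust; run them deliberately on the trusting side, and re-run the Get-ADTrust query afterwards to confirm the SIDFilteringQuarantined and SIDFilteringForestAware values changed as intended.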

  2. Selective authentication

    When you create an external trust or a forest trust, you can control the scope within which trusted security principals are allowed to authenticate. An external trust or forest trust has two authentication modes:

    A. Domain-wide authentication (for external trusts) or forest-wide authentication (for forest trusts)

    B. Selective authentication

    If you choose domain-wide or forest-wide authentication, every computer and service in the trusting domain will authenticate users from the trusted domain, so a trusted user can be authorized to access resources anywhere in the trusting domain. In this mode all users from the trusted domain or forest count as Authenticated Users in the trusting domain, so any resource whose ACL grants access to the Authenticated Users group is immediately accessible to users of the trusted forest or domain as well.

    With selective authentication, users of the trusted domain are still trusted identities, but they can authenticate only to the services on the computers you explicitly designate, and they do not become Authenticated Users in the target domain. Instead, you grant the user or group permission to authenticate to the specified computers explicitly, through the Allowed to Authenticate permission on the computer object.

    For example, suppose you have an external trust with a business partner and you only want members of the other company's marketing group to reach the shared files on one particular file server in your company. You configure the trust for selective authentication and then grant the users of the trusted domain permission to authenticate only on that file server.

  3. Name suffix routing

    Name suffix routing is the mechanism that controls how authentication requests are routed between forests joined by a forest trust (Windows Server 2003 and later). To simplify the management of authentication requests, AD DS routes all unique name suffixes by default when a forest trust is created. A unique name suffix is a name suffix in the forest that is not a child of any other name suffix, such as a UPN suffix, an SPN suffix, or the DNS name of the forest or of a domain tree. For example, the unique name suffix of the contoso.com forest is its DNS forest name, contoso.com.

    AD DS implicitly routes every name that falls under a unique name suffix. If a forest uses contoso.com as a unique name suffix, authentication requests for all subdomains of contoso.com are routed as well, because those subdomains are part of the contoso.com name suffix. The subdomain names are shown in the Active Directory Domains and Trusts snap-in. If you want a particular subdomain of a forest to be excluded from authentication across the trust, you can disable name suffix routing for that subdomain name; routing for the forest name itself can also be disabled.
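    As an added example (not part of the original post), the script below lists the name suffixes a forest trust routes, with their status, using the System.DirectoryServices.ActiveDirectory Forest class, and shows in comments how a suffix is excluded. It assumes it runs as an administrator in the adatum.com forest with a forest trust to contoso.com in place; the excluded subdomain name in the comments is hypothetical.

```powershell
# Added example (not from the original post). Assumes an admin session in
# the adatum.com forest with an existing forest trust to contoso.com.
Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Enumerate every forest trust and the name suffixes it routes.
foreach ($trust in $forest.GetAllTrustRelationships()) {
    "Forest trust to {0} (direction: {1})" -f $trust.TargetName, $trust.TrustDirection

    # Unique name suffixes (forest/tree names, UPN and SPN suffixes).
    # Status is Enabled, NewlyCreated, AdminDisabled or ConflictDisabled;
    # a suffix in AdminDisabled or ConflictDisabled state is not routed.
    foreach ($tln in $trust.TopLevelNames) {
        "  suffix   *.{0,-28} status: {1}" -f $tln.Name, $tln.Status
    }

    # Subdomains of a routed suffix that an admin has excluded explicitly.
    foreach ($excluded in $trust.ExcludedTopLevelNames) {
        "  excluded {0,-30} (not routed)" -f $excluded
    }

    # Individual domains of the trusted forest and their routing status.
    foreach ($domain in $trust.TrustedDomainInformation) {
        "  domain   {0,-30} NetBIOS: {1,-10} status: {2}" -f $domain.DnsName, $domain.NetBiosName, $domain.Status
    }
}

# To stop routing a hypothetical subdomain of the trusted forest, add it
# to the exclusion list and save the change (writes to the trust object):
#   $t = $forest.GetTrustRelationship('contoso.com')
#   $t.ExcludedTopLevelNames.Add('lab.contoso.com')
#   $t.Save()
# The netdom equivalents: list suffixes with
#   netdom trust adatum.com /domain:contoso.com /namesuffixes:contoso.com
# and toggle one by the number shown in that list with
#   netdom trust adatum.com /domain:contoso.com /togglesuffix:<number>
```

    Run it from the trusting forest before and after changing routing in the snap-in to confirm which suffixes are actually enabled; a suffix that shows ConflictDisabled collides with a name already claimed by another trust and has to be resolved on one side or the other.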

Lab Environment:

LON-DC1   adatum.com domain controller + DNS, IP 172.16.0.10

TREY-DC1  contoso.com domain controller + DNS, IP 10.10.0.10

LON-SVR1  adatum.com member server, IP 172.16.0.21


Experimental Purpose:

Configure the forest trust for selective authentication and verify the effect of the configuration



1. Configure a stub zone for DNS name resolution on both DCs

Open DNS Manager on LON-DC1 and, under Forward Lookup Zones, create a new stub zone named contoso.com.


Then create an adatum.com stub zone in DNS Manager on TREY-DC1.


2. Configure a forest trust with selective authentication

On LON-DC1, open the Active Directory Domains and Trusts console and configure a one-way outgoing forest trust to the contoso.com forest, choosing selective authentication for the outgoing trust in the wizard.


Switch to TREY-DC1 to check that the trust was created (when configuring the trust on LON-DC1, choose to create the trust in both this domain and the specified domain). Open Active Directory Domains and Trusts on TREY-DC1, right-click contoso.com, select Properties and open the Trusts tab: an incoming trust from adatum.com is listed, which shows that the trust was established successfully.


3. Configure LON-SVR1 for selective authentication

Open Active Directory Users and Computers on LON-DC1 and enable the Advanced Features view.


Locate LON-SVR1, double-click it and open the Security tab. Click Add, change the location in the dialog to contoso.com, type the group name in the field below and click Check Names; in the credentials prompt, enter Contoso's domain Administrator account and password.


In the permissions list for the IT group, check Allow for the Allowed to Authenticate permission.


Then log on to LON-SVR1, create a shared folder named IT on the C: drive and grant CONTOSO\IT read and write access.


Sign in to TREY-DC1 as User1, a member of the IT group, and open the IT share on LON-SVR1. (For the test, the IT and Sales groups were added to Contoso's Domain Admins group, because a regular user is not allowed to log on locally to a domain controller; that is a lab shortcut only.) To verify that the trust and the permissions we configured are in effect, create a document as User1 in the IT share on LON-SVR1.


Then verify with User2, a member of the Sales group, whether he can create a document in the IT share. User2 cannot open the IT share at all, because he has not been allowed to authenticate to the LON-SVR1 server; the request is refused at authentication, before the share or NTFS permissions are even consulted.

This completes the lab for configuring selective authentication on a forest trust.
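The PowerShell below is an added example, not code from the original post. It is the scripted equivalent of lab steps 2 and 3, and also illustrates the selective authentication section above: it confirms the trust is in selective mode (and switches it if not), grants CONTOSO\IT the Allowed to Authenticate right on the LON-SVR1 computer object by resolving the right's GUID from the schema, and reads the resulting ACEs back. It assumes the ActiveDirectory module on LON-DC1, an existing one-way outgoing forest trust to contoso.com, and an adatum.com Domain Admin session; the group and computer names are the lab's.

```powershell
# Added example (not from the original post): scripted version of lab
# steps 2 and 3. Assumes the ActiveDirectory module on LON-DC1, an existing
# outgoing forest trust to contoso.com, and an adatum.com Domain Admin session.
Import-Module ActiveDirectory

# Step 2 check: make sure the trust really uses selective authentication.
$trust = Get-ADTrust -Identity 'contoso.com'
if (-not $trust.SelectiveAuthentication) {
    # Switch the existing outgoing forest trust to selective authentication.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.SetSelectiveAuthenticationStatus('contoso.com', $true)
}

# Step 3: grant "Allowed to Authenticate" on the LON-SVR1 computer object.
# It is an extended right; resolve its GUID from the Extended-Rights
# container of the configuration partition instead of hard-coding it.
$rootDse   = Get-ADRootDSE
$right     = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
                          -LDAPFilter '(displayName=Allowed to Authenticate)' `
                          -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

# Resolve the foreign group to its SID through the trust (this lookup only
# works once the outgoing trust exists).
$groupSid = ([System.Security.Principal.NTAccount]'CONTOSO\IT').Translate(
                [System.Security.Principal.SecurityIdentifier])

$computerDn = (Get-ADComputer -Identity 'LON-SVR1').DistinguishedName
$acl = Get-Acl -Path "AD:\$computerDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
           $groupSid,
           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
           [System.Security.AccessControl.AccessControlType]::Allow,
           $rightGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$computerDn" -AclObject $acl

# Verify: who may authenticate to LON-SVR1. Any CONTOSO principal missing
# from this list (the Sales group in the lab) is refused at authentication,
# before the share or NTFS ACL on C:\IT is consulted.
(Get-Acl -Path "AD:\$computerDn").Access |
    Where-Object { $_.ObjectType -eq $rightGuid -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, AccessControlType
```

The share and NTFS permissions on C:\IT are still needed for User1 to write, exactly as in the lab; Allowed to Authenticate only opens the door to the computer, and the server's own ACLs then decide what a trusted user can do once inside.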


This article is from the "Dry Sea Sponge" blog, please be sure to keep this source http://thefallenheaven.blog.51cto.com/450907/1584947
