Trust Types

Intra-forest trusts are trust relationships between domains and computers in the same forest. Inter-forest trusts are trust relationships between domains in two different forests. Managing authentication and access to resources correctly depends on knowing which kind of trust is in play.

Three kinds of intra-forest trust exist automatically, as a consequence of domain and computer membership:

- A two-way, transitive, Kerberos-style trust between all domains in the forest. These trusts (the parent-child and tree-root trusts) are established whenever a Windows 2000 or Windows Server 2003 domain is added to the forest.
- The trust between all domain controllers in a domain, established when a Windows 2000 or Windows Server 2003 computer is promoted to DC in that domain. The Windows NT 4.0 equivalent is the relationship between the domain's primary domain controller (PDC) and each backup domain controller (BDC), established when a Windows NT 4.0 server is installed as a BDC. Only one PDC can exist in a Windows NT 4.0 domain.
- The trust between a member computer and a Windows DC, formed by joining a Windows Server 2003, Windows 2000, Windows XP, or Windows NT 4.0 computer to a Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.

Each of these is formed automatically when the corresponding action (adding a domain, promoting a DC, joining a computer) completes; none is created by hand. A fourth kind of intra-forest trust, the shortcut trust, can be created between two domains in the same forest and is explained in the section "Shortcut Trusts." Shortcut trusts are created manually, with the Active Directory Domains and Trusts console or the netdom trust command. Completing such a trust requires an administrative account in each of the two domains and a trust password that is unique to that trust: the same password is used on both sides to establish it, and a new one is generated for each new trust.
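As an added example, not from the book, here is what the manual creation step looks like with netdom (from the Windows Server 2003 Support Tools) run from PowerShell: a two-way shortcut trust between two child domains of one forest, created in one step with an administrative account in each domain and then verified. The domain and account names are hypothetical.

```powershell
# Added example (not from the book). Creates a two-way shortcut trust between
# two child domains of the same forest with netdom, then verifies it.
# Domain and account names are hypothetical; run as a user who can reach a DC
# of both domains, from a machine with the Support Tools installed.
$TrustingDomain = 'eng.corp.example.com'    # first side of the shortcut trust
$TrustedDomain  = 'sales.corp.example.com'  # second side (direction is moot with /twoway)
$TrustingAdmin  = 'ENG\trustadmin'          # administrator in eng.corp.example.com
$TrustedAdmin   = 'SALES\trustadmin'        # administrator in sales.corp.example.com

# /add with /twoway creates both sides in one operation, so netdom generates
# the trust password itself. /pd:* and /po:* prompt for the two administrator
# passwords instead of taking them on the command line, where they would be
# kept in command history.
netdom trust $TrustingDomain /d:$TrustedDomain /add /twoway `
    /ud:$TrustedAdmin /pd:* /uo:$TrustingAdmin /po:*

# Check that the secure channel for the new trust works from the trusting side.
netdom trust $TrustingDomain /d:$TrustedDomain /verify `
    /ud:$TrustedAdmin /pd:* /uo:$TrustingAdmin /po:*

# List what this domain now records for its trusts: type, direction, attributes.
nltest /domain_trusts /v
```

If the two sides are instead created separately (/oneside:trusting in one domain, /oneside:trusted in the other), the administrator supplies the same /PasswordT value in both runs; that value is the trust password described above, and the trust does not work until both sides have been created with it.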
The remaining trust types, each covered in the sections that follow, are:

- Kerberos two-way, transitive trusts between domains in a Windows 2000 or Windows Server 2003 forest
- Windows NT 4.0 one-way, nontransitive trusts
- External trusts between a domain in one forest and a Windows Server 2003, Windows 2000, or Windows NT 4.0 domain
- External trusts with non-Windows Kerberos realms
- Trusts between two Windows Server 2003 forests: the forest trust

Inter-Domain Kerberos Trusts

The Kerberos trust relationship formed between domains in the same forest is transitive and two-way. Transitive means that trust flows through intermediate domains, so a trust relationship exists between every pair of domains in the forest. Figure 8-1 shows a simple example: Domain A trusts Domain B, and Domain B trusts Domain C, which implies that Domain A trusts Domain C. Two-way means that because Domain A trusts Domain B, Domain B also trusts Domain A. To get the same result with Windows NT 4.0 domains, every trust would have to be created individually, one direction at a time: if n is the number of domains that need complete two-way trust, n(n - 1) one-way trusts (two for each of the n(n - 1)/2 pairs of domains) must be created; for ten domains that is 90 trusts.

Figure 8-1. Windows Server 2003 trusts between domains in the forest are transitive.

Shortcut Trusts

Shortcut trusts are trusts that an administrator creates between two domains in the same forest; they can be one-way or two-way. Because every domain in the forest already trusts every other domain, a shortcut trust grants no access that did not exist before; it is created only where it shortens the trust path and so speeds up authentication (obtaining a session ticket) to resources in the other domain. Chapter 3, "Authorization: Limiting System Access and Controlling User Behavior," described how a user obtains a session ticket for a resource in a domain other than the one holding the user's account. Figure 8-2 illustrates that process. In the figure, solid lines indicate that all domains are in the same forest. DNS-style names are omitted for simplicity; the domains are simply numbered.
John, who has an account in domain 8, has been given permission to access files in domain 12. The arrows show the trust path his request for a session ticket must follow: the referrals pass along the parent-child and tree-root trusts from domain 8 to domain 12, through every domain in between. In a large forest, this can delay his access, or prevent it altogether if a domain controller for one of the domains on the trust path cannot be located. A shortcut trust between domain 8 and domain 12 lets the referral go directly from his account domain to the domain holding the resource, as Figure 8-3 shows.

Figure 8-2. The forest trust path.

Figure 8-3. The shortcut trust authentication path.

Windows NT 4.0 Trusts

Trusts formed with Windows NT 4.0 domains are nontransitive and one-way. Although the concept of a forest is foreign to Windows NT 4.0, you can think of a Windows NT 4.0 domain as if it were logically a single-domain forest, a forest to which no other domains can be added. If trust is necessary between two Windows NT 4.0 domains, or between a Windows NT 4.0 domain and a Windows 2000 or Windows Server 2003 domain, the trust relationship must be created one-way. A second trust in the opposite direction can be created between the two domains to simulate a two-way trust. Figure 8-4 illustrates a one-way trust between a Windows Server 2003 domain and a Windows NT 4.0 domain. Note the trust direction (solid arrows): trust arrows point from the trusting domain to the trusted domain, while the access path runs the opposite way, since it is users of the trusted domain who are granted access to resources in the trusting domain. A popular mnemonic device among Microsoft trainers is the expression "The arrowHEAD points at the trustED."

Figure 8-4. Simulating a two-way trust with two one-way trusts.

External Trusts with Windows 2000 or Windows Server 2003 Domains

When a trust relationship is needed with a Windows domain in another forest, an external trust relationship may be created. It is important to understand that this trust exists only between the external domain (a single domain in the other forest) and a single domain within the local forest.
There is no trust relationship between the external domain and the other domains in the local Windows Server 2003 or Windows 2000 forest, nor between the local domain and any other domain in the external forest. Like the Windows NT 4.0 trust, the external trust is nontransitive. It is created as a one-way trust; a second one-way trust in the other direction may be created between the two domains (or both directions may be created at once as a two-way trust). Figure 8-5 illustrates an external trust. Note that in these figures, domains are identified symbolically by numbers and letters instead of their DNS names; in the real world, each domain must be named correctly. One forest has its domains numbered; in the other, letters of the alphabet are used. Domain 3 has a trust relationship with Domain B, so users in Domain 3 can be granted access to resources in Domain B. For them to be given access to other domains in that forest, a separate external trust relationship must be created for each one.

Figure 8-5. The external trust.

Trusts with Non-Windows Kerberos Realms

Windows 2000 and Windows Server 2003 use Kerberos as their primary form of authentication, and it is also possible to create a trust relationship with a non-Windows Kerberos V5 realm. A realm is logically similar to a Windows domain. Kerberos implementations are available for many other operating systems; a Kerberos realm is most often implemented on Unix, and that is the kind of Kerberos system for which utilities and instructions are available if the benefits of Kerberos cross-realm trust are desired. Creating trust relationships with Unix-based Kerberos realms is described in "Step-by-Step Guide to Kerberos (krb5 1.0) Interoperability" at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/howto/kerbstep.asp.
Instructions for creating a realm trust between Windows Server 2003 and a non-Windows realm are found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/domadmin_createRealmTrust.asp. A realm trust can be one-way or two-way and transitive or nontransitive, depending on how it is implemented and on the capabilities of the realm.

Forest Trusts

A forest trust is a trust relationship in which every domain in one forest trusts every domain in the other forest. Forest trusts are new in Windows Server 2003; a forest trust cannot be created between two Windows 2000 forests, since both forests must be at the Windows Server 2003 forest functional level. Without a forest trust, two one-way external trusts can be created between each domain in one forest and each domain in the other to provide access across all boundaries; however, this requires creating many trusts, all of which are NTLM-style. A Windows Server 2003 forest trust is instead a single trust relationship created between the two forests. It is Kerberos-style and transitive, that is, trust exists between every domain in each forest, and it can be created one-way or two-way.
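Every trust type described in this section is recorded by Active Directory as a trustedDomain object whose trustType, trustDirection and trustAttributes values say what kind of trust it is, which way it points and whether it is transitive. The following PowerShell script is an added example, not from the book, that decodes those values: it runs offline against a constructed set of sample records (one per trust type, with hypothetical domain names) and includes a reader for the real objects in the current domain. The numeric codes are the TRUST_TYPE_*, TRUST_DIRECTION_* and TRUST_ATTRIBUTE_* values from MS-ADTS section 6.1.6.7.

```powershell
# Added example (not from the book): classify the trustedDomain objects that
# hold each trust type discussed above. Runs offline on the constructed sample
# records at the bottom; Get-TrustedDomainObjects reads the live ones instead.
# Domain names in the sample are hypothetical.

$TrustAttributeFlags = @{
    0x01 = 'NON_TRANSITIVE'       # external and NT 4.0-style trusts
    0x02 = 'UPLEVEL_ONLY'         # usable only by Windows 2000 and later
    0x04 = 'QUARANTINED_DOMAIN'   # SID filtering enforced on this trust
    0x08 = 'FOREST_TRANSITIVE'    # Windows Server 2003 forest trust
    0x10 = 'CROSS_ORGANIZATION'   # selective authentication required
    0x20 = 'WITHIN_FOREST'        # parent-child, tree-root or shortcut trust
    0x40 = 'TREAT_AS_EXTERNAL'    # forest trust SID-filtered like an external one
    0x80 = 'USES_RC4_ENCRYPTION'  # non-Windows realm keyed with RC4
}

function ConvertFrom-TrustAttributes([int]$Value) {
    # Names of the attribute bits set in $Value, lowest bit first.
    $TrustAttributeFlags.Keys | Sort-Object | Where-Object { $Value -band $_ } |
        ForEach-Object { $TrustAttributeFlags[$_] }
}

function Get-TrustSummary {
    param(
        [string]$LocalDomain,   # DNS name of the domain whose trusts are listed
        [hashtable[]]$Trusts    # records with name, type, direction, attributes
    )
    foreach ($t in $Trusts) {
        $flags = @(ConvertFrom-TrustAttributes $t.attributes)
        $kind = switch ($t.type) {
            1 { 'Windows NT 4.0 (downlevel) trust' }
            3 { 'Non-Windows Kerberos realm trust' }
            2 {
                if ($flags -contains 'WITHIN_FOREST') {
                    # A parent-child trust shows up as a DNS suffix relationship;
                    # any other trust inside the forest is tree-root or shortcut.
                    $child = $t.name.EndsWith(".$LocalDomain") -or $LocalDomain.EndsWith(".$($t.name)")
                    if ($child) { 'Intra-forest parent-child trust' }
                    else        { 'Intra-forest tree-root or shortcut trust' }
                } elseif ($flags -contains 'FOREST_TRANSITIVE') { 'Forest trust' }
                else { 'External trust' }
            }
            default { "Unknown trust type $($t.type)" }
        }
        # trustDirection is stored from this domain's point of view: "outbound"
        # means this domain is the trusting one (the arrowhead points away).
        $direction = switch ($t.direction) {
            0 { 'disabled' }
            1 { "inbound: $($t.name) trusts $LocalDomain" }
            2 { "outbound: $LocalDomain trusts $($t.name)" }
            3 { 'two-way' }
        }
        $transitivity = if ($flags -contains 'NON_TRANSITIVE') { 'nontransitive' } else { 'transitive' }
        New-Object PSObject -Property @{
            Partner      = $t.name
            Kind         = $kind
            Direction    = $direction
            Transitivity = $transitivity
            SidFiltering = ($flags -contains 'QUARANTINED_DOMAIN')
            Flags        = ($flags -join ',')
        } | Select-Object Partner, Kind, Direction, Transitivity, SidFiltering, Flags
    }
}

function Get-TrustedDomainObjects {
    # Read the current domain's trustedDomain objects over ADSI; no RSAT module needed.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(objectClass=trustedDomain)'
    $searcher.PropertiesToLoad.AddRange(@('trustPartner', 'trustType', 'trustDirection', 'trustAttributes'))
    foreach ($r in $searcher.FindAll()) {
        @{
            name       = [string]$r.Properties['trustpartner'][0]
            type       = [int]$r.Properties['trusttype'][0]
            direction  = [int]$r.Properties['trustdirection'][0]
            attributes = [int]$r.Properties['trustattributes'][0]
        }
    }
}

# Constructed sample: what corp.example.com might hold, one record per trust type.
$LocalDomain  = 'corp.example.com'
$SampleTrusts = @(
    @{ name = 'eng.corp.example.com'; type = 2; direction = 3; attributes = 0x20 }  # child domain
    @{ name = 'partner.example.net';  type = 2; direction = 3; attributes = 0x08 }  # forest trust
    @{ name = 'legacy.example.org';   type = 2; direction = 2; attributes = 0x05 }  # external, SID filtered
    @{ name = 'NT4DOM';               type = 1; direction = 1; attributes = 0x01 }  # NT 4.0 domain
    @{ name = 'LAB.EXAMPLE.EDU';      type = 3; direction = 3; attributes = 0x81 }  # MIT realm, nontransitive
)
Get-TrustSummary -LocalDomain $LocalDomain -Trusts $SampleTrusts | Format-Table -AutoSize
# Against the live domain: Get-TrustSummary $env:USERDNSDOMAIN (Get-TrustedDomainObjects)
```

On the sample records the script reports the child domain as an intra-forest parent-child trust, partner.example.net as a transitive forest trust, legacy.example.org as a nontransitive, SID-filtered external trust that this domain trusts outbound, NT4DOM as a downlevel trust pointing inbound, and LAB.EXAMPLE.EDU as a nontransitive realm trust. Run against a live domain it is a quick way to confirm that a trust you believe to be an external trust really is nontransitive, and that the forest trust you created is recorded with FOREST_TRANSITIVE rather than as a set of per-domain external trusts.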