Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Active Directory Administration Cookbook

You're reading from   Active Directory Administration Cookbook Actionable, proven solutions to identity management and authentication on servers and in the cloud

Arrow left icon
Product type Paperback
Published in May 2019
Publisher Packt
ISBN-13 9781789806984
Length 620 pages
Edition 1st Edition
Languages
Arrow right icon
Author (1):
Arrow left icon
Sander Berkouwer Sander Berkouwer
Author Profile Icon Sander Berkouwer
Sander Berkouwer
Arrow right icon
View More author details
Toc

Table of Contents (16) Chapters Close

Preface 1. Optimizing Forests, Domains, and Trusts FREE CHAPTER 2. Managing Domain Controllers 3. Managing Active Directory Roles and Features 4. Managing Containers and Organizational Units 5. Managing Active Directory Sites and Troubleshooting Replication 6. Managing Active Directory Users 7. Managing Active Directory Groups 8. Managing Active Directory Computers 9. Getting the Most Out of Group Policy 10. Securing Active Directory 11. Managing Federation 12. Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and 3SO) 13. Handling Synchronization in a Hybrid World (Azure AD Connect) 14. Hardening Azure AD 15. Other Books You May Enjoy

Securing a trust

Trusts in Active Directory can be misused for purposes not intended by the admin of the trusting domain. There are three ways to secure a trust to make it more secure:

  • Enable SID Filtering
  • Enable Quarantine
  • Enable Selective Authentication

SID Filtering is enabled on all trust relationships, by default. SID Filtering operates on the same surface as trust transitivity. When enabled, SID Filtering filters the user accounts over the trust to user accounts from the domain tree that is explicitly trusted, only. In a way, it allows for more granular transitivity.

Quarantine is enabled on all trust relationships, by default. Quarantine for a trust allows granular access, too. Where SID Filtering allows for limiting access to a trusted domain tree, quarantine limits access to a trusted domain.

Selective authentication is not enabled, by default. Where SID Filtering and Quarantine limit access to user accounts from trusted domains, selective authentication limits access to devices, member servers and domain controllers in trusting domains. This means that in a default trust, all resources in the trusting domain can be accessed.

By default, Active Directory trusts are pretty secure, since the SID Filtering and Quarantine features are automatically enabled. You can heighten this default level of security by enabling and managing selective authentication.

Getting ready

To use the selective authentication feature, both Active Directory forests on either side of the trust need to run the Windows Server 2003 FFL, or a higher forest functional level.

It is recommended that you sign in to the domain controller that is running the Domain Naming Master FSMO role, or connect the Active Directory Domains and Trusts console to this specific domain controller, by right-clicking in the console on the Active Directory Domains and Trusts node and selecting Change Active Directory Domain Controller… from the context menu.

To find this domain controller, right-click the Active Directory Domains and Trusts node and select the Operations Master… from the context menu. Alternatively, run the following command from any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Otherwise, you can use the following PowerShell commands on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADForest | Format-List DomainNamingMaster

Required permissions

Sign in with the credentials of an admin account that is a member of the Enterprise Admins group.

How to do it...

SID Filtering and Quarantine on trusts can only be managed using netdom.exe:

  1. To enable SID Filtering for a trust, use the following command:
netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /EnableSIDHistory:yes

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

  1. To disable SID Filtering for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /EnableSIDHistory:no

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

  1. To enable Quarantine on a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /Quarantine:yes

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

  1. To disable Quarantine on a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /Quarantine:no

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

To manage Selective Authentication, we can use the graphical user interface (GUI). To do so, follow these steps:

  1. Open Active Directory Domains and Trusts.
  2. In the console tree, right-click the domain that you want to configure selective authentication for, and then click Properties.
  3. Navigate to the Trusts tab.
  4. From the list of Domains trusts by this domain (outgoing trusts): or from the list of Domains that trust this domain (incoming trusts):, select the trust that you want to configure selective authentication for.
  5. Click the Properties button next to the corresponding list.
  1. Navigate to the Authentication tab as follows:
  1. On the Authentication tab, select or deselect Selective Authentication.
  2. Click OK to finish.

Of course, selective authentication for trusts is also available on the command line.

To enable selective authentication for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /SelectiveAuth:yes

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

To disable selective authentication for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld / SelectiveAuth:no

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

Now, the actual domain-joined resources, which a user from another domain or forest has access to, is governed per object. Follow these steps to manage this setting:

  1. Open the Active Directory Administrative Center.
  2. Search for the domain-joined device, member server, or domain controller that you want to grant access to over the trust. Use the search box in the Global Search field on the Overview screen of the Active Directory Administrative Center, or use the left navigation pane.
  3. Right-click the object and select Properties from the context menu.
  4. In the left navigation pane of the object's properties, click Extensions.
  5. Click the Security tab.
  1. Select the user object(s) and/or group(s) that you want to grant access to, wielding the Add and Remove buttons underneath the field for Groups and user names:
  1. Select the Allow checkbox that is next to the Allowed to Authenticate permission.
  2. Click OK when you're done.

How it works...

Selective authentication leverages the Allowed to Authenticate option to give permission to allow or disallow requests coming from user accounts over the trust, because they are automatically added to the Authenticated Users group. When selective authentication is disabled (the default), every user account on the other side is allowed to authenticate. However, after selective authentication is enabled, only the user accounts with the Allowed to Authenticate permission explicitly set can authenticate to it over the trust, because they are not automatically added to the Authenticated Users group.

There's more...

To make managing the Active Directory trust possible for a trust that has selective authentication enabled, make sure that admins on both sides have the Allowed to Authenticate permission on each other's domain controllers. You can specify specific domain controllers only by fiddling with the DNS SRV records for domain controllers. However, make sure that you always include the domain controller holding the PDCe FSMO role, and at least one global catalog.

You have been reading a chapter from
Active Directory Administration Cookbook
Published in: May 2019
Publisher: Packt
ISBN-13: 9781789806984
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image