Trusts in Active Directory can be misused for purposes not intended by the admin of the trusting domain. There are three ways to secure a trust to make it more secure:

• Enable SID Filtering
• Enable Quarantine
• Enable Selective Authentication

SID Filtering is enabled on all trust relationships, by default. SID Filtering operates on the same surface as trust transitivity. When enabled, SID Filtering filters the user accounts over the trust to user accounts from the domain tree that is explicitly trusted, only. In a way, it allows for more granular transitivity.

Quarantine is enabled on all trust relationships, by default. Quarantine for a trust allows granular access, too. Where SID Filtering allows for limiting access to a trusted domain tree, quarantine limits access to a trusted domain.

Selective authentication is not enabled, by default. Where SID Filtering and Quarantine limit access to user accounts from trusted domains, selective authentication limits access to devices, member servers and domain controllers in trusting domains. This means that in a default trust, all resources in the trusting domain can be accessed.

By default, Active Directory trusts are pretty secure, since the SID Filtering and Quarantine features are automatically enabled. You can heighten this default level of security by enabling and managing selective authentication.

To use the selective authentication feature, both Active Directory forests on either side of the trust need to run the Windows Server 2003 FFL, or a higher forest functional level.

It is recommended that you sign in to the domain controller that is running the Domain Naming Master FSMO role, or connect the Active Directory Domains and Trusts console to this specific domain controller, by right-clicking in the console on the Active Directory Domains and Trusts node and selecting Change Active Directory Domain Controller… from the context menu.

To find this domain controller, right-click the Active Directory Domains and Trusts node and select the Operations Master… from the context menu. Alternatively, run the following command from any domain-joined device, member server, or domain controller:

netdom.exe query fsmo

Otherwise, you can use the following PowerShell commands on a domain-joined system that has the Active Directory module for Windows PowerShell installed:

Import-Module ActiveDirectory

Get-ADForest | Format-List DomainNamingMaster

Sign in with the credentials of an admin account that is a member of the Enterprise Admins group.

SID Filtering and Quarantine on trusts can only be managed using netdom.exe:

1. To enable SID Filtering for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /EnableSIDHistory:yes

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

2. To disable SID Filtering for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /EnableSIDHistory:no

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

3. To enable Quarantine on a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /Quarantine:yes

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

4. To disable Quarantine on a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /Quarantine:no

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

To manage Selective Authentication, we can use the graphical user interface (GUI). To do so, follow these steps:

1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain that you want to configure selective authentication for, and then click Properties.
3. Navigate to the Trusts tab.
4. From the list of Domains trusts by this domain (outgoing trusts): or from the list of Domains that trust this domain (incoming trusts):, select the trust that you want to configure selective authentication for.
5. Click the Properties button next to the corresponding list.

6. Navigate to the Authentication tab as follows:

7. On the Authentication tab, select or deselect Selective Authentication.
8. Click OK to finish.

Of course, selective authentication for trusts is also available on the command line.

To enable selective authentication for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld /SelectiveAuth:yes

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

To disable selective authentication for a trust, use the following command:

netdom.exe trust TrustingDomain.tld /Domain:TrustedDomain.tld / SelectiveAuth:no

Replace TrustingDomain.tld with the DNS domain name of the Active Directory environment that gives access to its resources, and then replace TrustedDomain.tld with the DNS domain name of the Active Directory environment that gains access to the resources.

Now, the actual domain-joined resources, which a user from another domain or forest has access to, is governed per object. Follow these steps to manage this setting:

1. Open the Active Directory Administrative Center.
2. Search for the domain-joined device, member server, or domain controller that you want to grant access to over the trust. Use the search box in the Global Search field on the Overview screen of the Active Directory Administrative Center, or use the left navigation pane.
3. Right-click the object and select Properties from the context menu.
4. In the left navigation pane of the object's properties, click Extensions.
5. Click the Security tab.

6. Select the user object(s) and/or group(s) that you want to grant access to, wielding the Add… and Remove buttons underneath the field for Groups and user names:

7. Select the Allow checkbox that is next to the Allowed to Authenticate permission.
8. Click OK when you're done.

Selective authentication leverages the Allowed to Authenticate option to give permission to allow or disallow requests coming from user accounts over the trust, because they are automatically added to the Authenticated Users group. When selective authentication is disabled (the default), every user account on the other side is allowed to authenticate. However, after selective authentication is enabled, only the user accounts with the Allowed to Authenticate permission explicitly set can authenticate to it over the trust, because they are not automatically added to the Authenticated Users group.

To make managing the Active Directory trust possible for a trust that has selective authentication enabled, make sure that admins on both sides have the Allowed to Authenticate permission on each other's domain controllers. You can specify specific domain controllers only by fiddling with the DNS SRV records for domain controllers. However, make sure that you always include the domain controller holding the PDCe FSMO role, and at least one global catalog.