Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
Chapter 2 introduced Windows security authorities and security principals. In this chapter we will look at how we can establish security relationships between Windows domain security authorities using trust relationships.
3.1 Defining trust relationships
Trust relationships define an administrative and security link between two Windows domains or forests. They enable a user to access resources located in a domain or forest other than the one in which the user's account is defined. Creating a trust between domains or forests does not by itself grant users access to resources in the trusting domain or forest: the administrator of the trusting domain or forest still has to assign access rights to those users on the appropriate resources.
In the context of a Windows domain or forest, a trust basically means that one domain trusts the authentication authorities of another domain, or, in other words, it creates cross-domain visibility and usability of security principals. When security authority A has authenticated a user, Joe, and security authority B trusts security authority A (as illustrated in Figure 3.1), B will not start another authentication process in order to verify user Joe’s identity. In Windows domain speak, the fact that a domain controller (DC) in domain A has authenticated user Joe and the existence of a trust between domains A and B are enough for the DCs in domain B to trust user Joe’s identity.
When a trust relationship is set up between two domains, there is always a trusted and a trusting domain. The trusting domain is the one that initiates the setup of a trust relationship. The trusted domain is the subject of the trust definition. If the domain compaq.com sets up a trust with the digital.com domain (as illustrated in Figure 3.2)—in which case digital.com is the trusted domain and compaq.com is the trusting domain—all accounts defined in digital.com will be trusted. This means that all digital.com accounts can be used to set access control settings on resources in the compaq.com domain. The opposite is not true, unless another trust is defined going from digital.com to compaq.com—in that case compaq.com is the trusted domain and digital.com the trusting domain. The latter case is referred to as a two-way trust relationship. The former case is referred to as a one-way trust relationship.
In Windows Server 2003, trust relationships can be created automatically or manually:
- Windows Server 2003 trust relationships are created automatically as part of the “dcpromo” process. The dcpromo process builds an AD instance on a Windows server, or, in other words, it makes a server a domain controller. When dcpromo adds a new domain to an existing forest, the parent-child trust (for a new child domain) or the tree-root trust (for a new domain tree) is created as part of this process.
- To create a trust manually, use the Active Directory Domains and Trusts MMC snap-in. During manual trust setup you will be prompted to enter a “trust password.” If the two sides of the trust are created separately by the administrators of the trusted and the trusting domain, both must enter the same trust password. When trusts are created automatically, this “trust password” is generated and exchanged without administrator intervention.
You cannot create a trust relationship if the NETBIOS domain names of the two domains are identical. In the example of Figure 3.2, the NETBIOS name of the trusting domain is compaq and the NETBIOS name of the trusted domain is digital. If both the trusted and the trusting domain had the NETBIOS name “root,” creating a trust between the two would fail.
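The trusted/trusting vocabulary of this section and the NETBIOS-name rule above can be checked against a live domain. The following PowerShell script is an added example; it is not code from the book or from Microsoft. It reads the trustedDomain objects that Active Directory keeps under CN=System of the local domain, decodes their trustDirection, trustType and trustAttributes values, and states for each trust which side is trusted, which is trusting, and whose accounts can therefore appear in whose ACLs. It also carries a pre-flight check for the NETBIOS-name clash. The attribute values and flag names are those of the AD schema; everything else (function names, the constructed Figure 3.2 record, the assumption of Windows PowerShell 2.0 or later on a domain-joined host under an account that can read CN=System) is this example's own.

```powershell
# Added example (not from the book): enumerate and decode the local domain's
# trustedDomain objects over LDAP and describe them in Section 3.1 terms.
# Assumptions (not stated on the page): Windows PowerShell 2.0+ on a domain
# member, run as an account that can read CN=System and CN=Partitions.

# Decoding tables for trustedDomain attributes (values from the AD schema).
$TrustDirectionName = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TrustTypeName      = @{ 1 = 'Downlevel (NT4)'; 2 = 'Uplevel (AD)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }
$TrustAttributeName = @{
    0x01 = 'NON_TRANSITIVE'
    0x02 = 'UPLEVEL_ONLY'
    0x04 = 'QUARANTINED_DOMAIN'   # SID filtering enabled
    0x08 = 'FOREST_TRANSITIVE'    # cross-forest trust
    0x10 = 'CROSS_ORGANIZATION'   # selective authentication
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'
}

function ConvertTo-TrustRecord {
    # Turns raw attribute values into a readable record. Kept separate from the
    # LDAP read so the decoding can be exercised on constructed input (below).
    param([string]$Partner, [string]$FlatName, [int]$Direction, [int]$Type, [int]$Attributes)
    $flags = @($TrustAttributeName.Keys | Where-Object { ($Attributes -band $_) -ne 0 } |
               ForEach-Object { $TrustAttributeName[$_] })
    New-Object PSObject -Property @{
        Partner    = $Partner          # DNS name of the partner domain (trustPartner)
        FlatName   = $FlatName         # NETBIOS name of the partner domain (flatName)
        Direction  = $TrustDirectionName[$Direction]
        Type       = $TrustTypeName[$Type]
        Attributes = ($flags -join ', ')
    }
}

function Get-DomainTrust {
    # One record per trustedDomain object under CN=System of the local domain.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=System,$domainDn"
    $searcher.Filter      = '(objectClass=trustedDomain)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('trustPartner', 'flatName', 'trustDirection', 'trustType', 'trustAttributes'))
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        ConvertTo-TrustRecord -Partner $p['trustpartner'][0] -FlatName $p['flatname'][0] `
            -Direction $p['trustdirection'][0] -Type $p['trusttype'][0] -Attributes $p['trustattributes'][0]
    }
}

function Get-TrustDescription {
    # Outbound on our side means we trust the partner (we are the trusting
    # domain); inbound means the partner trusts us (we are the trusted domain).
    param($Trust, [string]$LocalDomain)
    switch ($Trust.Direction) {
        'Outbound'      { "One-way: $LocalDomain (trusting) trusts $($Trust.Partner) (trusted); " +
                          "$($Trust.Partner) accounts can be used in ACLs on $LocalDomain resources." }
        'Inbound'       { "One-way: $($Trust.Partner) (trusting) trusts $LocalDomain (trusted); " +
                          "$LocalDomain accounts can be used in ACLs on $($Trust.Partner) resources." }
        'Bidirectional' { "Two-way: accounts of $LocalDomain and $($Trust.Partner) can each be used in ACLs on the other's resources." }
        default         { "Trust with $($Trust.Partner) is disabled." }
    }
}

function Get-LocalNetBiosName {
    # The local domain's NETBIOS name is the nETBIOSName of its crossRef object.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext)"
    $searcher.Filter     = "(&(objectClass=crossRef)(nCName=$($rootDse.defaultNamingContext)))"
    [void]$searcher.PropertiesToLoad.Add('nETBIOSName')
    [string]$searcher.FindOne().Properties['netbiosname'][0]
}

function Test-TrustNetBiosClash {
    # Pre-flight for the rule in Section 3.1: the trust cannot be created when
    # both domains carry the same NETBIOS name. -eq is case-insensitive, as the
    # names are. Returns $true on a clash.
    param([string]$PartnerNetBiosName, [string]$LocalNetBiosName)
    $PartnerNetBiosName -eq $LocalNetBiosName
}

# Constructed record (not read from a directory) modelling Figure 3.2 as seen
# from compaq.com: digital.com is trusted, so compaq.com holds an outbound,
# non-transitive external trust.
$figure32 = ConvertTo-TrustRecord -Partner 'digital.com' -FlatName 'DIGITAL' -Direction 2 -Type 2 -Attributes 0x01
Get-TrustDescription -Trust $figure32 -LocalDomain 'compaq.com'
Test-TrustNetBiosClash -PartnerNetBiosName 'root' -LocalNetBiosName 'ROOT'

# Live run against the local domain (needs a domain-joined host).
$localDns = (([string]([ADSI]'LDAP://RootDSE').defaultNamingContext) -split ',' |
             ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
Get-DomainTrust | ForEach-Object { Get-TrustDescription -Trust $_ -LocalDomain $localDns }
```

On a Windows Server 2003 domain controller the same list is available without PowerShell through `nltest /domain_trusts` from the Support Tools, and the secure channel behind a trust can be checked with `netdom trust <trusting-domain> /d:<trusted-domain> /verify`. Note that a trust record only tells you whose identities the trusting domain accepts; as the section states, the ACLs on the trusting side still decide what those identities may access.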
In the following sections we will discuss the Windows Server 2003 trust properties and types and how trust relationships work behind the scenes. We will pay special attention to a brand-new Windows Server 2003 trust type: cross-forest trust.