Active Directory Trust Misclassification: Why Old Trusts Look Like Insecure External Trusts

Source: Tenable Blog

Author: Clément Notin

URL: https://www.tenable.com/blog/active-directory-trust-misclassification-why-old-trusts-look-like-insecure-external-trusts

ONE SENTENCE SUMMARY:

Tenable Research found that intra-forest trusts created on Windows 2000 lack the TRUST_ATTRIBUTE_WITHIN_FOREST flag, so in Active Directory forests that have since been upgraded they are easily misclassified as external trusts.

MAIN POINTS:

  1. Intra-forest trusts created under Windows 2000 may lack the attribute that identifies them as intra-forest.
  2. The TRUST_ATTRIBUTE_WITHIN_FOREST flag (0x20 in trustAttributes) was introduced with Windows Server 2003 and was never applied retroactively to trust objects that already existed.
  3. Domains upgraded from Windows 2000 therefore keep trustAttributes=0 on these trusts, the same value an external trust carries, so an internal trust can be mistaken for a potentially insecure external one.
  4. The crossRef objects in the CN=Partitions container of the forest's Configuration partition list every domain of the forest, so they reliably tell whether a trust partner is intra-forest or external.
  5. External trusts have no dedicated flag of their own; they are normally recognized by trustAttributes=0, which is exactly what the legacy intra-forest trusts also show.
  6. Microsoft's AD administrative tools still report the correct trust type despite the missing flag.
  7. Tenable reproduced the issue in a lab, confirming that the legacy attribute value persists after domain upgrades.
  8. Security-analysis tools that rely on trustAttributes alone therefore confuse internal and external trusts.
  9. The crossRef-based interpretation has been validated in real-world environments.
  10. Tenable's discovery aims to improve trust management in legacy AD environments.
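The following PowerShell script is an added example, not code from the Tenable post. It reads the current domain's trustedDomain objects, decodes the relevant trustAttributes bits, and, for any trust with no attributes set, checks whether the partner has a domain crossRef in the forest's Partitions container before deciding between intra-forest and external. It assumes the ActiveDirectory RSAT module in a domain-joined session; the function name Get-TrustKind and the output labels are this example's own choices.

```powershell
# Added example (not from the Tenable post): classify trusts, treating a trustAttributes=0
# trust whose partner has a domain crossRef in this forest as intra-forest (the Windows 2000 case).
Import-Module ActiveDirectory

# Bit values from MS-ADTS trustAttributes and crossRef systemFlags
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8
$TRUST_ATTRIBUTE_WITHIN_FOREST     = 0x20
$FLAG_CR_NTDS_DOMAIN               = 0x2   # marks a crossRef that describes a domain NC

$rootDse      = Get-ADRootDSE
$partitionsDn = "CN=Partitions," + $rootDse.configurationNamingContext

# Every domain of this forest has a crossRef here; external and forest-trust partners do not.
$forestDomains = Get-ADObject -SearchBase $partitionsDn -LDAPFilter "(objectClass=crossRef)" `
        -Properties dnsRoot, systemFlags |
    Where-Object { ($_.systemFlags -band $FLAG_CR_NTDS_DOMAIN) -ne 0 } |
    ForEach-Object { ([string]$_.dnsRoot).ToLowerInvariant() }

function Get-TrustKind {
    param([int]$Attributes, [string]$Partner, [string[]]$ForestDomains)
    if ($Attributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST)     { return 'intra-forest' }
    if ($Attributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) { return 'forest' }
    # Legacy case: no flag at all, but the partner is a domain of this very forest
    if ($ForestDomains -contains $Partner.ToLowerInvariant())  { return 'intra-forest (legacy, flag missing)' }
    return 'external'
}

# trustedDomain objects live under CN=System of the domain naming context
Get-ADObject -LDAPFilter "(objectClass=trustedDomain)" -Properties trustPartner, trustAttributes |
    ForEach-Object {
        [pscustomobject]@{
            Partner         = $_.trustPartner
            TrustAttributes = ('0x{0:X}' -f [int]$_.trustAttributes)
            Kind            = Get-TrustKind -Attributes $_.trustAttributes -Partner $_.trustPartner -ForestDomains $forestDomains
        }
    } | Format-Table -AutoSize
```

Run it from a domain-joined host with RSAT installed. A trust reported as "intra-forest (legacy, flag missing)" is the situation the post describes: its trustAttributes value is the same 0 an external trust would show, and only the crossRef lookup distinguishes the two. Note that a downlevel (NT4-style) trust stores a NetBIOS name in trustPartner, so it will never match a dnsRoot and is correctly reported as external.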

TAKEAWAYS:

  1. Windows 2000 intra-forest trusts may be misidentified due to absent flags.
  2. The crossRef objects of the forest's Partitions container provide a reliable way to identify trust types.
  3. Upgrading domains does not add the missing flag to trusts created under Windows 2000.
  4. Accurate trust interpretation is vital for exposure management tools.
  5. Awareness of this issue aids security professionals in managing legacy AD environments.