Wednesday Dec 09, 2009

Security issues w/ one-way forest trust and kerberos delegation

Re: http://www.dscoduc.com/2009/11/kerberos-delegation-across-a-trust/

Yuck!  Your Active Directory one-way forest trusts are really one-and-a-half-way or two-way trusts.

Scenario:  You enable a one-way forest trust from a development forest or a resource forest into the forest that holds your enterprise's user accounts.  It's very convenient, and it sounds secure - after all, you are not trusting these other forests for authentication.  They're supposed to trust authentication in your forest, but you don't trust authentication of accounts in the trusting domains.  What could go wrong?

Enter 'trusted for delegation'.  It turns out that an administrator in the trusting forest can configure accounts/computers with the 'trusted for delegation' flag, and applications running under that security context can turn around and impersonate users from the trusted forest - *even to resources in the trusted forest!*  So an administrator in the trusting forest effectively has carte blanche to any Kerberos-secured assets of any poor sap unfortunate enough to interact with a service in the trusting forest.

Basically, you can't really count on the 'unidirectional' nature of the trust.  You can protect your administrator accounts with the 'account is sensitive and cannot be delegated' UAC flag, but unless you're ready to deny the joys of Kerberos delegation to the bulk of your users, you really need to ensure the same level of security controls in trusting forests as you do in your trusted forest, or you're creating substantial risk of inappropriate access to, or modification of, your users' information assets.
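The two checks above are easy to script.  The following PowerShell is an added example, not from the original post or the linked article: it enumerates principals in the trusting forest that carry the 'trusted for delegation' flag (the userAccountControl bit for unconstrained delegation, plus the constrained-delegation variants so they show up in the same report), then finds privileged accounts in the trusted forest that are still delegable and sets the 'account is sensitive and cannot be delegated' flag on them.  It assumes the RSAT ActiveDirectory module, read rights in both forests and write rights on the accounts being changed; the domain names are placeholders, 'Domain Admins' stands in for whatever sensitive groups you actually care about, and the trust TGTDelegation property at the end is only present on domain controllers that have the 2019 Kerberos updates.

```powershell
# Added example (not the post's own code). Domain names are placeholders.
Import-Module ActiveDirectory

$TrustingDomain = 'dev.example.test'    # placeholder: resource/dev forest (trusting side)
$TrustedDomain  = 'corp.example.test'   # placeholder: account forest (trusted side)

# userAccountControl bits involved
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation ('trusted for delegation')
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
$NOT_DELEGATED                  = 0x100000   # 'account is sensitive and cannot be delegated'

# 1. Principals in the trusting forest that can delegate. The unconstrained
#    flag is the one the post describes; constrained delegation with protocol
#    transition is included because it also lets a service obtain tickets on
#    a user's behalf. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
$ldap = "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
        "(msDS-AllowedToDelegateTo=*))"
$delegators = Get-ADObject -Server $TrustingDomain -LDAPFilter $ldap `
    -Properties userAccountControl, msDS-AllowedToDelegateTo, servicePrincipalName

foreach ($obj in $delegators) {
    $uac = [int]$obj.userAccountControl
    [pscustomobject]@{
        Name          = $obj.Name
        Class         = $obj.ObjectClass
        Unconstrained = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        ProtocolTrans = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
        ConstrainedTo = ($obj.'msDS-AllowedToDelegateTo' -join ';')
    }
}

# 2. Privileged users in the trusted (account) forest that are still delegable.
#    'Domain Admins' is the example group; add your own sensitive groups.
$admins = Get-ADGroupMember -Server $TrustedDomain -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Server $TrustedDomain -Properties userAccountControl, AccountNotDelegated

$exposed = $admins | Where-Object { -not $_.AccountNotDelegated }
$exposed | Select-Object SamAccountName, AccountNotDelegated

# Set the NOT_DELEGATED bit on them. -WhatIf makes this a dry run; drop it to apply.
$exposed | Set-ADUser -Server $TrustedDomain -AccountNotDelegated $true -WhatIf

# 3. On DCs with the 2019 Kerberos updates, the trust object also records whether
#    TGT delegation (what unconstrained delegation relies on) is still allowed
#    across the forest boundary.
Get-ADTrust -Server $TrustedDomain -Filter * |
    Select-Object Name, Direction, ForestTransitive, TGTDelegation
```

Run the first section from an account that can read the trusting forest's directory; anything it lists is a service an administrator over there can use to act as your users.  The second section is the per-account mitigation the post mentions, and it is deliberately narrow: the flag breaks delegation for those accounts everywhere, which is acceptable for administrators but, as the post says, rarely for the general user population.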

If you're not convinced, try it out in your lab.  It's very easy (and demoralizing) to demonstrate the scenario.