Introduction to Domain and Forest Trusts

By using Windows Server 2003 domain and forest trusts, service administrators can create or extend collaborative relationships between two or more domains or forests. Windows Server 2003 domains and forests can also trust Kerberos realms and other Windows Server 2003 forests, as well as Microsoft Windows® 2000 domains and Windows NT® 4.0 domains.

When a trust exists between two domains, the authentication mechanisms for each domain trust the authentications coming from the other domain. Trusts help to provide controlled access to shared resources in a resource domain (the trusting domain) by verifying that incoming authentication requests come from a trusted authority (the trusted domain). In this way, trusts act as bridges that allow only validated authentication requests to travel between domains.

How a specific trust passes authentication requests depends on how it is configured. Trust relationships can be one-way, providing access from the trusted domain to resources in the trusting domain, or two-way, providing access from each domain to resources in the other domain. Trusts are also either nontransitive, in which case a trust exists only between the two trust partner domains, or transitive, in which case a trust automatically extends to any other domains that either of the partners trusts.

In some cases, trust relationships are established automatically when domains are created; in other cases, administrators must choose a type of trust and explicitly establish the appropriate relationships. The specific types of trusts that are used and the structure of the resulting trust relationships in a given trust implementation depend on such factors as how Active Directory is organized and whether different versions of Windows coexist on the network.

Do you want to become Real MCSE, CCNA or CCNP certified?
Do you want to Payless for certification?
Do you want to finish in 2/3 weeks?

Click here to continue :

MCSA : MCSE : MCSE + Security : CCNA : CCNP : Bootcamp : MCSE training : Vibrant MCSE : Vibrant CCNA : Vibrant CCNP : camp : MCITP Boot Camp : CCNA MCITP Boot Camp : CCNA MCSE Boot Camp : MCITP MCSE Boot Camp : MCSE MCITP CCNA Boot Camp : Upgrade MCITP Boot Camp : Upgrade to MCITP CCNA Boot Camp : :: Home : links : Resources : Ref1 : Ref2

Exam 70-270 MCSE Practice Exams :

MCSE Guide

Free MCSE
Free MCSE Training
MCSE
MCSE 2003
MCSE Books
MCSE Boot Camp
MCSE Brain dumps
MCSE Certification
MCSE Exam
MCSE Free
MCSE Jobs
MCSE Logo
MCSE Online
MCSE Online Training
MCSE Practice
MCSE Practice Exams
MCSE Practice Tests
MCSE Requirements
MCSE Resume
MCSE Salary
MCSE Self Paced Training Kit
MCSE Study
MCSE Study Guide
MCSE Study Guides
MCSE Test
MCSE Testing
MCSE Training
MCSE Training Kit
MCSE Training Video
MCSE Windows 2003
Microsoft MCSE Training
Training MCSE
Windows 2003 MCSE

MCSE 2003

MCSE Books

MCSE Boot Camp

MCSE Brain dumps

MCSE Certification

MCSE Exam

MCSE Free

MCSE Jobs

MCSE Logo

MCSE Online

MCSE Online Training

MCSE Practice

MCSE Practice Exams

MCSE Practice Tests

MCSE Requirements

MCSE Resume

MCSE Salary

MCSE Self Paced Training Kit

MCSE Study

MCSE Study Guide

MCSE Study Guides

MCSE Test

MCSE Testing

MCSE Training

MCSE Training Kit

MCSE Training Video

MCSE Windows 2003

Microsoft MCSE Training

Training MCSE

Windows 2003 MCSE

MCSE Camp

Anonymous LDAP operations in Windows 2003 AD?

Background

By default, anonymous LDAP operations, except rootDSE searches and binds, are not permitted on Windows 2003 domain controllers. This means that when trying to perform unauthenticated search in Active Directory, you can query for attributes of the RootDSE object only – any other query will result in domain controller requesting authenticated bind to LDAP and refusing to your query.

Actually this is new behavior compared to Windows 2000 domain controllers which allowed anonymous operations and the query results were based only on the permissions of the objects.

"So what is it good for?" you might ask yourself. Well, one of the reasons is minimizing the impact of potential denial of service (DoS) attacks against AD. Consider a malicious application performing an anonymous LDAP query against domain controller. Theoretically, by crafting a very complicated LDAP filter with a "Sub" scope, an attacker could overload the LDAP server which would result in significant degradation in domain controller performance and even total denial of service.

Why you might want to enable anonymous binds? Usually this is desired when you need to provide an easy access to a subset of information stored in AD to 3rd party applications that are not capable of authenticating to AD or the information is intended to be in public domain from the beginning and you are storing it in AD. The scenarios are infinite, but before enabling anonymous operations make sure that you truly understand the implications of this action – the change (though reversible) does increase the security risks to your environment.

Let's have a look at what are we allowed to see when we are trying to perform an anonymous lookup against W2K3 domain controller.

The query below is performed from a Linux machine just to eliminate the query tools attempts on Windows to perform GSSAPI authentication in the background.

Just to decipher the syntax above:

-h descartes.antid0t.net

perform the query against host descartes.antid0t.net

-b ''

Use RootDSE as the search base

-x

Use simple bind

-LLL

Print responses in LDIF format without comments and version

-s base

Do base search (as opposed to subtree or onelevel)

'objectClass=*'

LDAP filter which basically means: return anything you find

Not much, right? Just enough to be able to negotiate the correct authentication dialect, learn about LDAP protocol versions supported, enumerate the partitions and acquire some more details about the LDAP semantics supported by the server.

Notice that I had to use "base" scope query. Trying to perform "Subtree" or "OneLevel" query would yield the DC requiring authenticated bind:

Enabling anonymous LDAP operations

Launch ADSI Edit (part of support tools) and navigate to:

CN=Directory Service,CN=Windows NT,CN=Services, <ForestRoot>

Where <forestRoot> is the root domain of your forest (in my case this is DC=antid0t,DC=net)

Right click the "CN=Directory Services" container, choose "Properties" from the context menu and scroll down to the dsHeuristics attribute

If the attribute is not set (has no value), fill in "0000002" in the value field.
The last (seventh) character is the one that controls the way you can bind to LDAP service. "0" or no seventh character means that anonymous LDAP operations are disabled. Setting the seventh character to "2" permits anonymous operations (you are still subject to Access Control Lists of the objects in AD)

Warning: if the attribute already contains a value, make sure you are changing only the seventh character from the left – this is the only character that needs to be changed in order to enable anonymous binds. So for example if the current value is "0010000", you will need to change it to "0010002".

If the current value is less than 7 characters, you will need to put zeros in the places not used: "001" will become "0010002"

Make yourself a cup of coffee and wait till the change is replicated to all you DCs in the forest. The new value will be picked up without any need for server reboots or service restarts. Meanwhile you can get a bit more details about the process from MS KB article 326690.

Let's test it:

As you can see, now we are allowed a little more: we are allowed to perform "Sub" queries against all the AD partitions. Though this step allows unauthenticated operations against AD, only a very small subset of attributes are being exposed. The step can be compared to opening the lobby door of an apartment building – you can travel around, but all the doors to the apartments are closed.