Secure Bits
Do you use Trusts in Active Directory?
There is no such thing as a security boundary between trusted domains.
Once you trust another AD, their problems become your problems.
One compromise can cascade across environments, no matter the trust direction.
⚠️ Can you really vouch for their security?
I generally don't recommend using trusts...
...but in the real world, business needs often override security advice.
If you must use them, make sure you do it right:
✅ Use the right type of trust – aim for smaller exposure (Forest vs External)
✅ Enable Selective Authentication – limit who can authenticate where across the trust.
✅ Force Kerberos AES – avoid falling back to weaker methods.
✅ Check SID Filtering – it's often disabled from past migrations and never re-enabled.
🧪 Scan with Get-ADTrust/nltest + netdom or use my transparent PowerShell tool – ADProbe – to simplify the check. https://horizon-secured.com/tools/
🚫 And no – child domains are not a security boundary – I see this too often.
Anyone from a child can become Enterprise Admin with enough access. If you're doing it for separation, consider OUs and delegation instead.
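As an added example (written here, not the post's ADProbe tool), a small PowerShell function that decodes the trustAttributes and msDS-SupportedEncryptionTypes bit flags defined in MS-ADTS and reports the three checklist items above plus the intra-forest case. It runs offline against constructed sample trust objects; the trust names and values below are made up.

```powershell
function Test-ADTrustHygiene {
    # Decodes trustAttributes / msDS-SupportedEncryptionTypes bits (MS-ADTS values)
    # and emits one line of findings per trust. Added example, not ADProbe.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    begin {
        $Quarantined = 0x4; $ForestTransitive = 0x8; $CrossOrg = 0x10   # trustAttributes
        $WithinForest = 0x20; $TreatAsExternal = 0x40
        $Rc4 = 0x4; $Aes = 0x18   # msDS-SupportedEncryptionTypes: RC4_HMAC, AES128|AES256
    }
    process {
        $attr = [int]$Trust.TrustAttributes
        $enc  = 0
        if ($null -ne $Trust.'msDS-SupportedEncryptionTypes') { $enc = [int]$Trust.'msDS-SupportedEncryptionTypes' }
        $findings = New-Object System.Collections.Generic.List[string]
        if ($attr -band $WithinForest) {
            $findings.Add('Intra-forest trust: a child domain is not a security boundary')
        } elseif ($attr -band $ForestTransitive) {
            # Forest trust: SID filtering is on unless TREAT_AS_EXTERNAL was set
            # (netdom /enablesidhistory:yes), which lets the other forest's SID history through.
            if ($attr -band $TreatAsExternal) { $findings.Add('SID filtering relaxed (TREAT_AS_EXTERNAL)') }
        } else {
            # External trust: SID filtering applies only when the quarantine bit is set.
            if (-not ($attr -band $Quarantined)) { $findings.Add('SID filtering disabled (no QUARANTINED_DOMAIN)') }
        }
        if (-not ($attr -band $WithinForest) -and -not ($attr -band $CrossOrg)) {
            $findings.Add('Selective Authentication off (no CROSS_ORGANIZATION)')
        }
        if (-not ($enc -band $Aes)) { $findings.Add('Kerberos AES not enabled on the trust object') }
        elseif ($enc -band $Rc4)    { $findings.Add('RC4 still allowed alongside AES (weaker fallback possible)') }
        $summary = 'OK'
        if ($findings.Count -gt 0) { $summary = $findings -join '; ' }
        [pscustomobject]@{ Trust = $Trust.Name; Direction = $Trust.Direction; Findings = $summary }
    }
}

# Constructed sample trust objects using the property names Get-ADTrust returns.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'BiDirectional'; TrustAttributes = 0x8;  'msDS-SupportedEncryptionTypes' = 0x4  }  # forest trust, RC4 only
    [pscustomobject]@{ Name = 'legacy.local';       Direction = 'Inbound';       TrustAttributes = 0x0;  'msDS-SupportedEncryptionTypes' = 0x1C }  # external, unfiltered, RC4+AES
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; TrustAttributes = 0x20; 'msDS-SupportedEncryptionTypes' = 0x18 }  # child domain, same forest
)
$sampleTrusts | Test-ADTrustHygiene | Format-Table -AutoSize
```

Against a live forest, `Get-ADTrust -Filter * -Properties msDS-SupportedEncryptionTypes | Test-ADTrustHygiene` feeds the real trust objects in; cross-check the SID filtering result with `netdom trust` as the post suggests before acting on it.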
Do you use AD trusts in your environment? Whatโs your use case?
