This article guides professionals on configuring a controlled interface for interconnections between information systems or networks in an Active Directory domain.
Implementing this control should be considered, at a minimum, of high importance.
PS. G5 Cyber Security can scan your entire network for security vulnerabilities, guide you to resolve them, and more. Please contact us here to get started.
How to implement this security control
Obtain management approval for, and document, each external, forest, or realm trust relationship, or obtain documentation of the network connection approval and of the explicit trust approval.
How to verify this security control is implemented
- Refer to the list of identified trusts already compiled.
- Review the local documentation approving the external network connection and documentation indicating explicit approval of the trust by management.
- The external network connection documentation is maintained by the IAO/NSO for compliance with the Network Infrastructure STIG.
- If any trust is defined and there is no documentation indicating approval of the external network connection and explicit management approval of the trust, this is an issue.
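The following PowerShell script is an added example, not part of the original article, of how the verification steps above can be carried out on a domain controller or an RSAT-equipped workstation. It enumerates every trust defined in the current domain with `Get-ADTrust` and compares each one against an approval register; the register shown here (`$approvedTrusts`, with its `Target`, `Direction`, `Approver` and `Approved` fields and the `partner.example` entry) is a constructed placeholder standing in for the IAO/NSO documentation the control requires. Automatically created intra-forest (parent/child) trusts are excluded from the finding, since the control scopes external, forest and realm trusts; remove that filter if local policy also requires approval for those.

```powershell
# Added example (not from the original article): list the trusts defined in the current
# domain and flag any external, forest or realm trust that has no documented approval.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Hypothetical approval register: one row per trust that management has explicitly approved.
# In practice this would be read from the IAO/NSO documentation, e.g. a CSV export.
$approvedTrusts = @(
    [pscustomobject]@{ Target = 'partner.example'; Direction = 'Outbound'; Approver = 'J. Doe'; Approved = '2024-01-15' }
)

# Every trust object in the domain. TrustType values include External, Forest and Realm
# (Kerberos); TreeRoot and ParentChild trusts are intra-forest and created automatically.
$definedTrusts = Get-ADTrust -Filter * -Properties *

$report = foreach ($trust in $definedTrusts) {
    # Match on the trusted partner name; a trust with no matching row is undocumented.
    $approval = $approvedTrusts | Where-Object { $_.Target -ieq $trust.Target }
    [pscustomobject]@{
        Target                  = $trust.Target
        Direction               = $trust.Direction
        TrustType               = $trust.TrustType
        ForestTransitive        = $trust.ForestTransitive
        IntraForest             = $trust.IntraForest
        # Hardening attributes worth recording alongside the approval (see "Why you should
        # implement this security control"): selective authentication limits which
        # trusted-domain users may authenticate here, and SID filtering blocks SID history
        # injected from the less trusted side.
        SelectiveAuthentication = $trust.SelectiveAuthentication
        SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
        Documented              = [bool]$approval
        Approver                = if ($approval) { $approval.Approver } else { $null }
        ApprovedOn              = if ($approval) { $approval.Approved } else { $null }
    }
}

# Full inventory for the reviewer's records.
$report | Format-Table -AutoSize

# Any external/forest/realm trust without an entry in the approval register is a finding
# against this control.
$undocumented = @($report | Where-Object { -not $_.Documented -and -not $_.IntraForest })
if ($undocumented.Count -gt 0) {
    Write-Warning ("{0} trust(s) have no documented management approval: {1}" -f `
        $undocumented.Count, ($undocumented.Target -join ', '))
} else {
    Write-Output 'All external, forest and realm trusts have documented approval.'
}
```

Run the script with an account that can read trust objects (any domain user can, by default) and keep the `Format-Table` output with the approval documentation so the next review can diff the inventory against the previous one; a trust appearing in the inventory but not in the register is exactly the condition the last verification bullet describes.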
Why you should implement this security control
The configuration of an AD trust relationship is one of the steps used to allow users in one domain to access resources in another domain, forest, or Kerberos realm.
When a trust is defined between organizations, the security posture of the two organizations might be significantly different. If one organization maintained a less secure environment and that environment were compromised, the presence of the AD trust might allow the more secure environment to be compromised also.