UCF STIG Viewer Logo

Each cross-directory authentication configuration must be documented.


Finding ID Version Rule ID IA Controls Severity
V-8530 DS00.1120_AD SV-30989r2_rule DCID-1 Low
AD external, forest, and realm trust configurations are designed to extend resource access to a wider range of users (those in other directories). If specific baseline documentation of authorized AD external, forest, and realm trust configurations is not maintained, it is impossible to determine if the configurations are consistent with the intended security policy.
Active Directory Domain Security Technical Implementation Guide (STIG) 2014-12-18


Check Text ( C-14110r1_chk )
1. Start the Active Directory Domains and Trusts console (Start, Run, “domain.msc”).

2. Select the left pane item that matches the name of the domain being reviewed.

3. Right-click the domain name and select the Properties item.

4. On the domain object Properties window, select the Trusts tab.

5. For each outbound and inbound external, forest, and realm trust, record the name of the other party (domain name), the trust type, transitivity, and the trust direction. (Keep this trust information for use in subsequent checks.)

6. Compare the list of actual trusts identified with the list in local documentation maintained by the IAO. For each trust, the documentation must contain type (external, forest, or realm), name of the other party, MAC and classification level of the other party, trust direction (inbound and\or outbound), transitivity, status of the Selective Authentication option, and status of the SID filtering option.

7. If an identified trust is not listed in the documentation or if any of the required items are not documented, then this is a finding.
Fix Text (F-15017r1_fix)
Develop documentation for each AD external, forest, and realm trust configuration. At a minimum this must include:
a. Type (external, forest, or realm).
b. Name of the other party.
c. MAC, confidentiality, and classification level of the other party.
d. Trust direction (inbound and\or outbound).
e. Transitivity.
f. Status of the Selective Authentication option.
g. Status of the SID filtering option.