Active Directory Forest Trust Vulnerability
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Security researchers have discovered a vulnerability in Active Directory (AD) that allows an attacker to achieve lateral movement between AD forests that share two-way trust relationships.
Threat details
Forests are the top-level containers in the AD logical hierarchy. Microsoft considers each forest to be a security boundary for all contained objects. Administrators from outside a forest should only be able to control access to information within the forest if they gain permission from the forest's own administrators.
The researchers have found that the default configuration can be exploited if an attacker compromises any single server with unconstrained delegation, such as a domain controller. If there are any two-way forest trust relationships, the attacker can then coerce similar servers in other forests to authenticate to the attacker-controlled server by exploiting a known vulnerability in the Windows Print System Remote Protocol (MS-RPRN). This can be leveraged to compromise all domains within the other forests.
Remediation
At the time of publication, Microsoft has indicated that it will not be releasing any security updates to address this vulnerability. The issue may be resolved in a future version of Windows.
There are several suggested steps that can be taken to mitigate the vulnerability:
- Disable Kerberos full delegation across inter-forest trusts.
- Enable the selective authentication setting across inter-forest trusts. An attack may still succeed, however, if (as is often the case) domain controllers are granted the 'allowed to authenticate' right on foreign domain controllers.
- Consider removing the trusts altogether.
- Disable the Spooler service on domain controllers, and other servers with un
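An audit script for the conditions the mitigation steps above address, added here as an example and not part of the NHS Digital alert. It assumes the ActiveDirectory RSAT module on a domain-joined host with rights to read trust and computer objects and to query services on the hosts it finds; it reports, it does not change anything.

```powershell
# Added audit example (not from the original alert). Reports inter-forest trusts
# that are two-way, still allow TGT (full) delegation, or lack selective
# authentication, then lists unconstrained-delegation hosts running the Spooler.
Import-Module ActiveDirectory

function Get-ForestTrustFindings {
    $trusts = Get-ADTrust -Filter * -Properties Direction, ForestTransitive,
                                               TGTDelegation, SelectiveAuthentication
    foreach ($t in $trusts) {
        if (-not $t.ForestTransitive) { continue }   # only forest trusts are in scope
        $findings = @()
        if ($t.Direction -eq 'BiDirectional')    { $findings += 'two-way trust' }
        if ($t.TGTDelegation)                     { $findings += 'TGT delegation enabled' }
        if (-not $t.SelectiveAuthentication)      { $findings += 'selective authentication off' }
        [pscustomobject]@{ Trust = $t.Name; Target = $t.Target; Findings = ($findings -join '; ') }
    }
}

function Get-UnconstrainedDelegationHosts {
    # userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION); DCs carry it by default.
    $hosts = Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
                            -Properties DNSHostName, OperatingSystem
    foreach ($h in $hosts) {
        $spooler = 'unknown'
        try {
            # Works on both Windows PowerShell and PowerShell 7 (WinRM/CIM must be reachable).
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                                   -ComputerName $h.DNSHostName -ErrorAction Stop
            $spooler = if ($svc) { $svc.State } else { 'not installed' }
        } catch { $spooler = "query failed: $($_.Exception.Message)" }
        [pscustomobject]@{ Host = $h.DNSHostName; OS = $h.OperatingSystem; Spooler = $spooler }
    }
}

# Trusts needing attention (TGT delegation can be turned off per trust with
# netdom trust <trusting> /domain:<trusted> /EnableTGTDelegation:No, run by the trust admins).
Get-ForestTrustFindings | Where-Object Findings | Format-Table -AutoSize

# Unconstrained-delegation hosts with the Spooler still running are the ones
# the last mitigation step targets.
Get-UnconstrainedDelegationHosts | Where-Object Spooler -eq 'Running' | Format-Table -AutoSize
```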
Last edited: 17 February 2020 12:59 pm