nkulsh
 asked on

Preventing AD child domains from establishing outside trust

We have a root Windows 2003 domain and 9 child domains. As I understand it, trust can only be established at domain level. Management is concerned that some admin of a child domain may establish trust with an outside Windows domain and give access to company data. Is it possible to prevent this? If not, what is the most efficient way to monitor this? Thanks.
Tags: Active Directory, Windows OS

Last Comment: Chris Dent, 8/22/2022 - Mon
Chris Dent


You can only prevent it if you remove Domain Admin rights from the administrators of the child domain. I bet that would be popular ;)

However, you can always monitor the trust configuration, and potentially have a script alert you should it change. I'll knock something together to do that.

Chris
Chris Dent


Here we go, a simple start. It lists all trusts within a forest and tells you about them (including the path, which indicates the domain it resides in).

Would you like it to notify? If so, how? Or do you have a monitoring system that can take care of that aspect?

Basically you just need it to monitor the output of the script for changes (perhaps by comparison with a list of allowed trusts).

Chris
Const ADS_SCOPE_SUBTREE = 2
 
' Trust Type - http://msdn.microsoft.com/en-us/library/cc223771(PROT.10).aspx
Dim objTrustTypes : Set objTrustTypes = CreateObject("Scripting.Dictionary")
objTrustTypes.Add 4, "DCE"
objTrustTypes.Add 3, "MIT"
objTrustTypes.Add 2, "UpLevel"
objTrustTypes.Add 1, "DownLevel"
 
' Trust Attributes - http://msdn.microsoft.com/en-us/library/cc223779(PROT.10).aspx
Dim objTrustAttributes : Set objTrustAttributes = CreateObject("Scripting.Dictionary")
objTrustAttributes.Add 128, "UsesRC4Encryption"
objTrustAttributes.Add 64, "TreatAsExternal"
objTrustAttributes.Add 32, "WithinForest"
objTrustAttributes.Add 16, "CrossOrganisation"
objTrustAttributes.Add 8, "ForestTransitive"
objTrustAttributes.Add 4, "QuarantinedDomain"
objTrustAttributes.Add 2, "UpLevelOnly"
objTrustAttributes.Add 1, "NonTransitive"
 
' Trust Direction - http://msdn.microsoft.com/en-us/library/cc223768(PROT.10).aspx
Dim objTrustDirection : Set objTrustDirection = CreateObject("Scripting.Dictionary")
objTrustDirection.Add 3, "BiDirectional"
objTrustDirection.Add 2, "Outbound"
objTrustDirection.Add 1, "Inbound"
objTrustDirection.Add 0, "Disabled"
 
Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
 
Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
 
Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT distinguishedName, name, trustType, trustAttributes, trustDirection, " & _
  "trustPartner, whenCreated FROM 'GC://" & objRootDSE.Get("rootDomainNamingContext") & _
  "' WHERE objectClass='trustedDomain'"
Set objRootDSE = Nothing
 
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
 
Dim objRecordSet : Set objRecordSet = objCommand.Execute
 
While Not objRecordSet.EOF
  WScript.Echo "Trusted Domain: " & objRecordSet.Fields("name").Value
  WScript.Echo "Trust Type: " & objTrustTypes(objRecordSet.Fields("trustType").Value)
 
  Dim dblFlag
  Dim strFlags : strFlags = ""
  For Each dblFlag in objTrustAttributes
    If objRecordSet.Fields("trustAttributes").Value And dblFlag Then
      strFlags = strFlags & objTrustAttributes(dblFlag) & " "
    End If
  Next
  WScript.Echo "Trust Attributes: " & strFlags
 
  WScript.Echo "Trust Direction: " & objTrustTypes(objRecordSet.Fields("trustDirection").Value)
  WScript.Echo "Trust Partner: " & objRecordSet.Fields("trustPartner").Value
  WScript.Echo "Distinguished Name: " & objRecordSet.Fields("distinguishedName").Value
  WScript.Echo "Created: " & objRecordSet.Fields("whenCreated").Value
 
  objRecordSet.MoveNext
Wend
 
objConnection.Close
 
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing


nkulsh

ASKER
Hello Chris-Dent,
I have tested your great script and I do have a few questions:
1. What does "Trust Direction: MIT" mean? All trusts showed this.
2. Only 6 trusts showed "Trust Attributes: WithinForest " while in fact there should be 18 of these since we have 9 child domains. The other 12 were blank.
3. Two child domains do have outside trusts. They showed "Trust Attributes: QuarantinedDomain " but one showed "Trust Type: DownLevel" while the other was "Trust Type: UpLevel". Would it be better to call "QuarantinedDomain" "OutsideDomain"?
Finally, we don't have any 3rd party monitoring tool besides ServersAlive. What will be a good way to monitor this? Thanks so much.
Jay
Chris Dent


Hey Jay,

Sorry, I managed to make a bit of a mistake in the script, hence the odd appearance of MIT. Fixed below.

The attribute names are taken from the MS Article, which has a bit of a better description of each:

http://msdn.microsoft.com/en-us/library/cc223779(PROT.10).aspx

We could run something like this as a scheduled task, once a day / once a week and have it notify someone if it changes?

Chris
Const ADS_SCOPE_SUBTREE = 2
 
' Trust Type - http://msdn.microsoft.com/en-us/library/cc223771(PROT.10).aspx
Dim objTrustTypes : Set objTrustTypes = CreateObject("Scripting.Dictionary")
objTrustTypes.Add 4, "DCE"
objTrustTypes.Add 3, "MIT"
objTrustTypes.Add 2, "UpLevel"
objTrustTypes.Add 1, "DownLevel"
 
' Trust Attributes - http://msdn.microsoft.com/en-us/library/cc223779(PROT.10).aspx
Dim objTrustAttributes : Set objTrustAttributes = CreateObject("Scripting.Dictionary")
objTrustAttributes.Add 128, "UsesRC4Encryption"
objTrustAttributes.Add 64, "TreatAsExternal"
objTrustAttributes.Add 32, "WithinForest"
objTrustAttributes.Add 16, "CrossOrganisation"
objTrustAttributes.Add 8, "ForestTransitive"
objTrustAttributes.Add 4, "QuarantinedDomain"
objTrustAttributes.Add 2, "UpLevelOnly"
objTrustAttributes.Add 1, "NonTransitive"
 
' Trust Direction - http://msdn.microsoft.com/en-us/library/cc223768(PROT.10).aspx
Dim objTrustDirection : Set objTrustDirection = CreateObject("Scripting.Dictionary")
objTrustDirection.Add 3, "BiDirectional"
objTrustDirection.Add 2, "Outbound"
objTrustDirection.Add 1, "Inbound"
objTrustDirection.Add 0, "Disabled"
 
Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
 
Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
 
Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT distinguishedName, name, trustType, trustAttributes, trustDirection, " & _
  "trustPartner, whenCreated FROM 'GC://" & objRootDSE.Get("rootDomainNamingContext") & _
  "' WHERE objectClass='trustedDomain'"
Set objRootDSE = Nothing
 
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
 
Dim objRecordSet : Set objRecordSet = objCommand.Execute
 
While Not objRecordSet.EOF
  WScript.Echo "Trusted Domain: " & objRecordSet.Fields("name").Value
  WScript.Echo "Trust Type: " & objTrustTypes(objRecordSet.Fields("trustType").Value)
 
  Dim dblFlag
  Dim strFlags : strFlags = ""
  For Each dblFlag in objTrustAttributes
    If objRecordSet.Fields("trustAttributes").Value And dblFlag Then
      strFlags = strFlags & objTrustAttributes(dblFlag) & " "
    End If
  Next
  WScript.Echo "Trust Attributes: " & strFlags
 
  WScript.Echo "Trust Direction: " & objTrustDirection(objRecordSet.Fields("trustDirection").Value)
  WScript.Echo "Trust Partner: " & objRecordSet.Fields("trustPartner").Value
  WScript.Echo "Distinguished Name: " & objRecordSet.Fields("distinguishedName").Value
  WScript.Echo "Created: " & objRecordSet.Fields("whenCreated").Value
 
  objRecordSet.MoveNext
Wend
 
objConnection.Close
 
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing


nkulsh

ASKER
Thanks.
You write "have it notify someone if it changes".
Is there any tool that can detect change in a text file? For notification, are command line email tools the ones to use? Thanks again -- you have already solved 90% of the problem -- just trying to get your ideas about the remaining 10%.

 
Chris Dent


I'll modify the script in the morning (if that's okay) to have it check against a text file for changes, and notify you if something does change. Just a bit late at night for me right now :)

Good enough?

Chris
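The comparison step Chris describes (decode each trust, diff against the state saved by the previous scheduled run, flag anything outside the forest), as an added example in Python that is not Chris's script; the records and domain names below are constructed placeholders, and persisting the decoded list as JSON between runs is assumed.

```python
# Added example, not the thread's VBScript: decode trustedDomain records using the
# same bit tables as the script above, then diff them against a saved baseline.
TRUST_TYPE = {1: "DownLevel", 2: "UpLevel", 3: "MIT", 4: "DCE"}
TRUST_DIRECTION = {0: "Disabled", 1: "Inbound", 2: "Outbound", 3: "BiDirectional"}
TRUST_ATTRIBUTES = {1: "NonTransitive", 2: "UpLevelOnly", 4: "QuarantinedDomain",
                    8: "ForestTransitive", 16: "CrossOrganisation", 32: "WithinForest",
                    64: "TreatAsExternal", 128: "UsesRC4Encryption"}

SAMPLE_RECORDS = [  # constructed data; domain names are placeholders
    {"distinguishedName": "CN=child1.corp.example,CN=System,DC=corp,DC=example",
     "trustPartner": "child1.corp.example", "trustType": 2,
     "trustDirection": 3, "trustAttributes": 32},
    {"distinguishedName": "CN=partner.example,CN=System,DC=child2,DC=corp,DC=example",
     "trustPartner": "partner.example", "trustType": 2,
     "trustDirection": 2, "trustAttributes": 4},
]

def decode(record):
    """Turn one raw trustedDomain record into a comparable, readable dict."""
    attrs = [name for bit, name in sorted(TRUST_ATTRIBUTES.items())
             if record["trustAttributes"] & bit]
    return {
        "partner": record["trustPartner"].lower(),
        "dn": record["distinguishedName"],  # shows which child domain owns the trust
        "type": TRUST_TYPE.get(record["trustType"], "Unknown"),
        "direction": TRUST_DIRECTION.get(record["trustDirection"], "Unknown"),
        "attributes": attrs,
        # No WithinForest bit means the trust points outside the forest, which is
        # the case management wants surfaced.
        "outside_forest": "WithinForest" not in attrs,
    }

def report(records, baseline):
    """Diff decoded current trusts against the decoded trusts saved by the last run."""
    current = {t["partner"]: t for t in (decode(r) for r in records)}
    previous = {t["partner"]: t for t in baseline}
    return {
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "changed": sorted(p for p in set(current) & set(previous)
                          if current[p] != previous[p]),
        "outside": sorted(p for p, t in current.items() if t["outside_forest"]),
    }

if __name__ == "__main__":
    # Baseline holds only the in-forest trust, so the external one shows up as added.
    baseline = [decode(SAMPLE_RECORDS[0])]
    print(report(SAMPLE_RECORDS, baseline))
```

A scheduled task would feed the live query results to `report`, save `decode` output as the next baseline, and mail the result whenever `added`, `removed` or `changed` is non-empty.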
nkulsh

ASKER
Thanks so much. I wait for your reply.
Jay
nkulsh

ASKER
Chris,
Could you kindly add the section to your script that you mentioned on 2/26? Thanks.
Jay
ASKER CERTIFIED SOLUTION
Chris Dent
