Module 7 · Trusts — Legacy Merger Paths

Manish Garg
Associate of (ISC)² · RingSafe
Apr 22, 2026
4 min read

Last updated: April 29, 2026

Trust types, SIDHistory attacks, cross-forest paths. Mergers leave trust relationships with security debt.

AD trusts let a user in one domain authenticate to resources in another. They come in several flavors: parent/child and tree-root (always within a forest, always two-way and transitive), external (to a single domain in another forest), forest (to every domain of another forest), and realm (to a non-Windows Kerberos realm). Each flavor has different defaults for transitivity, direction and SID filtering, and therefore a different attack surface. Many enterprises have trusts they forgot exist, left over from mergers, vendor integrations, or legacy architectures. Those forgotten trusts are often the attack path.

Why trusts are risky

A trust lets users from the trusted domain authenticate against the trusting domain. Four properties decide how far that reach extends:

  • Transitive: if A trusts B and B trusts C, does A trust C? Parent/child, tree-root and forest trusts are transitive; external trusts are not, and realm trusts can be set either way.
  • Direction: parent/child and tree-root trusts are always two-way; external, forest and realm trusts can be one-way (inbound or outbound) or two-way. A two-way trust means a compromise on either side reaches the other.
  • SID filtering: whether the trusting side strips SIDs from the trusted domain’s tickets that do not belong to that domain. Inside a forest there is no filtering at all; on external and forest trusts it is on by default but can be relaxed. Wherever filtering is off, a forged SIDHistory entry (for example the trusting domain’s Enterprise Admins SID) is honoured, which is the SIDHistory attack.
  • Selective authentication: by default every principal in the trusted domain can authenticate to every resource in the trusting domain. Selective authentication narrows that to computers on which the principal has been granted the “Allowed to Authenticate” right.

Trust creation does not always leave SID filtering in the safe state. Intra-forest trusts never filter, and on external and forest trusts it is common to switch filtering off deliberately during a migration so that ADMT-style SIDHistory keeps working (netdom trust … /quarantine:no on an external trust, /enablesidhistory:yes on a forest trust). Mergers produce exactly these trusts, configured quickly “to make things work” without a security review. Years later the trust remains with the migration-era permissive settings, long after the migration that justified them is over.
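The quickest way to find those leftover settings is to read the trustAttributes bitmask of every trust object rather than trusting the GUI summary. The script below is an added example for this module, not code from the course or from RingSafe: it decodes the bits defined in MS-ADTS (trustAttributes) for each trust and flags the conditions discussed above. The trust names and attribute values in the constructed sample at the end are hypothetical so that the decoder runs offline; against a real domain you would feed it Get-ADTrust output as shown in the comment.

```powershell
# Added example (not from the course page). Decodes trustAttributes and flags
# trusts whose settings honour SIDHistory or allow forest/domain-wide auth.
# Bit values are from MS-ADTS section 6.1.6.7.9 (trustAttributes).

$TrustAttr = @{
    NonTransitive     = 0x01   # TRUST_ATTRIBUTE_NON_TRANSITIVE
    UplevelOnly       = 0x02   # TRUST_ATTRIBUTE_UPLEVEL_ONLY
    Quarantined       = 0x04   # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN (SID filtering on an external trust)
    ForestTransitive  = 0x08   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE (forest trust)
    CrossOrganization = 0x10   # TRUST_ATTRIBUTE_CROSS_ORGANIZATION (selective authentication)
    WithinForest      = 0x20   # TRUST_ATTRIBUTE_WITHIN_FOREST (parent/child, tree-root)
    TreatAsExternal   = 0x40   # TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL (forest trust relaxed so SIDHistory passes)
    UsesRC4           = 0x80   # TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
}

function Test-TrustBit {
    param([int]$Attributes, [int]$Bit)
    return (($Attributes -band $Bit) -ne 0)
}

function Get-TrustRiskReport {
    # Accepts objects with Name, Direction and TrustAttributes (the shape Get-ADTrust
    # returns) and emits one row per trust with decoded flags and findings.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] $Trust)
    process {
        $a            = [int]$Trust.TrustAttributes
        $withinForest = Test-TrustBit $a $TrustAttr.WithinForest
        $forest       = Test-TrustBit $a $TrustAttr.ForestTransitive
        $quarantined  = Test-TrustBit $a $TrustAttr.Quarantined
        $treatExt     = Test-TrustBit $a $TrustAttr.TreatAsExternal
        $selective    = Test-TrustBit $a $TrustAttr.CrossOrganization

        $kind = if ($withinForest) { 'IntraForest' } elseif ($forest) { 'Forest' } else { 'External' }

        # SIDHistory supplied by the trusted side is honoured when:
        #   IntraForest: always (no SID filtering inside a forest)
        #   Forest:      TREAT_AS_EXTERNAL is set   (netdom trust ... /enablesidhistory:yes)
        #   External:    QUARANTINED_DOMAIN is clear (netdom trust ... /quarantine:no)
        $sidHistoryHonoured = switch ($kind) {
            'IntraForest' { $true }
            'Forest'      { $treatExt }
            'External'    { -not $quarantined }
        }

        $findings = @()
        if ($kind -ne 'IntraForest') {
            if ($sidHistoryHonoured) { $findings += 'SID filtering relaxed: SIDHistory from the trusted side is honoured' }
            if (-not $selective)     { $findings += 'Domain/forest-wide authentication: every trusted principal can reach every resource' }
            if ($Trust.Direction -eq 'BiDirectional') { $findings += 'Two-way trust: compromise on either side reaches the other' }
        }

        [pscustomobject]@{
            Name               = $Trust.Name
            Kind               = $kind
            Direction          = $Trust.Direction
            Transitive         = -not (Test-TrustBit $a $TrustAttr.NonTransitive)
            SelectiveAuth      = $selective
            SIDHistoryHonoured = $sidHistoryHonoured
            Findings           = ($findings -join '; ')
        }
    }
}

# Live use on a domain-joined host with the RSAT ActiveDirectory module:
#   Get-ADTrust -Filter * | Get-TrustRiskReport | Format-Table -AutoSize

# Constructed sample (hypothetical names and attribute values) so the decoder runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; TrustAttributes = 0x20 }  # intra-forest
    [pscustomobject]@{ Name = 'acquired.example';   Direction = 'BiDirectional'; TrustAttributes = 0x08 }  # forest trust, default filtering
    [pscustomobject]@{ Name = 'legacy.example';     Direction = 'BiDirectional'; TrustAttributes = 0x48 }  # forest trust, SIDHistory left enabled after a migration
    [pscustomobject]@{ Name = 'vendor.example';     Direction = 'Inbound';       TrustAttributes = 0x00 }  # external trust with quarantine never set
)
$sample | Get-TrustRiskReport | Format-Table -AutoSize
```

Reading the raw bits avoids the confusingly named Get-ADTrust properties (SIDFilteringForestAware is the TREAT_AS_EXTERNAL bit, so True means filtering was relaxed, not tightened). In the sample, legacy.example and vendor.example are the rows a merger tends to leave behind: a forest trust with SIDHistory enabled for an ADMT migration that finished years ago, and an external trust that was never quarantined.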
