Security Risks of a One-Way Trust Relationship between Domains

Your vendor would not have access to resources in your forest with a one-way trust, so the risk to your environment is somewhat minimized on an AD functional level.

On a network level, there are a truckload of ports that need to be opened between your domain controllers and the vendor's domain controllers. If their domain controllers or application servers are compromised, the compromised vendor machines may have direct network-level access to attack your domain controllers.

Attackers may also be able to compromise the hash of your accounts that are authenticating on the vendor's systems, and use those compromised credentials to gain access to your environment.

Federated solutions are usually a far better choice.


The security risk of a domain trust is that if your environment is compromised, it could be possible to use sidhistory for privilege escalation. Most secure is a cross-forest trust, as that allows for the secure transmission of foreign security principals (and, more importantly, they are identified as foreign). You can also use selective authentication to ensure that only the proper FSP is allowed in.

The one indirect issue with trusts of any kind is that Authenticated Users membership means authenticated users; that will include authenticated users from the external forest.
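As an added defensive check, not code from either answer above: a PowerShell audit that lists the domain's trust objects and flags the two settings the second answer names, SID filtering (the control that blocks sidhistory abuse) and selective authentication. It assumes the RSAT ActiveDirectory module and read access to the trust objects, decodes the trustAttributes bits as defined in MS-ADTS, and the function name Get-TrustRiskReport is my own.

```powershell
# Added example, not part of either answer. Assumes the RSAT ActiveDirectory
# module (Get-ADTrust) and read access to the domain's trustedDomain objects.
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS, trustAttributes)
$TA_QUARANTINED_DOMAIN = 0x04   # SID filtering enforced on an external trust
$TA_FOREST_TRANSITIVE  = 0x08   # this is a forest trust
$TA_TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed to external-style SID filtering,
                                # i.e. SID history from the other forest is honoured

function Get-TrustRiskReport {
    foreach ($t in Get-ADTrust -Filter *) {
        $findings = @()
        $attr     = [int]$t.TrustAttributes
        $isForest = [bool]($attr -band $TA_FOREST_TRANSITIVE)

        # SID filtering is what stops a forged sidhistory from being accepted here.
        if ($isForest) {
            if ($attr -band $TA_TREAT_AS_EXTERNAL) {
                $findings += 'forest trust treated as external: SID history from the other forest is honoured'
            }
        } elseif (-not ($attr -band $TA_QUARANTINED_DOMAIN)) {
            $findings += 'SID filtering (quarantine) not set on external trust'
        }

        # Without selective authentication, every grant to "Authenticated Users"
        # on this side also applies to principals from the trusted domain.
        if (-not $t.SelectiveAuthentication) {
            $findings += 'selective authentication off: Authenticated Users includes the foreign domain'
        }

        [pscustomobject]@{
            Trust                   = $t.Name
            Direction               = "$($t.Direction)"   # interpret relative to this domain
            ForestTrust             = $isForest
            SelectiveAuthentication = [bool]$t.SelectiveAuthentication
            Findings                = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-TrustRiskReport | Format-Table -AutoSize
```

Run it from a domain-joined host; any non-empty Findings column on a trust whose Direction lets the other side authenticate into your domain is the setting to revisit.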