Active Directory Domain • Release: 6 Benchmark Date: 05 Jan 2026
CAT III V-243494 DS00.1120_AD
Each cross-directory authentication configuration must be documented.
Discussion
Active Directory (AD) external, forest, and realm trust configurations are designed to extend resource access to a wider range of users (those in other directories). If specific baseline documentation of authorized AD external, forest, and realm trust configurations is not maintained, it is impossible to determine if the configurations are consistent with the intended security policy.
Check Procedure
Start "Active Directory Domains and Trusts" (Available from various menus or run "domain.msc"). Select the left pane item that matches the name of the domain being reviewed. Right-click the domain name and select "Properties". Select the "Trusts" tab. For each outbound and inbound external, forest, and realm trust, record the name of the other party (domain name), the trust type, transitivity, and the trust direction. (Keep this trust information for use in subsequent checks.) Compare the list of trusts identified with documentation maintained by the ISSO. For each trust, the documentation must contain the following: Type (external, forest, or realm) Name of the other party Confidentiality, Availability, and Integrity categorization Classification level of the other party Trust direction (inbound and/or outbound) Transitivity Status of the Selective Authentication option Status of the SID filtering option If an identified trust is not listed in the documentation or if any of the required items are not documented, this is a finding.
Fix Action
Develop documentation for each AD external, forest, and realm trust configuration. At a minimum this must include: Type (external, forest, or realm) Name of the other party Confidentiality, Availability, and Integrity categorization Classification level of the other party Trust direction (inbound and/or outbound) Transitivity Status of the Selective Authentication option Status of the SID filtering option