1
00:00:07,000 --> 00:00:11,100
In some cases, trusts can present security issues.

2
00:00:11,500 --> 00:00:15,790
Additionally, if you do not configure a trust properly,

3
00:00:15,790 --> 00:00:22,020
users who belong to another domain can gain unwanted access to some resources.

4
00:00:22,030 --> 00:00:28,810
Several technologies can help you to control and manage security in a trust.

5
00:00:28,810 --> 00:00:32,020
Let's start with SID filtering. By default,

6
00:00:32,020 --> 00:00:39,490
when you establish a forest or domain trust, domain quarantine is enabled, which is also

7
00:00:39,490 --> 00:00:41,360
known as SID filtering.

8
00:00:41,470 --> 00:00:49,690
When a user authenticates in a trusting domain, the user presents authorization data that includes the

9
00:00:49,690 --> 00:00:54,190
SIDs of all of the groups to which the user belongs.

10
00:00:54,190 --> 00:01:03,330
Additionally, the user's authorization data includes the SID history of the user and the user's

11
00:01:03,340 --> 00:01:12,190
groups. SID filtering prevents misuse of the SID history attribute by allowing reading of the SID

12
00:01:12,490 --> 00:01:20,530
only from the objectSID attribute and not the SID history attribute in a trusted domain. Scenario:

13
00:01:20,650 --> 00:01:28,930
the administrator can use administrative credentials in the trusted domain to load SIDs that are the

14
00:01:28,930 --> 00:01:37,750
same as SIDs of privileged accounts in your domain into the SID history attribute of a user, so that the

15
00:01:37,750 --> 00:01:44,110
user would then have inappropriate levels of access to resources in your domain.

16
00:01:44,110 --> 00:01:52,390
SID filtering prevents this by enabling the trusting domain to filter out SIDs from the trusted domain

17
00:01:52,750 --> 00:01:57,250
that are not the primary SIDs of the security principals.

18
00:01:57,280 --> 00:02:01,300
Each SID includes the SID of the originating domain.

19
00:02:01,630 --> 00:02:10,780
So when a user from a trusted domain presents the list of the user's SIDs and the SIDs of the user's

20
00:02:10,780 --> 00:02:20,050
groups, SID filtering instructs the trusting domain to discard all SIDs without the domain SID of the

21
00:02:20,050 --> 00:02:28,960
trusted domain. So SID filtering is enabled by default for all outgoing trusts to external domains and

22
00:02:28,960 --> 00:02:35,600
forests. Another technology that can help you to control and manage security in a trust is

23
00:02:35,710 --> 00:02:37,830
selective authentication.

24
00:02:37,990 --> 00:02:45,700
When you create an external trust or a forest trust, you can manage the scope of authentication of trusted

25
00:02:45,700 --> 00:02:47,680
security principals.

26
00:02:47,680 --> 00:02:56,020
There are two modes of authentication for an external or forest trust: domain-wide authentication for

27
00:02:56,020 --> 00:03:04,720
an external trust or forest-wide authentication for a forest trust, and selective authentication.

28
00:03:04,720 --> 00:03:12,880
Choosing domain-wide or forest-wide authentication enables all trusted users to authenticate

29
00:03:12,880 --> 00:03:20,650
for services and access on all computers in the trusting domain. Therefore, trusted

30
00:03:20,650 --> 00:03:28,250
users can be given permission to access the resources anywhere in the trusting domain.

31
00:03:28,300 --> 00:03:37,540
If you use this authentication mode, all users from a trusted domain or forest are considered Authenticated

32
00:03:37,570 --> 00:03:40,740
Users in the trusting domain.

33
00:03:40,750 --> 00:03:48,860
Lastly, if you choose domain-wide or forest-wide authentication, any resource that has permissions granted to

34
00:03:49,180 --> 00:03:57,660
Authenticated Users is accessible immediately to trusted domain users.

35
00:03:57,880 --> 00:04:06,180
If you choose selective authentication, all users from a trusted domain are trusted identities.

36
00:04:06,790 --> 00:04:16,180
However, they are allowed to authenticate only for services on computers that you specify. When they use

37
00:04:16,180 --> 00:04:18,190
selective authentication,

38
00:04:18,190 --> 00:04:26,980
users will not become Authenticated Users in the target domain, but you can explicitly grant them the

39
00:04:27,340 --> 00:04:32,740
Allowed to Authenticate permission on specific computers.

40
00:04:32,740 --> 00:04:39,700
For example, imagine that you have an external trust with a partner organization's domain. You want to

41
00:04:39,700 --> 00:04:48,880
ensure that only users from the partner organization's marketing group can access shared folders on only

42
00:04:48,880 --> 00:04:51,930
one of your many file servers.

43
00:04:51,970 --> 00:04:57,370
You can configure selective authentication for the trust relationship.

44
00:04:57,400 --> 00:05:06,670
You can then give the trusted users the right to authenticate only for that one file server. The next

45
00:05:06,670 --> 00:05:14,090
technology that can help you control and manage security in a trust is name suffix routing.

46
00:05:14,260 --> 00:05:23,770
Name suffix routing is a mechanism for managing how authentication requests are routed across forests running

47
00:05:23,770 --> 00:05:32,200
Windows Server 2003 or newer that are joined by forest trusts, to simplify the administration of

48
00:05:32,560 --> 00:05:34,780
authentication requests.

49
00:05:34,780 --> 00:05:43,360
When you create a forest trust, AD DS routes all unique name suffixes by default. A unique name

50
00:05:43,360 --> 00:05:53,260
suffix is a name suffix within a forest, such as a UPN suffix, an SPN suffix, or a DNS forest or domain

51
00:05:53,260 --> 00:05:59,050
tree name, that is not subordinate to any other name suffix.

52
00:05:59,050 --> 00:06:06,780
For example, the DNS forest name fabrikam.com is a unique name suffix within the fabrikam.com

53
00:06:06,850 --> 00:06:10,700
forest. AD DS routes

54
00:06:10,900 --> 00:06:19,660
all names that are subordinate to unique name suffixes implicitly. For example, if your forest uses

55
00:06:19,930 --> 00:06:28,130
fabrikam.com as a unique name suffix, authentication requests for all child domains of fabrikam.com

56
00:06:28,130 --> 00:06:36,160
(that is, childdomain.fabrikam.com) are routed, because the child domains are part

57
00:06:36,160 --> 00:06:39,430
of the fabrikam.com name suffix. Child

58
00:06:39,520 --> 00:06:44,750
names appear in the Active Directory Domains and Trusts snap-in.

59
00:06:44,890 --> 00:06:52,180
If you want to exclude members of a child domain from authenticating in a specified forest, you can disable

60
00:06:52,180 --> 00:06:55,150
name suffix routing for that name.

61
00:06:55,180 --> 00:06:59,870
You can also disable routing for the forest name itself.

62
00:06:59,890 --> 00:07:08,110
Now, if you want to additionally read some more information about these technologies, you can use these

63
00:07:08,440 --> 00:07:17,650
links and read more about SID filtering, enabling selective authentication on a forest trust, and read

64
00:07:17,650 --> 00:07:18,320
about

65
00:07:18,460 --> 00:07:19,780
name suffix routing.

66
00:07:20,050 --> 00:07:22,030
Please refer to these links.
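The following is an added example that is not part of the lecture and is not Windows or Active Directory code. It is a simplified Python model of the two trust controls the lecture explains: SID filtering, which keeps only the SIDs whose domain part belongs to the trusted domain (generalized here to a set of trusted domain SIDs so that a forest trust with several domains fits the same check), and selective authentication, where a trusted user may authenticate to a computer only if the user or one of the user's groups holds an Allowed to Authenticate grant on it. All SIDs, the partner "Marketing" group, the file server ACL and the `sid_filter`, `can_authenticate` and `demo` function names are constructed for the illustration; the only real value is RID 512 (Domain Admins). Well-known SIDs that the trusting domain adds locally, such as Authenticated Users, are deliberately outside the model.

```python
"""Simplified model of SID filtering and selective authentication on a trust.
Added example, not code from the lecture or from Windows; every SID below is a
constructed sample value."""
from dataclasses import dataclass, field

# Well-known RID of the Domain Admins group (identical in every domain).
DOMAIN_ADMINS_RID = 512


def domain_sid(sid: str) -> str:
    """Return the domain part of an account or group SID by stripping the RID.
    Example: S-1-5-21-10-20-30-1105 -> S-1-5-21-10-20-30"""
    return sid.rsplit("-", 1)[0]


@dataclass
class AuthorizationData:
    """What a trusted-domain user presents when authenticating in the trusting domain."""
    user_sid: str
    group_sids: list[str]
    sid_history: list[str] = field(default_factory=list)

    def all_sids(self) -> list[str]:
        return [self.user_sid, *self.group_sids, *self.sid_history]


def sid_filter(authz: AuthorizationData, trusted_domain_sids: set[str]) -> tuple[list[str], list[str]]:
    """SID filtering as described in the lecture: keep SIDs whose domain part is a
    trusted domain's SID, discard everything else (including injected SIDHistory
    entries that carry the trusting domain's own SID). Returns (kept, dropped)."""
    kept: list[str] = []
    dropped: list[str] = []
    for sid in authz.all_sids():
        (kept if domain_sid(sid) in trusted_domain_sids else dropped).append(sid)
    return kept, dropped


def can_authenticate(mode: str, allowed_to_authenticate: set[str], principal_sids: list[str]) -> bool:
    """Authentication scope for one computer in the trusting domain.
    'domain-wide' (or forest-wide) lets every trusted user authenticate anywhere;
    'selective' requires an Allowed to Authenticate grant on that computer for the
    user or one of the user's groups."""
    if mode == "domain-wide":
        return True
    if mode == "selective":
        return any(sid in allowed_to_authenticate for sid in principal_sids)
    raise ValueError(f"unknown authentication mode: {mode}")


# Constructed scenario: your domain, a partner domain, and a partner user whose
# SIDHistory has been loaded with your Domain Admins SID (the misuse the lecture warns about).
TRUSTING_DOMAIN = "S-1-5-21-1000-1000-1000"   # your domain (constructed)
TRUSTED_DOMAIN = "S-1-5-21-2000-2000-2000"    # partner domain (constructed)
MARKETING_GROUP = f"{TRUSTED_DOMAIN}-1200"    # partner "Marketing" group (constructed)

PARTNER_USER = AuthorizationData(
    user_sid=f"{TRUSTED_DOMAIN}-1105",
    group_sids=[MARKETING_GROUP],
    sid_history=[f"{TRUSTING_DOMAIN}-{DOMAIN_ADMINS_RID}"],
)


def demo() -> dict:
    """Run the scenario and report what each control changes."""
    kept, dropped = sid_filter(PARTNER_USER, {TRUSTED_DOMAIN})
    unfiltered = PARTNER_USER.all_sids()              # what arrives if filtering is disabled
    your_domain_admins = f"{TRUSTING_DOMAIN}-{DOMAIN_ADMINS_RID}"
    file_server_acl = {MARKETING_GROUP}               # Allowed to Authenticate: Marketing only
    return {
        "kept": kept,
        "dropped": dropped,
        "unfiltered_grants_domain_admins": your_domain_admins in unfiltered,
        "filtered_grants_domain_admins": your_domain_admins in kept,
        "file_server_selective": can_authenticate("selective", file_server_acl, kept),
        "other_server_selective": can_authenticate("selective", set(), kept),
        "other_server_domain_wide": can_authenticate("domain-wide", set(), kept),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the injected Domain Admins SID surviving only when filtering is off, and the Marketing user reaching the one file server under selective authentication while being refused everywhere else, which is exactly the partner-organization example from the lecture.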