Trust Relationships

The curved arrows between domains on the topology graph represent trust relationships.

To display trust relationships:

  • On the topology graph, hover over the curved arrows.

    Tenable Identity Exposure displays the specific attributes of the trust relationship between the two entities.

The color of a trust relationship depends on its threat level:

  • Red for dangerous trusts

  • Orange for regular trusts

  • Blue for unknown trusts

For more information, see Dangerous Trusts.

The trust attribute information indicates the trust direction as unidirectional or bidirectional (incoming/outgoing) and displays one of the following values:

  • Non-transitive

    By default, intra-forest trusts are transitive. Tenable Identity Exposure uses this flag to convert them into non-transitive trusts. Inter-forest trusts, on the other hand, are non-transitive by default, hence the presence of the Forest transitive flag. Tenable Identity Exposure displays this value if an intra-forest inter-domain trust exists. The trust grants no access and delegates no authority to interconnected domains beyond the forest.

  • Forest transitive

    Indicates that a transitive trust exists between two forests. The trust granted to another domain can pass to the trusted forest.

  • Within forest

    Indicates that an inter-domain trust exists within the same forest. If WITHIN_FOREST and QUARANTINED_DOMAIN are both present, the trust is referred to as QuarantinedWithinForest.

  • Up level only

    Indicates that only clients running Windows 2000 and later operating systems can use this trust.

  • Treat as external (only when FOREST_TRANSITIVE applies)

    Indicates an external type of trust. Tenable Identity Exposure modifies the security identifier (SID) filtering on the trust and authorizes the SIDs whose relative identifier (RID) is greater than or equal to 1000 to pass across the forest.

  • Quarantined

    Indicates that Tenable Identity Exposure enabled the filtering of the SIDs whose RID is greater than or equal to 1000 for the trust. By default, Tenable Identity Exposure only enables it for an external trust, but it can also apply to a parent/child trust or a forest trust.

  • Cross-organization authentication

    Indicates that Tenable Identity Exposure enabled selective authentication, which can be used across domain or forest trusts.

  • Selective authentication

    See Cross-organization authentication.

  • Cross organization without TGT delegation

    Displayed when delegation to the trusted domain is fully disabled (the ok-as-delegate option is never set in issued service tickets).

  • RC4 encryption

    Indicates that the trust supports RC4 encryption keys for Kerberos exchanges. This flag is present only if the trustType is TRUST_TYPE_MIT.

  • AES keys

    Indicates that the trust supports AES encryption keys for Kerberos exchanges.

  • PIM trust

    If the FOREST_TRANSITIVE and TREAT_AS_EXTERNAL flags apply and the QUARANTINED_DOMAIN flag is not set, the PIM trust flag indicates that the trusted forest manages privileged identities (Privileged Identity Management) with regard to SID filtering: local SIDs can pass across this trust. PIM trusts are used to implement bastion forests.

  • No attribute

    Indicates that the external trust has no specific attribute.
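As an added example (not Tenable Identity Exposure's own code), the following Python decoder maps the raw LDAP values of a trustedDomain object (trustAttributes, trustDirection, trustType) to the labels listed above, applying the display rules the list states (Treat as external only with FOREST_TRANSITIVE, RC4 only for MIT trusts, the QuarantinedWithinForest and PIM combinations). The bit values are the MS-ADTS ones; deriving the "AES keys" label from msDS-SupportedEncryptionTypes is an assumption of this example.

```python
"""Decode Active Directory trust attributes into the labels in the list above.
Added example, not Tenable code. Bit values per MS-ADTS (trustAttributes,
trustDirection, trustType); the AES label is derived from
msDS-SupportedEncryptionTypes (MS-KILE), which is an assumption here."""

TRUST_ATTRIBUTES = {  # trustAttributes bit -> display label
    0x0001: "Non-transitive",
    0x0002: "Up level only",
    0x0004: "Quarantined",
    0x0008: "Forest transitive",
    0x0010: "Cross-organization authentication",
    0x0020: "Within forest",
    0x0040: "Treat as external",
    0x0080: "RC4 encryption",
    0x0200: "Cross organization without TGT delegation",
    0x0400: "PIM trust",
}
TRUST_DIRECTION = {0: "disabled", 1: "incoming", 2: "outgoing", 3: "bidirectional"}
TRUST_TYPE_MIT = 3            # trustType value for a non-Windows Kerberos realm
AES_ENC_TYPES = 0x08 | 0x10   # AES128-CTS-HMAC-SHA1-96 | AES256-CTS-HMAC-SHA1-96


def decode_trust(attrs: int, direction: int, trust_type: int = 2, enc_types: int = 0) -> dict:
    """Return direction, attribute labels and whether the PIM (bastion) condition holds."""
    labels = [name for bit, name in TRUST_ATTRIBUTES.items() if attrs & bit]
    # Display rules from the list: Treat as external only with FOREST_TRANSITIVE,
    # RC4 encryption only when trustType is TRUST_TYPE_MIT.
    if attrs & 0x0040 and not attrs & 0x0008:
        labels.remove("Treat as external")
    if attrs & 0x0080 and trust_type != TRUST_TYPE_MIT:
        labels.remove("RC4 encryption")
    if enc_types & AES_ENC_TYPES:
        labels.append("AES keys")
    # WITHIN_FOREST + QUARANTINED_DOMAIN is reported as QuarantinedWithinForest.
    if attrs & 0x0020 and attrs & 0x0004:
        labels.append("QuarantinedWithinForest")
    if not labels:
        labels.append("No attribute")
    # PIM trust is meaningful only with FOREST_TRANSITIVE and TREAT_AS_EXTERNAL
    # set and QUARANTINED_DOMAIN clear (local SIDs may cross the trust).
    pim = bool(attrs & 0x0400) and bool(attrs & 0x0008) and bool(attrs & 0x0040) and not attrs & 0x0004
    return {"direction": TRUST_DIRECTION.get(direction, "unknown"), "attributes": labels, "pim_trust": pim}


if __name__ == "__main__":
    # Constructed sample: a quarantined outgoing external trust, and a bastion-forest trust.
    print(decode_trust(0x0004, 2))
    print(decode_trust(0x0448, 3))
```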