archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/security/tools/trustdom2/trust-tp.txt

118 lines
3.1 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. Trust Test Plan
  2. ---------------
  5. 1. Preparation
  7. Configurations needed:
  8. - two or more DCs
  9. - on each DC, make Administrator the current account and be sure to have TcbPrivilege
  10. - on each DC, create a test user account
  12. To automate these steps, use \\scratch\scratch\cristiai\trust\luok.cmd
  13. (luok.cmd requires buildnum.exe, arights.exe and logontst.exe in path)
  15. Depending on the relationships desired between these DCs (parent child,
  16. same enterprise) one or more demote/promote operations (using dcpromo or
  17. an equivalent command line tool) might be needed between test cases.
  19. 1.1 Required executables:
  20. trustdom.exe
  21. arights.exe
  22. logontst.exe
  24. From idw:
  25. buildnum.exe (only for luok.cmd)
  27. 2. Basic Test Case Scenario
  29. Basically, for each domain and different modes of trust links, the test
  30. users from the other machines will be logged on the current domain.
  32. The steps are:
  33. - set trust links, if necessary (because sometimes trusts are implicitly
  34. defined, by example if there is a parent-child relationship between
  35. those domains)
  36. - for a given domain:
  37. - preparing to logon a user from another domain, grant that user
  38. the InteractiveLogonRight (using arights.exe)
  39. - test logon for that user
  40. - at the end, you can reset the trust links to the status prior to the
  41. test; take care not to delete trusts not set up by the test, like
  42. child-parent trusts
  44. 3. Notation
  46. Domain names in uppercase only.
  48. X ----> Y
  49. - one way trust from X to Y, i.e. users from Y can log to X but not the
  50. other way; such a trust link is outbound on X and inbound on Y; it is
  51. listed by a 'trustdom X -list' command as "Y ,O,T_uplevel,_,_,_"
  52. (or T_downlevel, depending if the machines involved are NT5s or NT4s)
  54. X <---> Y
  55. - two way trust; it is listed by a 'trustdom X -list' command as
  56. "Y ,B,T_uplevel,_,_,_"
  58. X=P(Y)
  59. - X is parent for domain Y
  61. [A,B,C]
  62. - domains A, B, C are in the same enterprise
  64. A\User
  65. - user account from domain A
  67. B:A\User
  68. - attempt to logon user A\User on domain B
  70. Text after // is used as a comment.
  72. 4. Test Cases
  74. Sanity check: on each domain you can perform a local logon with the
  75. local user account (don't forget to grant it locally too the
  76. InteractiveLogonRight)
  77. So, for each domain you can perform a "DOM:DOM\User = PASS"
  79. 4.1 Using Two Domains:
  81. 4.1.1 No trust link between A and B
  82. A:B\User = FAIL
  83. B:A\User = FAIL
  85. 4.1.2 A ---> B
  86. A:B\User = PASS
  87. B:A\User = FAIL
  89. 4.1.3 A <--> B
  90. A:B\User = PASS
  91. B:A\User = PASS
  93. 4.2 Using Three Domains:
  95. 4.2.1 Separate enterprises (i.e. [A] [B] [C])
  96. Logon must succeed depending only on the existance of the trust between
  97. the two domain involved, no transitivity
  99. That is for A <--> B --> C,
  100. A:B\User = PASS // because of A <--> B
  101. A:C\User = FAIL // no transitivity
  103. B:A\User = PASS // because of A <--> B
  104. B:C\User = PASS // because of B ---> C
  106. C:A\User = FAIL
  107. C:B\User = FAIL
  109. 4.2.2 [A,B,C] and B=P(A)
  110. All combinations must pass, that is:
  111. A:B\User = PASS
  112. A:C\User = PASS // due to transitivity inside the enterprise
  114. B:A\User = PASS
  115. B:C\User = PASS
  117. C:A\User = PASS // due to transitivity inside the enterprise
  118. C:B\User = PASS