AD Starter Scan - Dangerous Trust Relationship

medium Nessus Plugin ID 150486
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


A dangerous configuration on an outbound trust relationship is configured.


No security mechanism has been activated on a trust relationship, allowing lateral movement across AD domains. Two attack scenarios are checked in this plugin:

- SID history injection (by checking the SID filter quarantining configuration)
- Exploitability of the 'printer bug' (by checking if selective authentication or TGT delegation is correctly configured) Note: This plugin is part of the Active Directory Starter Scan Template and is meant to be used for preliminary analysis of AD hosts. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post -


Both SID filter quarantining (set the option on the trust) and protections against the 'printer bug' should be applied.

Two protections can be used against the 'printer bug': disabling the possibility of doing a TGT delegation or configuring selective authentication on the trust.

See Also

Plugin Details

Severity: Medium

ID: 150486

File Name: adsi_trust_unsafe.nbin

Version: 1.10

Type: local

Agent: windows

Family: Windows

Published: 7/29/2021

Updated: 9/20/2021

Dependencies: adsi_enum.nbin

Risk Information

CVSS Score Source: manual

CVSS Score Rationale: Score based on an in-depth analysis by tenable.


Risk Factor: Medium

Base Score: 6.8

Vector: AV:N/AC:H/Au:M/C:C/I:C/A:C


Risk Factor: Medium

Base Score: 6.6

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:active_directory

Required KB Items: Secret/adsi/username/0, Secret/adsi/password/0, adsi/host/0, adsi/domain/0, adsi_enum_directory_trusts/available