Domain – Security Risks of a One-Way Trust Relationship between Domains

Tags: active-directory, domain

A vendor is asking us to create a one-way trust relationship between their domain and ours so that our users can log onto their applications/servers with credentials from our domain.

What are the security risks involved? My first thought is to deny the request and insist that they install their application on servers we have verified and that we monitor/scan on our domain. But I'd like to have something to back me up so that it isn't just "because I said so."

EDIT: Their servers are located on-site here but on their own domain (something.local).

Best Answer

Your vendor would not have access to resources in your forest with a one-way trust, so the risk to your environment is somewhat minimized on an AD functional level.

On a network level, there are a truckload of ports that need to be opened between your domain controllers and the vendor's domain controllers. If their domain controllers or application servers are compromised, the compromised vendor machines may have direct network-level access to attack your domain controllers.

Attackers may also be able to compromise the hash of your accounts that are authenticating on the vendor's systems, and use those compromised credentials to gain access to your environment.

Federated solutions are usually a far better choice.
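If the trust does get created, the settings on the trust object are what limit the exposure the answer describes: direction, transitivity, SID filtering, and whether your users' Kerberos TGTs may be delegated across to the vendor's servers. The script below is an added example and is not part of the question or the answer; it audits the trusts visible from the account (your) domain with the RSAT `ActiveDirectory` module and reports the settings a defender should review before signing off. `$VendorDomain` defaults to the placeholder `something.local` from the question and must be replaced with the real name; the hypothetical `Get-TrustFindings` function and the wording of its findings are this example's own.

```powershell
<#
  Added example, not from the original post. Audits trust objects from the
  account domain's side and lists the settings that bound a one-way vendor
  trust's blast radius. Requires the RSAT ActiveDirectory module.
#>
param(
    # Placeholder taken from the question; substitute the vendor's real domain.
    [string]$VendorDomain = 'something.local'
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-TrustFindings {
    param($Trust)
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # A trust that exists only so our users can log on to the vendor's servers
    # never needs to be two-way: a bidirectional trust lets vendor principals
    # be granted access to resources in our forest.
    if ($Trust.Direction -eq 'Bidirectional') {
        $findings.Add('Trust is bidirectional; a one-way trust suffices for our users to authenticate to the vendor.')
    }

    # A forest trust extends the relationship to every domain in the vendor's
    # forest, not only the domain we were asked to trust.
    if ($Trust.ForestTransitive) {
        $findings.Add('Trust is forest-transitive; an external trust to the single vendor domain is narrower.')
        if (-not $Trust.SIDFilteringForestAware) {
            $findings.Add('SID filtering (forest-aware) is off; SIDs from the vendor forest could be accepted via SIDHistory.')
        }
    }
    elseif (-not $Trust.SIDFilteringQuarantined) {
        # Quarantine (SID filtering) on an external trust rejects SIDs that do
        # not belong to the vendor domain, which blocks SIDHistory injection.
        $findings.Add('SID filtering (quarantine) is off; enable it so only SIDs from the vendor domain are honoured.')
    }

    # TGT delegation across the trust allows our users' TGTs to be forwarded
    # to vendor servers configured for unconstrained delegation. That is the
    # credential-exposure path the answer warns about; keep it disabled.
    if ($Trust.TGTDelegation) {
        $findings.Add('TGT delegation is enabled; our users'' TGTs can be forwarded to vendor hosts with unconstrained delegation.')
    }

    # A trust still negotiating only RC4 puts the trust secret behind weaker
    # Kerberos crypto than AES.
    if ($Trust.UsesRC4Encryption -and -not $Trust.UsesAESKeys) {
        $findings.Add('Trust uses RC4 only; enable AES keys for the trust.')
    }

    return $findings
}

$trusts = @(Get-ADTrust -Filter *)
if ($trusts.Count -eq 0) {
    Write-Output 'No trusts configured in this domain.'
    return
}

foreach ($t in $trusts) {
    $label = if ($t.Name -ieq $VendorDomain) { ' [vendor trust]' } else { '' }
    Write-Output ('Trust {0}{1}: direction={2}, forestTransitive={3}, selectiveAuth={4}' -f `
        $t.Name, $label, $t.Direction, $t.ForestTransitive, $t.SelectiveAuthentication)

    $findings = Get-TrustFindings -Trust $t
    if ($findings.Count -eq 0) {
        Write-Output '  no findings'
    }
    else {
        foreach ($line in $findings) { Write-Output "  - $line" }
    }
}
```

Two caveats when reading the output. Selective authentication is enforced on the trusting (vendor) side of the trust, so on an inbound-only trust the value shown here is informational and the vendor's trust object is the one that must be checked. The script also says nothing about the firewall rules between the two sets of domain controllers; the network-level exposure in the answer has to be reviewed separately.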
