Educause Security Discussion mailing list archives

Re: Externally administered servers in domain - policies and procedures for joining


From: Chris Green <cmgreen () UAB EDU>
Date: Fri, 12 Jun 2009 18:11:15 -0500

You'll likely get much better answers from the win-hied mailing list. We
support delegated OU management where there is an OU for each area
where computer accounts and group accounts are created. We centrally
handle user provisioning.

We've set up one-way trusts to support people using our accounts in a
separate domain. I'm not a big fan of this. Per the SANS Windows
security course, the main (only?) justification for separate domains
is politics and "who has domain admin".

We restrict with a proxyadmin tool:

 - Group creation (must conform to naming convention; unfortunately
   we've not been able to prevent renaming of groups from AD)
 - GPO creation (most people that want 10 GPOs really don't know how to
   use GPOs)
 - Joining new systems to the domain (must create the account first and
   conform to naming convention)
 - Resource and user account creation.

AFAICT, there are no real risks associated with having someone's server
in the domain that don't also exist by issuing credentials to the
system. The big one of allowing impersonation is the only one I can
think of.

Domain admins should NEVER log in to the departmental servers, and that
functionality must be maintained with completely separate user accounts.

We also go through a pretty big set of what is allowed through central
GPO application versus what is done at the OU level. That means
things like screensaver passwords are handled only at the departmental
OU level. That was a concession to politics long ago and has served
us well in the "trust us to provide the domain, we trust you to
maintain what you have to".

On Jun 9, 2009, at 1:56 PM, Gary Flynn wrote:

Hi,

Our IT administered Windows servers are in an IT administered
domain but departmental servers are either not in a domain
at all, are in separate and isolated departmental domains,
or in domains where a forest trust exists.

We've been requested to consider joining some of the
departmental administered web servers into our IT domain in
separate OUs.

I was at first reluctant to put externally administered
servers in our domain but then realized all our domain
joined desktops are in our domain. How much worse could
a server be? :)

Granted, the servers are internet exposed but how much
risk does that pose to the domain?

I see advantages and disadvantages.

Advantages:
Ability to leverage central IT patching, inventory,
and monitoring services to better protect the server.

Disadvantages:
Having an externally administered, internet exposed
server joined to the same domain as our critical
data center systems.

The other thing I was wondering about was an appropriate
process for the migration. How much effort should be
expended in verifying the integrity of the server before
joining it to the central domain? Full forensics analysis?
Cursory event log and network traffic analysis? Malware
and rootkit detection tools? Recent patches and AV
definitions?

Do you have externally administered servers in the same
domain as data center systems? Are your desktops in the
same domain as your sensitive servers? What type of
policies and procedures do you apply before allowing a
device to join a domain?

thanks for any enlightenment,

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
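The two controls Chris describes, a pre-created computer account that must sit in the department's delegated OU and match a naming convention, and a hard rule that Domain Admins never log on to departmental servers, can both be scripted. The PowerShell below is an added example written for this archive page; it is not the proxyadmin tool from the thread or any UAB or JMU code. It assumes the ActiveDirectory RSAT module is installed, and the OU path (`OU=WebServers,OU=Biology,DC=example,DC=edu`), the naming pattern (`DEPT-ROLE-NN`, e.g. `BIO-WEB-01`) and the server names are hypothetical placeholders.

```powershell
# Added example, not from the thread. Hypothetical values: the delegated OU,
# the naming convention and the server names. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$DelegatedOU = 'OU=WebServers,OU=Biology,DC=example,DC=edu'   # hypothetical
$NamePattern = '^[A-Z]{2,4}-(WEB|APP|DB)-\d{2}$'               # hypothetical convention

function Test-ComputerNameConvention {
    param([Parameter(Mandatory)][string]$Name)
    # NetBIOS computer names are at most 15 characters and must match the convention.
    return ($Name.Length -le 15) -and ($Name -match $NamePattern)
}

function New-DelegatedComputerAccount {
    # Pre-creates the computer object inside the delegated OU, so the later join
    # cannot land the object in the default Computers container or anywhere else,
    # and refuses names that break the convention or that already exist.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Owner   # departmental admin responsible for the box
    )
    if (-not (Test-ComputerNameConvention -Name $Name)) {
        throw "Computer name '$Name' does not match the naming convention $NamePattern"
    }
    if (Get-ADComputer -Filter "Name -eq '$Name'") {
        throw "Computer account '$Name' already exists; refusing to reuse it"
    }
    New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $DelegatedOU `
        -Description "Owner: $Owner; pre-created for delegated join" -Enabled $true
    return Get-ADComputer -Identity $Name
}

function Find-DomainAdminLogons {
    # Audit for the "domain admins never log in to departmental servers" rule:
    # reads each server's Security log for 4624 events with interactive (2) or
    # RDP (10) logon type by any nested member of Domain Admins. Expected result: none.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$Days = 7
    )
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName
    $since = (Get-Date).AddDays(-$Days)
    foreach ($server in $ComputerName) {
        $events = Get-WinEvent -ComputerName $server -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $since
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # 4624 property positions: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress
            $user      = $e.Properties[5].Value
            $logonType = [int]$e.Properties[8].Value
            if (($logonType -in @(2, 10)) -and ($admins -contains $user)) {
                [pscustomobject]@{
                    Server    = $server
                    Time      = $e.TimeCreated
                    User      = $user
                    LogonType = $logonType
                    Source    = $e.Properties[18].Value
                }
            }
        }
    }
}

# Usage (hypothetical names). The join itself is run on the new server by the
# departmental admin whose credential has rights on the pre-created object:
#   New-DelegatedComputerAccount -Name 'BIO-WEB-01' -Owner 'jdoe'
#   Add-Computer -DomainName 'example.edu' -OUPath $DelegatedOU -Credential (Get-Credential) -Restart
#   Find-DomainAdminLogons -ComputerName 'BIO-WEB-01','BIO-WEB-02' -Days 30 | Format-Table
```

The pre-creation step is what makes the OU boundary enforceable: a delegated admin who can only create and manage objects under their own OU cannot join a machine anywhere else, and the naming check runs before the object exists rather than as a rename hunt afterwards. The logon audit gives the central team a cheap way to verify that the "never" in the rule is actually true on the internet-exposed boxes Gary is worried about.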
