Educause Security Discussion mailing list archives

Externally administered servers in domain - policies and procedures for joining


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 9 Jun 2009 14:56:30 -0400



Hi,

Our IT-administered Windows servers are in an IT-administered
domain, but departmental servers are either not in a domain
at all, are in separate and isolated departmental domains,
or are in domains where a forest trust exists.

We've been requested to consider joining some of the
departmentally administered web servers into our IT domain in
separate OUs.

I was at first reluctant to put externally administered
servers in our domain but then realized all our domain-joined
desktops are in our domain. How much worse could
a server be? :)

Granted, the servers are internet exposed but how much
risk does that pose to the domain?

I see advantages and disadvantages.

Advantages:
  Ability to leverage central IT patching, inventory,
  and monitoring services to better protect the server.

Disadvantages:
  Having an externally administered, internet-exposed
  server joined to the same domain as our critical
  data center systems.

The other thing I was wondering about was an appropriate
process for the migration. How much effort should be
expended in verifying the integrity of the server before
joining it to the central domain? Full forensics analysis?
Cursory event log and network traffic analysis? Malware
and rootkit detection tools? Recent patches and AV
definitions?

Do you have externally administered servers in the same
domain as data center systems? Are your desktops in the
same domain as your sensitive servers? What type of
policies and procedures do you apply before allowing a
device to join a domain?

Thanks for any enlightenment,

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
