Educause Security Discussion mailing list archives
Re: Externally administered servers in domain - policies and procedures for joining
From: Chris Green <cmgreen () UAB EDU>
Date: Fri, 12 Jun 2009 18:11:15 -0500
You'll likely get much better answers from the win-hied mailing list.

We support delegated OU management where there is an OU for each area where computer accounts and group accounts are created. We centrally handle user provisioning. We've set up one-way trusts to support people using our accounts in a separate domain. I'm not a big fan of this. Per the SANS Windows security course, the main (only?) justification for separate domains is politics and "who has domain admin".

We restrict with a proxyadmin tool:

- Group creation (must conform to naming convention; unfortunately we've not been able to prevent renaming of groups from AD)
- GPO creation (most people that want 10 GPOs really don't know how to use GPOs)
- Joining new systems to the domain (must create the account first and conform to naming convention)
- Resource and user account creation

AFAICT, there are no real risks associated with having someone's server in the domain that don't also exist by issuing credentials to the system. The big one of allowing impersonation is the only one I can think of. Domain admins should NEVER log in to the departmental servers, and that functionality must be maintained with completely separate user accounts.

We also go through a pretty big set of what is allowed through central GPO application versus what is done at the OU level. That means things like screensaver passwords are handled only at the departmental OU level. That was a concession to politics long ago and has served us well in the "trust us to provide the domain, we trust you to maintain what you have to" sense.

On Jun 9, 2009, at 1:56 PM, Gary Flynn wrote:
Hi,

Our IT administered Windows servers are in an IT administered domain, but departmental servers are either not in a domain at all, are in separate and isolated departmental domains, or are in domains where a forest trust exists.

We've been requested to consider joining some of the departmentally administered web servers into our IT domain in separate OUs. I was at first reluctant to put externally administered servers in our domain but then realized all our domain-joined desktops are in our domain. How much worse could a server be? :) Granted, the servers are internet exposed, but how much risk does that pose to the domain?

I see advantages and disadvantages.

Advantages: Ability to leverage central IT patching, inventory, and monitoring services to better protect the server.

Disadvantages: Having an externally administered, internet-exposed server joined to the same domain as our critical data center systems.

The other thing I was wondering about was an appropriate process for the migration. How much effort should be expended in verifying the integrity of the server before joining it to the central domain? Full forensics analysis? Cursory event log and network traffic analysis? Malware and rootkit detection tools? Recent patches and AV definitions?

Do you have externally administered servers in the same domain as data center systems? Are your desktops in the same domain as your sensitive servers? What type of policies and procedures do you apply before allowing a device to join a domain?

Thanks for any enlightenment,

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
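The control Chris describes above ("domain admins should NEVER log in to the departmental servers") is the one that addresses Gary's concern about an internet-exposed, externally administered server sharing a domain with data center systems: if the box is compromised, the attacker must not be able to harvest a domain admin's credentials from it. The following is an added example, not code from either poster or from the list; it applies that rule as a User Rights Assignment on a single departmental server with `secedit`, so the effect can be checked immediately. It assumes Windows Server with the ActiveDirectory module, an elevated session on an already domain-joined machine, and that the departmental admins' own accounts exist. In production the same `[Privilege Rights]` values belong in a GPO linked to the departmental OU; a GPO will also overwrite whatever this sets locally.

```powershell
# Added example, not from the original thread: enforce "domain admins never log
# on to departmental servers" as a local User Rights Assignment on one server.
# Assumes: Windows Server, ActiveDirectory module available, run elevated on
# the already domain-joined target. In production put the same values in a GPO
# linked to the departmental OU; a GPO will also overwrite what this sets.

#Requires -RunAsAdministrator
Import-Module ActiveDirectory

# INF privilege entries take SIDs prefixed with '*'. Resolve them rather than
# hard-coding: the Domain Admins RID (512) is fixed, the domain SID is not, and
# Enterprise Admins only resolves in the forest root domain (hence the try/catch).
$deniedSids = foreach ($g in 'Domain Admins', 'Enterprise Admins') {
    try { (Get-ADGroup -Identity $g -ErrorAction Stop).SID.Value } catch { }
}
if (-not $deniedSids) { throw 'Could not resolve any privileged group SID; is the server domain-joined?' }

# Warn before locking out the account running the script: the departmental
# admins' own (non-domain-admin) accounts must work before this is applied.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.Groups.Value | Where-Object { $deniedSids -contains $_ }) {
    Write-Warning 'You are in a group about to be denied logon; confirm a departmental admin account works first.'
}

# Deny local console and RDP logon. Network/batch/service logon is left alone
# here; add SeDenyNetworkLogonRight and friends if no central service needs
# privileged network access to the box.
$rights  = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
$sidList = ($deniedSids | ForEach-Object { "*$_" }) -join ','

# secedit only modifies the privileges listed in the template; others are untouched.
$inf  = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
$inf += $rights | ForEach-Object { "$_ = $sidList" }
$infPath = Join-Path $env:TEMP 'deny-da-logon.inf'
$inf | Set-Content -Path $infPath -Encoding Unicode

$dbPath = Join-Path $env:TEMP 'deny-da-logon.sdb'
secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }

# Verify: export the effective policy and check every denied SID is present
# on every right we set.
$exportPath = Join-Path $env:TEMP 'effective-rights.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS /quiet
$effective = Get-Content $exportPath
foreach ($r in $rights) {
    $line    = $effective | Where-Object { $_ -match "^$r\s*=" } | Select-Object -First 1
    $missing = $deniedSids | Where-Object { -not ($line -and $line.Contains($_)) }
    if ($missing) { Write-Warning "$r does not deny: $($missing -join ', ')" }
    else          { Write-Host    "OK  $line" }
}
```

Run it once per departmental server (or, better, paste the generated `[Privilege Rights]` lines into the departmental OU's GPO and let `gpresult /h` do the verification). The point of resolving SIDs instead of names is that the INF format only accepts SIDs, and the same template then works unchanged in any domain. Leaving network logon undenied is a deliberate compromise so that central patching and inventory agents can still reach the server; tighten it if those agents use their own service accounts.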
Current thread:
- Externally administered servers in domain - policies and procedures for joining Gary Flynn (Jun 09)
- <Possible follow-ups>
- Re: Externally administered servers in domain - policies and procedures for joining Chris Green (Jun 12)