The risk of domain-joining your servers is that if a port scanner (i.e. an attacker) finds an open NetBIOS port, that server can be compromised, and from it the laterally adjoined servers in the same domain. Sounds pretty nasty, doesn't it?
However, this particular risk is easily mitigated by intelligent firewall policies. In fact, domain membership will make the firewall configuration easier and more secure.
Advantages of Domain Membership:
- Granular user/group access controls for all protocols
- Full support for user certificate authentication
- Full support for Group Policy management
Disadvantages of Domain Membership:
- If your firewall is compromised, your entire domain may be at risk. However, keep in mind that if your firewall is compromised, there is little on your network that is not at risk.
While "security" concerns are most often cited as the reason to keep servers (IIS servers, DB servers, app servers, etc.) off the domain (i.e. NOT domain-joined), these concerns are old school. With newer firewall technologies, the best practice actually involves domain-joining all the servers you need to. Of course, keeping your data tier in its own VLAN, separated from the web tier, is also part of the best practice.
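As an added example (not from the original post), here is the kind of host firewall policy that makes domain-joined servers safe to run: NetBIOS/SMB is reachable only from the domain controller and management subnets, is blocked outright on non-domain network profiles, and on a DB server the SQL port is open only to the web tier. The subnet addresses are assumptions; substitute your own.

```powershell
# Added example, not the post's own code. Subnets below are assumed values.
$DomainControllerSubnet = '10.0.10.0/24'   # assumed: where the DCs live
$ManagementSubnet       = '10.0.99.0/24'   # assumed: admin jump hosts
$WebTierSubnet          = '10.0.20.0/24'   # assumed: IIS servers (separate VLAN)

# Default-deny inbound on every profile so that only explicit allow rules count.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# NetBIOS/SMB: allow only on the Domain profile and only from trusted subnets.
New-NetFirewallRule -DisplayName 'Allow SMB/NetBIOS (TCP) from DC and mgmt subnets' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 139, 445 `
    -RemoteAddress $DomainControllerSubnet, $ManagementSubnet
New-NetFirewallRule -DisplayName 'Allow NetBIOS (UDP) from DC and mgmt subnets' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol UDP -LocalPort 137, 138 `
    -RemoteAddress $DomainControllerSubnet, $ManagementSubnet

# If the NIC ever lands on a Private/Public profile, the same ports stay closed.
New-NetFirewallRule -DisplayName 'Block SMB/NetBIOS (TCP) on non-domain networks' `
    -Direction Inbound -Action Block -Profile Private, Public `
    -Protocol TCP -LocalPort 139, 445
New-NetFirewallRule -DisplayName 'Block NetBIOS (UDP) on non-domain networks' `
    -Direction Inbound -Action Block -Profile Private, Public `
    -Protocol UDP -LocalPort 137, 138

# Data tier: on a SQL Server host, expose 1433 only to the web-tier VLAN.
New-NetFirewallRule -DisplayName 'Allow SQL from web tier only' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $WebTierSubnet

# Check: list the port filters of the rules just created.
Get-NetFirewallRule -DisplayName 'Allow SMB/NetBIOS*', 'Allow NetBIOS*', 'Allow SQL*' |
    Get-NetFirewallPortFilter
```

Pushing the same rules through Group Policy (one of the domain membership advantages listed above) keeps every server consistent instead of relying on per-host scripts.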