The risk of domain-joining your servers is that if a port scanner (aka an attacker) can find an open NetBIOS port, that server is compromised, and so are the laterally adjoining servers in that domain. Sounds pretty nasty, doesn’t it?

However, this particular risk is easily mitigated by intelligent firewall policies. In fact, domain membership makes the firewall configuration easier and more secure.

Advantages of Domain Membership:

  • Granular user/group access controls for all protocols
  • Full support for user certificate authentication
  • Full support for Group Policy management

Disadvantages of Domain Membership:

  • If your firewall is compromised, your entire domain may be at risk. However, keep in mind that if your firewall is compromised, there is little on your network that is not at risk.

Summary

While ‘security’ concerns are most often cited as the reason to keep servers (IIS servers, DB servers, app servers…) off domains (i.e. NOT domain-joined), these concerns are old school. With newer firewall technologies, the best practice actually involves domain-joining all the servers you need to. Of course, keeping your data tier in its own VLAN, separated from the web tier, would be part of that best practice.
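As an added example (not part of the original post), here is the kind of host firewall policy that mitigates the NetBIOS exposure described above on a domain-joined web-tier server: inbound NetBIOS/SMB is allowed only from the domain controllers and only on the Domain profile, HTTPS is the only published service, and the server cannot initiate SMB toward the data-tier VLAN. The DC addresses and subnet are assumed placeholders.

```powershell
# Added example, not from the original post. Run elevated on a domain-joined Windows Server.
$DomainControllers = @('10.10.1.10', '10.10.1.11')   # assumed DC addresses (placeholders)
$DataTierSubnet    = '10.10.20.0/24'                 # assumed data-tier VLAN (placeholder)

# Default-deny inbound on every profile; the explicit allow rules below are the only way in.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# NetBIOS name/datagram (UDP 137/138), NetBIOS session (TCP 139) and SMB (TCP 445):
# reachable only from the domain controllers, and only while the NIC is on the Domain profile.
New-NetFirewallRule -DisplayName 'NetBIOS UDP from DCs only' -Direction Inbound -Protocol UDP `
    -LocalPort 137,138 -RemoteAddress $DomainControllers -Profile Domain -Action Allow
New-NetFirewallRule -DisplayName 'NetBIOS TCP from DCs only' -Direction Inbound -Protocol TCP `
    -LocalPort 139 -RemoteAddress $DomainControllers -Profile Domain -Action Allow
New-NetFirewallRule -DisplayName 'SMB 445 from DCs only' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $DomainControllers -Profile Domain -Action Allow

# Web tier: HTTPS is the only service this host publishes to the rest of the network.
New-NetFirewallRule -DisplayName 'HTTPS inbound' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -Action Allow

# Tier separation: the web server never opens NetBIOS/SMB sessions toward the data-tier VLAN.
New-NetFirewallRule -DisplayName 'Block SMB/NetBIOS to data tier' -Direction Outbound -Protocol TCP `
    -RemotePort 139,445 -RemoteAddress $DataTierSubnet -Action Block

# Audit: list the rules created above so the resulting policy can be reviewed.
Get-NetFirewallRule | Where-Object { $_.DisplayName -like '*DCs only' -or $_.DisplayName -like 'Block SMB*' } |
    Format-Table DisplayName, Direction, Action, Profile -AutoSize
```

A port scan from anywhere other than the listed domain controllers then sees 137-139 and 445 as filtered, while domain authentication and Group Policy continue to work over the allowed paths.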

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.