To Domain Join or Not

The risk of domain-joining your servers is that if an attacker running a port scanner finds an open NetBIOS port, that server can be compromised, and from it the other servers in the same domain can be reached laterally. Sounds pretty nasty, doesn’t it?

However, this particular risk is easily mitigated by intelligent firewall policies. In fact, domain membership will make the firewall configuration easier and more secure.

Advantages of Domain Membership:

  • Granular user/group access controls for all protocols
  • Full support for user certificate authentication
  • Full support for Group Policy management

Disadvantages of Domain Membership:

  • If your firewall is compromised, your entire domain may be at risk. However, keep in mind that if your firewall is compromised, there is little on your network that is not at risk.

Summary

While ‘security’ concerns are most often cited as the reason to keep servers (IIS servers, DB servers, app servers…) off the domain (i.e. NOT domain-joined), these concerns are old school. With newer firewall technologies, the best practice is actually to domain-join all the servers you need to. Of course, keeping your data tier in its own VLAN, separated from the web tier, is still part of the best practice.
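The two points above, a host firewall that confines NetBIOS/SMB to the hosts that legitimately need it and a web tier that is separated from the data tier, can both be expressed as Windows Firewall rules and, because the servers are domain members, pushed to all of them through one Group Policy object. The script below is an added example and not part of the original post; it uses the built-in NetSecurity cmdlets (Windows Server 2012 and later), and the subnets, port numbers for the application and the GPO name are placeholders you would replace with your own.

```powershell
# Added example (not from the original post). Baseline host-firewall rules
# for a domain-joined server, by tier. All subnets and the GPO name are
# placeholders. Run from an elevated PowerShell session on a domain member.

function Set-TierFirewallBaseline {
    param(
        [Parameter(Mandatory)][ValidateSet('Web','Data')] [string] $Role,
        [string] $DcSubnet   = '10.0.0.0/24',    # placeholder: domain controllers
        [string] $MgmtSubnet = '10.0.1.0/24',    # placeholder: admin jump hosts
        [string] $WebSubnet  = '10.0.10.0/24',   # placeholder: web-tier VLAN
        [string] $GpoName    = ''                # e.g. 'corp.example\Server Firewall Baseline'
    )                                            # empty string = local firewall policy

    # With domain membership the same rule set can be written into a GPO and
    # applied to every member server, instead of being hand-typed on each box.
    $Common = @{ Profile = 'Domain' }
    if ($GpoName) {
        $Session = Open-NetGPO -PolicyStore $GpoName
        $Common['GPOSession'] = $Session
    }

    # 1. Default-deny inbound on the Domain profile; anything not listed below is dropped.
    Set-NetFirewallProfile @Common -DefaultInboundAction Block -DefaultOutboundAction Allow

    # 2. NetBIOS (137-139) and SMB (445): only the domain controllers and the
    #    management subnet may reach them. This is the port the post's
    #    "port scanner" would otherwise find wide open.
    New-NetFirewallRule @Common -DisplayName 'Baseline: SMB/NetBIOS-session from DC+Mgmt' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 `
        -RemoteAddress $DcSubnet,$MgmtSubnet -Action Allow
    New-NetFirewallRule @Common -DisplayName 'Baseline: NetBIOS name/datagram from DC' `
        -Direction Inbound -Protocol UDP -LocalPort 137,138 `
        -RemoteAddress $DcSubnet -Action Allow

    # 3. Remote administration (WinRM 5985/5986, RDP 3389) from the management subnet only.
    New-NetFirewallRule @Common -DisplayName 'Baseline: WinRM/RDP from Mgmt' `
        -Direction Inbound -Protocol TCP -LocalPort 5985,5986,3389 `
        -RemoteAddress $MgmtSubnet -Action Allow

    # 4. Role-specific service port.
    switch ($Role) {
        'Web'  {
            # Web tier: HTTPS from anywhere; it is the only thing exposed beyond the VLANs.
            New-NetFirewallRule @Common -DisplayName 'Baseline: HTTPS inbound' `
                -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
        }
        'Data' {
            # Data tier: the SQL listener (1433 assumed) accepts connections
            # from the web-tier VLAN only, so a foothold elsewhere on the
            # network cannot talk to the database directly.
            New-NetFirewallRule @Common -DisplayName 'Baseline: SQL from web tier only' `
                -Direction Inbound -Protocol TCP -LocalPort 1433 `
                -RemoteAddress $WebSubnet -Action Allow
        }
    }

    if ($GpoName) { Save-NetGPO -GPOSession $Session }
}

function Get-TierFirewallBaseline {
    # Read back the baseline rules with their ports and remote scopes so the
    # result can be checked (or diffed against the intended baseline).
    Get-NetFirewallRule -DisplayName 'Baseline:*' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            LocalPort = ($port.LocalPort -join ',')
            Remote    = ($addr.RemoteAddress -join ',')
        }
    }
}

# Usage on a data-tier server, local policy only:
Set-TierFirewallBaseline -Role Data
Get-TierFirewallBaseline | Format-Table -AutoSize
```

The rules above only apply to the Domain firewall profile, which is exactly the profile a domain-joined server uses when it can see a domain controller; on a stand-alone server the same rules would have to be maintained by hand on each host, which is the configuration burden the post refers to. Passing a GPO name writes the rules into that policy object (via `Open-NetGPO` and `Save-NetGPO`) so they reach every server the GPO is linked to, and `Get-TierFirewallBaseline` gives you something to compare against after the policy has applied.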

Posted by Anuj Varma, Technology Architect.