Domain Joining Windows Servers

IT Discussion
EddieJennings:

      So after my fellow MLs gave me pause about WSUS and suggested using GPO for managing patches for my Windows servers, I'm reminded of something I asked (surprisingly only a year ago) in SpiceWorks about domain joining servers. A year later, I'm a bit wiser, and am ready to explore this again (and have more authority to make infrastructure decisions).

      My hesitation about domain joining the local office servers is based on the fact this would open more ports for attack. However, the servers that are public facing (Spiceworks and the two VMs with IIS) are behind a firewall with NAT, and no ingress traffic would be allowed to them through the firewall that isn't HTTP/HTTPS. So perhaps it would be reasonable to think these servers wouldn't be as susceptible to attacks from the outside world. Since I've never compromised a server before, I'm not sure exactly how an attack would happen and spread over my network simply because a server is domain joined -- other than the fact some kind of malware gets installed that tries to communicate to other devices over X port.

      My hesitation about joining the data center servers (living behind a firewall with NAT) is the same with the added caveat that the connection between those servers and the local office is a site-to-site VPN. If those servers were to be domain joined, perhaps it would be best to have a read-only domain controller at the data center site.

      On the other hand, we've got by without having these servers as a part of a domain; however, I'm wary about simply saying "if it's not broke, don't fix it" or perhaps saying "if it works, why look at something different." No time like the present to start improving infrastructure.

      Below are the servers in question, should you want to opine about the merits and flaws of domain-joining your Windows servers.

      Local Office
      All workstations are domain-joined.
      Two physical servers

      • Sage server (is also a domain controller, DHCP, and print server) -- soon to become a VM and will only be the Sage server, no other roles
      • Hyper-V 2016 server (domain-joined)*
        1. Domain controller VM (has FSMO roles, is also a file server, NPS, and CA)
        2. Spiceworks VM
        3. Windows Server 2012 R2 VM (mimics production IIS server)
        4. Windows Server 2012 R2 VM (mimics production SQL server)
        5. Windows Server 2012 R2 VM (mimics production REDIS server)
  6. Windows Server 2012 R2 VM (used as a demo site, has IIS / SQL / REDIS on it)
        7. Windows 7 VM
        8. CentOS 7 VM (wiki)
          *only the hypervisor and the DC VM are a part of the domain.

      Data Center
      Physical Servers (yes, you're reading right, few VMs -- decisions made before my rise to power)

      • Server 2012 R2 (IIS server)
      • Server 2012 R2 (SQL server)
      • Server 2012 R2 with Hyper-V role installed
        1. On the physical server itself Yosemite backup server is running
        2. Server 2012 R2 VM (REDIS)
        3. Ubuntu Server VM (Postfix)
coliver:

        Wait... so nothing is part of the domain in your environment? Only the domain controller and the Hyper-V host?

EddieJennings (replying to @coliver):

@coliver said in Domain Joining Windows Servers:

          Wait... so nothing is part of the domain in your environment? Only the domain controller and the Hyper-V host?

The workstations are, as is the Sage server / 2nd DC. But correct, nothing else is, and methinks, despite the hesitation, that needs to change.

coliver:

            Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.

            I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.

Dashrender:

Wow - I've rarely seen someone have so many servers not be domain joined.

              WSUS wouldn't really help you in your current setup (at least not normally). WSUS is typically applied to devices through GPO. Since those servers are in AD, they don't have GPO. So you could manually put the WSUS info in, and those servers I guess could get managed by WSUS, I've never tried.

              The biggest reason to not domain join them in my mind, is personal security, not hacker security. i.e. your domain admins aren't allowed to access the box.
              Assuming they are - I'd join them up personally.

EddieJennings (replying to @coliver):

@coliver said in Domain Joining Windows Servers:

                Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.

                I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.

                That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.

coliver (replying to @EddieJennings):

@eddiejennings said in Domain Joining Windows Servers:

@coliver said in Domain Joining Windows Servers:

                  Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.

                  I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.

                  That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.

                  I guess I'm not understanding. Why would you open up ports? Your firewall should be closed to all inbound connections and you should approve things as they come up. Is your network wide open?

EddieJennings (replying to @Dashrender):

@dashrender said in Domain Joining Windows Servers:

Wow - I've rarely seen someone have so many servers not be domain joined.

                    WSUS wouldn't really help you in your current setup (at least not normally). WSUS is typically applied to devices through GPO. Since those servers are in AD, they don't have GPO. So you could manually put the WSUS info in, and those servers I guess could get managed by WSUS, I've never tried.

                    The biggest reason to not domain join them in my mind, is personal security, not hacker security. i.e. your domain admins aren't allowed to access the box.
                    Assuming they are - I'd join them up personally.

                    Yeah, considering WSUS made me take a step back and ask "Why am I still following the design of [insert predecessor] and keeping these machines off the domain?"

Dashrender (replying to @EddieJennings):

@eddiejennings said in Domain Joining Windows Servers:

                      Yeah, considering WSUS made me take a step back and ask "Why am I still following the design of [insert predecessor] and keeping these machines off the domain?"

Right. Again, there can be reasons to not put them on the domain, but look at all the big deployments - I know you can't really - they do domain join everything they can. Using AD as the central authentication, along with the AD suite, is one of the major advantages of the MS ecosystem (of course, nix also has these features/functions). Not domain joining just makes everything an island.

EddieJennings (replying to @coliver):

@coliver said in Domain Joining Windows Servers:

@eddiejennings said in Domain Joining Windows Servers:

@coliver said in Domain Joining Windows Servers:

                        Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.

                        I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.

                        That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.

                        I guess I'm not understanding. Why would you open up ports? Your firewall should be closed to all inbound connections and you should approve things as they come up. Is your network wide open?

                        The opening of ports refers to the servers themselves, not the firewall. A non-domain joined server isn't going to be listening for traffic on X ports that would be open on a server that's part of a domain.

Dashrender (replying to @EddieJennings):

@eddiejennings said in Domain Joining Windows Servers:

@coliver said in Domain Joining Windows Servers:

@eddiejennings said in Domain Joining Windows Servers:

@coliver said in Domain Joining Windows Servers:

                          Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.

                          I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.

                          That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.

                          I guess I'm not understanding. Why would you open up ports? Your firewall should be closed to all inbound connections and you should approve things as they come up. Is your network wide open?

                          The opening of ports refers to the servers themselves, not the firewall. A non-domain joined server isn't going to be listening for traffic on X ports that would be open on a server that's part of a domain.

                          This is true, but these ports are pretty locked down just like port 80 and 443 are locked down. Short of finding a vulnerability, there's not that much to worry about. Of course, don't have open ports just to have open ports either.

coliver:

                            IIRC, and it's been awhile, but I'm pretty sure that LDAP clients reach out to domain servers. So the only thing that would need additional ports open would be the domain controller, which already has those ports open. The only ones that need to be opened are 389 and maybe 636 if you're doing LDAPS.

EddieJennings (replying to @coliver):

@coliver said in Domain Joining Windows Servers:

                              IIRC, and it's been awhile, but I'm pretty sure that LDAP clients reach out to domain servers. So the only thing that would need additional ports open would be the domain controller, which already has those ports open. The only ones that need to be opened are 389 and maybe 636 if you're doing LDAPS.

                              Which is further drawing into question my hesitations of the past, and I'd of course not have domain controllers receiving any traffic from the outside world that doesn't travel over some kind of tunnel.

scottalanmiller (replying to @EddieJennings):

@eddiejennings said in Domain Joining Windows Servers:

                                So after my fellow MLs gave me pause about WSUS and suggested using GPO for managing patches for my Windows servers...

                                I'd look at Salt or Ansible for this. Or wait for Sodium, as they plan to do it.

scottalanmiller:

                                  No need to domain join Spiceworks. You could just leave that out.

scottalanmiller (replying to @EddieJennings):

@eddiejennings said in Domain Joining Windows Servers:

@coliver said in Domain Joining Windows Servers:

@eddiejennings said in Domain Joining Windows Servers:

@coliver said in Domain Joining Windows Servers:

                                    Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.

                                    I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.

                                    That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.

                                    I guess I'm not understanding. Why would you open up ports? Your firewall should be closed to all inbound connections and you should approve things as they come up. Is your network wide open?

                                    The opening of ports refers to the servers themselves, not the firewall. A non-domain joined server isn't going to be listening for traffic on X ports that would be open on a server that's part of a domain.

                                    A domain joined one isn't either. AD does not reach out to clients. The clients reach out to the servers, and the servers are already opened up.

scottalanmiller (replying to @coliver):

@coliver said in Domain Joining Windows Servers:

                                      IIRC, and it's been awhile, but I'm pretty sure that LDAP clients reach out to domain servers. So the only thing that would need additional ports open would be the domain controller, which already has those ports open. The only ones that need to be opened are 389 and maybe 636 if you're doing LDAPS.

                                      Correct, the clients do not "listen" in any way.

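A way to settle the listening-port question for a specific server rather than by recollection, added here as an example and not code from any poster: snapshot the listeners and firewall posture before the join, then rerun after joining and rebooting to see what actually changed. The baseline file path is a constructed placeholder.

```powershell
# Added example: compare listening ports and firewall posture before/after domain join.
function Get-ListenerSnapshot {
    # One row per listening socket, with the owning process name for context.
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{
            Proto   = 'TCP'
            Port    = $_.LocalPort
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto   = 'UDP'
            Port    = $_.LocalPort
            Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        }
    }
    @($tcp) + @($udp) | Sort-Object Proto, Port, Process -Unique
}

$Baseline = 'C:\Temp\listeners-before-join.xml'   # constructed path; any writable location works

if (-not (Test-Path $Baseline)) {
    # First run: record the pre-join state, then join the domain, reboot and run again.
    Get-ListenerSnapshot | Export-Clixml -Path $Baseline
    Write-Output "Baseline written to $Baseline. Join the domain, reboot, then rerun this script."
    return
}

# Second run: anything marked NEW is a listener that appeared after the join.
$before = Import-Clixml -Path $Baseline
$after  = Get-ListenerSnapshot
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Proto, Port, Process |
    Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'NEW' } else { 'GONE' } } },
                  Proto, Port, Process |
    Format-Table -AutoSize

# What usually changes on join is not the listener set but the classification of the network:
# it becomes DomainAuthenticated, so the Domain firewall profile and any GPO-delivered
# inbound allow rules are what apply. Review those rather than the socket list alone.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Domain|Any' } |
    Select-Object DisplayName, Profile, PolicyStoreSourceType |
    Sort-Object DisplayName | Format-Table -AutoSize
```

Run it elevated; the PolicyStoreSourceType column shows whether an inbound allow rule came from local configuration or from Group Policy.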
Obsolesce:

Seems odd you'd have the least secure systems on the domain, the client computers... and not have the most secure systems on the domain, the servers. With your DC and hypervisor being on the domain, how many times have those been compromised? Do you not update your servers? Do they all have internet access?

EddieJennings (replying to @Obsolesce):

@tim_g said in Domain Joining Windows Servers:

Seems odd you'd have the least secure systems on the domain, the client computers... and not have the most secure systems on the domain, the servers. With your DC and hypervisor being on the domain, how many times have those been compromised? Do you not update your servers? Do they all have internet access?

                                          1. To my knowledge they haven't been.
                                          2. No. All servers receive Windows updates.
                                          3. Yes.

                                          And I agree, this is odd. This, and so many other things, are being fixed one bite at a time.

Jimmy9008 (replying to @EddieJennings):

@eddiejennings said in Domain Joining Windows Servers:

@tim_g said in Domain Joining Windows Servers:

Seems odd you'd have the least secure systems on the domain, the client computers... and not have the most secure systems on the domain, the servers. With your DC and hypervisor being on the domain, how many times have those been compromised? Do you not update your servers? Do they all have internet access?

                                            1. To my knowledge they haven't been.
                                            2. No. All servers receive Windows updates.
                                            3. Yes.

                                            And I agree, this is odd. This, and so many other things, are being fixed one bite at a time.

                                            Set your firewall to drop outbound traffic from servers that don't need Internet access. Point those servers to a local WSUS server for updates. Allow the WSUS server to get out to Internet. You can set local policy and point servers to WSUS, if they aren't domain joined. That way, servers can be updated but lower attack vector as they cannot get online.

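The local-policy WSUS pointing and outbound block that Jimmy9008 describes (and the manual WSUS setup Dashrender mentions earlier), written out as an added PowerShell example that is not from the thread. The WSUS URL and internal address ranges are constructed placeholders, and the blocking is done on the host's own Windows Firewall rather than the perimeter device, which is an assumption; the registry keys are the same ones the WSUS Group Policy settings write.

```powershell
# Added example: point a non-domain-joined 2012 R2 server at WSUS via local policy
# and drop its outbound traffic to anything except internal networks.
$WsusUrl      = 'http://wsus.corp.example:8530'        # constructed; your WSUS server URL
$InternalNets = @('10.0.0.0/8', '192.168.0.0/16')      # constructed; office + data-center ranges

# 1. Local policy for Windows Update. These keys are what the
#    "Specify intranet Microsoft update service location" GPO writes.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $wu, $au -Force | Out-Null
Set-ItemProperty -Path $wu -Name WUServer              -Value $WsusUrl -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer        -Value $WsusUrl -Type String
Set-ItemProperty -Path $au -Name UseWUServer           -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate          -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions             -Value 4 -Type DWord   # auto download, scheduled install
Set-ItemProperty -Path $au -Name ScheduledInstallDay   -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $au -Name ScheduledInstallTime  -Value 3 -Type DWord   # 03:00 local

Restart-Service -Name wuauserv
# Force a fresh check-in with the new server (2012 R2-era client command).
wuauclt.exe /resetauthorization /detectnow

# 2. Host firewall: allow outbound only to internal ranges (WSUS, DNS, DCs live there),
#    then make "block" the default for everything else on every profile.
New-NetFirewallRule -DisplayName 'Allow outbound to internal networks' `
    -Direction Outbound -Action Allow -RemoteAddress $InternalNets -Profile Any | Out-Null
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 3. Verify: WSUS reachable, the Internet not.
Test-NetConnection -ComputerName 'wsus.corp.example' -Port 8530        # expect TcpTestSucceeded True
Test-NetConnection -ComputerName 'download.windowsupdate.com' -Port 80 # expect TcpTestSucceeded False
```

Once the server is later domain-joined, the same keys can be delivered by GPO instead and the local values removed, so there is one source of truth for update settings.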