Domaing Joining Windows Servers
-
Wait... so nothing is part of the domain in your environment? Only the domain controller and the Hyper-V host?
-
@coliver said in Domaing Joining Windows Servers:
Wait... so nothing is part of the domain in your environment? Only the domain controller and the Hyper-V host?
The workstations are as is the Sage server / 2nd DC. But correct nothing else is and methinks despite the hesitation, that needs to change.
-
Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.
I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.
-
Wow - I've rarely seen someone have so many server not be domain joined.
WSUS wouldn't really help you in your current setup (at least not normally). WSUS is typically applied to devices through GPO. Since those servers are in AD, they don't have GPO. So you could manually put the WSUS info in, and those servers I guess could get managed by WSUS, I've never tried.
The biggest reason to not domain join them in my mind, is personal security, not hacker security. i.e. your domain admins aren't allowed to access the box.
Assuming they are - I'd join them up personally. -
@coliver said in Domaing Joining Windows Servers:
Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.
I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.
That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.
-
@eddiejennings said in Domaing Joining Windows Servers:
@coliver said in Domaing Joining Windows Servers:
Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.
I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.
That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.
I guess I'm not understanding. Why would you open up ports? Your firewall should be closed to all inbound connections and you should approve things as they come up. Is your network wide open?
-
@dashrender said in Domaing Joining Windows Servers:
Wow - I've rarely seen someone have so many server not be domain joined.
WSUS wouldn't really help you in your current setup (at least not normally). WSUS is typically applied to devices through GPO. Since those servers are in AD, they don't have GPO. So you could manually put the WSUS info in, and those servers I guess could get managed by WSUS, I've never tried.
The biggest reason to not domain join them in my mind, is personal security, not hacker security. i.e. your domain admins aren't allowed to access the box.
Assuming they are - I'd join them up personally.Yeah, considering WSUS made me take a step back and ask "Why am I still following the design of [insert predecessor] and keeping these machines off the domain?"
-
@eddiejennings said in Domaing Joining Windows Servers:
Yeah, considering WSUS made me take a step back and ask "Why am I still following the design of [insert predecessor] and keeping these machines off the domain?"
Right, Again there can be reasons to not put them on the domain, but look at all the big deployments - I know you can't really - they do domain join everything they can. Using AD as the central authentication, along with the AD suite is one of the major advantages of the MS ecosystem (of course, nix also has these features/functions). Not domain joining just makes everything an island.
-
@coliver said in Domaing Joining Windows Servers:
@eddiejennings said in Domaing Joining Windows Servers:
@coliver said in Domaing Joining Windows Servers:
Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.
I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.
That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.
I guess I'm not understanding. Why would you open up ports? Your firewall should be closed to all inbound connections and you should approve things as they come up. Is your network wide open?
The opening of ports refers to the servers themselves, not the firewall. A non-domain joined server isn't going to be listening for traffic on X ports that would be open on a server that's part of a domain.
-
@eddiejennings said in Domaing Joining Windows Servers:
@coliver said in Domaing Joining Windows Servers:
@eddiejennings said in Domaing Joining Windows Servers:
@coliver said in Domaing Joining Windows Servers:
Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.
I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.
That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.
I guess I'm not understanding. Why would you open up ports? Your firewall should be closed to all inbound connections and you should approve things as they come up. Is your network wide open?
The opening of ports refers to the servers themselves, not the firewall. A non-domain joined server isn't going to be listening for traffic on X ports that would be open on a server that's part of a domain.
This is true, but these ports are pretty locked down just like port 80 and 443 are locked down. Short of finding a vulnerability, there's not that much to worry about. Of course, don't have open ports just to have open ports either.
-
IIRC, and it's been awhile, but I'm pretty sure that LDAP clients reach out to domain servers. So the only thing that would need additional ports open would be the domain controller, which already has those ports open. The only ones that need to be opened are 389 and maybe 636 if you're doing LDAPS.
-
@coliver said in Domaing Joining Windows Servers:
IIRC, and it's been awhile, but I'm pretty sure that LDAP clients reach out to domain servers. So the only thing that would need additional ports open would be the domain controller, which already has those ports open. The only ones that need to be opened are 389 and maybe 636 if you're doing LDAPS.
Which is further drawing into question my hesitations of the past, and I'd of course not have domain controllers receiving any traffic from the outside world that doesn't travel over some kind of tunnel.
-
@eddiejennings said in Domaing Joining Windows Servers:
So after my fellow MLs gave me pause about WSUS and suggested using GPO for managing patches for my Windows servers...
I'd look at Salt or Ansible for this. Or wait for Sodium, as they plan to do it.
-
No need to domain join Spiceworks. You could just leave that out.
-
@eddiejennings said in Domaing Joining Windows Servers:
@coliver said in Domaing Joining Windows Servers:
@eddiejennings said in Domaing Joining Windows Servers:
@coliver said in Domaing Joining Windows Servers:
Yes, it should probably change. Central authentication/authorization is one of the key components of Active Directory (or LDAP). You'll be able to work with Group Policies, etc, etc. You will even have a decent password management platform.
I really can't think of a single reason, outside of maybe internet facing servers (and then it's a stretch), that you wouldn't join your servers to the domain.
That's why I linked the question from a year ago on SW. Now that I think about it, if I have good control over the traffic coming into my network from the Internet, it seems the opening of the ports necessary for AD isn't really a problem.
I guess I'm not understanding. Why would you open up ports? Your firewall should be closed to all inbound connections and you should approve things as they come up. Is your network wide open?
The opening of ports refers to the servers themselves, not the firewall. A non-domain joined server isn't going to be listening for traffic on X ports that would be open on a server that's part of a domain.
A domain joined one isn't either. AD does not reach out to clients. The clients reach out to the servers, and the servers are already opened up.
-
@coliver said in Domaing Joining Windows Servers:
IIRC, and it's been awhile, but I'm pretty sure that LDAP clients reach out to domain servers. So the only thing that would need additional ports open would be the domain controller, which already has those ports open. The only ones that need to be opened are 389 and maybe 636 if you're doing LDAPS.
Correct, the clients do not "listen" in any way.
-
Seems odd you'd have the least secure systems on the domain, the client computers... and not have the most secure systems on the domain, the servers. With your DC and hypervisor being on the domain, how many times have those been compromised? Do you not update your servers? Do they all have internet access
-
@tim_g said in Domaing Joining Windows Servers:
Seems odd you'd have the least secure systems on the domain, the client computers... and not have the most secure systems on the domain, the servers. With your DC and hypervisor being on the domain, how many times have those been compromised? Do you not update your servers? Do they all have internet access
- To my knowledge they haven't been.
- No. All servers receive Windows updates.
- Yes.
And I agree, this is odd. This, and so many other things, are being fixed one bite at a time.
-
@eddiejennings said in Domaing Joining Windows Servers:
@tim_g said in Domaing Joining Windows Servers:
Seems odd you'd have the least secure systems on the domain, the client computers... and not have the most secure systems on the domain, the servers. With your DC and hypervisor being on the domain, how many times have those been compromised? Do you not update your servers? Do they all have internet access
- To my knowledge they haven't been.
- No. All servers receive Windows updates.
- Yes.
And I agree, this is odd. This, and so many other things, are being fixed one bite at a time.
Set your firewall to drop outbound traffic from servers that don't need Internet access. Point those servers to a local WSUS server for updates. Allow the WSUS server to get out to Internet. You can set local policy and point servers to WSUS, if they aren't domain joined. That way, servers can be updated but lower attack vector as they cannot get online.
