sunhux
To join or not to join AD: considerations & best practice

What's the best cyber practice for Windows servers in DMZ: to be member of
AD/domain or to be non-member?

SWIFT & a couple of consultants recommended standalone as deemed more
secure (can't recall the reason) & even recommended a dedicated AD for the few
critical servers.  Audit recommended that for such standalone servers we use 2FA
(with OTP) for users who need to access the local Windows accounts of these
standalone servers, as it is hard to enforce various local password policies (which
sysadmins could bypass).

In terms of enforcing hardenings/compliance (like in our case, we block
browsers from being used to access the Internet from servers, as well as CIS
hardenings), I felt that joining the domain or being controlled by GPO is better.

Q1:
Was told by Wintel admins that WSUS can't push patches to non-members
of AD.  Is this correct?

Q2:
So to join AD or don't join?  Which of the 2 is best practice?  In our case,
we can't afford to have one pair of DC/AD server in DMZ & another pair
in the internal zone.

Q3:
What are the considerations for & against besides what I've listed above?
Was told that a PAM solution like CyberArk will require joining as a member: is
it simply for single sign-on?

Q4:
A previous Wintel admin once told me that to enable Windows clustering,
both cluster members must be members of the same domain: this is one
consideration, though for taking backups & AV, standalone servers are
well supported by the various backup (Veeam) & AV solutions.
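On Q1: WSUS clients are configured through the WindowsUpdate policy registry values, which a GPO normally writes but which can equally be set locally, so domain membership is not a prerequisite. The PowerShell below is an added example (not taken from any answer in this thread) that points a standalone server at a WSUS server and verifies the result; the WSUS URL and the target-group name are placeholders to replace with your own.

```powershell
# Added example: configure a non-domain-joined Windows server to use WSUS by
# writing the same registry-backed policy values a GPO would set.
#Requires -RunAsAdministrator
$WsusUrl     = 'https://wsus.example.internal:8531'   # placeholder: your WSUS server URL
$TargetGroup = 'DMZ-Servers'                           # placeholder: client-side targeting group

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Au   = Join-Path $Base 'AU'
foreach ($Key in @($Base, $Au)) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
}

# Intranet update and statistics server, plus client-side targeting so the
# DMZ servers land in their own WSUS group with its own approvals.
Set-ItemProperty -Path $Base -Name 'WUServer'           -Value $WsusUrl     -Type String
Set-ItemProperty -Path $Base -Name 'WUStatusServer'     -Value $WsusUrl     -Type String
Set-ItemProperty -Path $Base -Name 'TargetGroupEnabled' -Value 1            -Type DWord
Set-ItemProperty -Path $Base -Name 'TargetGroup'        -Value $TargetGroup -Type String

# Use the intranet server instead of public Windows Update; auto-download and
# install on a schedule (AUOptions 4), every day (0) at 03:00.
Set-ItemProperty -Path $Au -Name 'UseWUServer'          -Value 1 -Type DWord
Set-ItemProperty -Path $Au -Name 'NoAutoUpdate'         -Value 0 -Type DWord
Set-ItemProperty -Path $Au -Name 'AUOptions'            -Value 4 -Type DWord
Set-ItemProperty -Path $Au -Name 'ScheduledInstallDay'  -Value 0 -Type DWord
Set-ItemProperty -Path $Au -Name 'ScheduledInstallTime' -Value 3 -Type DWord

# Restart the Windows Update service so it reads the new policy, then trigger
# a detection cycle against the WSUS server.
Restart-Service -Name wuauserv -Force
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()

# Verify the effective configuration: WUServer must show the WSUS URL and
# UseWUServer must be 1, otherwise the client still talks to Windows Update.
Get-ItemProperty -Path $Base | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty -Path $Au   | Select-Object UseWUServer, AUOptions
```

The server should appear in the WSUS console under the configured target group after the first detection; if it does not, the URL, port and firewall path from the DMZ to the WSUS server are the first things to check.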
SOLUTION
Cliff Galiher
This solution is only available to members.
sunhux (ASKER)
> Q2 - Don't ...if you need to Join, then create separate OU with very restricted policy
The above sounds good, offering a solution that addresses both in that we can
enforce the hardenings on the DMZ servers as well.


We have SMTP servers, web (IIS, Apache, Tomcat) servers, SMS/messaging appliances,
ClamAV signature mirror, webapp (Weblogic) in the DMZ
sunhux (ASKER)
> ... separate OU with very restricted policy
Can you elaborate on what to set in the restricted policy?