Don't fear the Domain
This month has been packed with Windows servers not wanting to go in the Windows domain. Telephony servers, firewall management. And every time, the reason given is: it's more secure.
This reason is bollocks.
I can see the psychological justification: it feels like you are mixing your security sensitive servers with the common run. There is a sensation of "taint". But every time, it comes down to this: Domain membership lets domain admins do what they want with it.
The simple answer to this is that if you don't trust your domain admins you have your domain management wrong. And, more importantly, if you have more than one admin, the weakening of control caused by the shared user that will be used on the non-domain system substantially outweighs the possibility of a rogue assigning rights improperly. Let's be clear:
Not a Domain Member = Anonymous User IDs
Do you still want to be out of the domain. Really, what's possibly worse or less controlled than a shared user? Nothing!
The real agenda is designer/programmer laziness. If you don't plan to be in the domain, you can say that it doesn't matter if you run as an admin, so you don't have to worry about permissioning, you don't have to engage with Windows management and the whole thing becomes very much more like DOS. Which is of course what all programmers want.
There are still reasons to leave a server out of your production domain.
- Because it is especially exposed to compromise. Servers in the DMZ might fall into this category. This is why we put application proxies of various sorts, in the DMZ, in front of domain member servers which are inside the firewall.
- In theory, because the hardening requirements are incompatible with domain management. But if so, why are you running Windows?
- Because, by design, this is not an area for your administrator team. The only case I've ever seen is retention of administrator access logs, where admin access would rather negate the point.
