Risks of allowing users to join computers to domain


  • Risks of allowing users to join computers to domain

    I think I will ask to get this split off as another topic, as I am interested in what the risks are of allowing users to add machines to a domain.
    On the positive side of things, it would mean the group policy would affect it, domain admins would gain control of it, AV policies could apply, etc.?
    cheers
    Andy

    Please read this before you post:

    Quis custodiet ipsos custodes?

  • #2
    Re: Risks of allowing users to join computers to domain

    Split as requested. Depending on the direction the thread takes, I may move it to Misc later.

    From a discussion at a training course a long time ago (Windows 2000 days), the general opinion was that there is little risk as the PC would come under the scope of domain policies, restricted groups etc as soon as it is joined.

    The other side is that any malware already on it would sneak into the domain "under the radar"
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Risks of allowing users to join computers to domain

      The other "risk" is that there will be local user accounts, at least one of which will be a local admin (in XP) and so able to install other apps. Of course, if you already have Domain Users in the Local Admins group (quite common, particularly for companies that run bespoke apps that need access to obscure registry keys and things) then this is unlikely to be an issue. The Local Accounts can be managed by Domain Admins as well, so you can remove any offending entries.

      Principle of least privilege says it's bad; principle of actually allowing users to do their jobs and keeping your own sanity says it has to be done sometimes.
      BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
      Cruachan's Blog



      • #4
        Re: Risks of allowing users to join computers to domain

        The main question though is, are these company machines or personal machines?

        If they're company machines, then there is much less of a security issue. But then, why is the domain admin not adding the machine to the network?

        If they're personal machines, then do we actually want them on our networks? There are a number of potential minefields:

        • malware on machines not protected by any security products, or "protected" by out-of-date, misconfigured or plain incompetent products (mentioning no brand names)
        • licensing - it is the policy of our organisation that we are to own all licences for any software used for company business. For us, this would mean taking somebody's laptop and installing our own image over the top. It is virtually impossible to tell if the software installed on somebody's computer is legal or not. Illegal software brings with it the risk of malware-infested activation cracks etc.

        This is by no means an exhaustive list, however for me this is easily enough to justify barring users from joining machines onto the domain.
        Gareth Howells

        BSc (Hons), MBCS, MCP, MCDST, ICCE

        Any advice is given in good faith and without warranty.

        Please give reputation points if somebody has helped you.

        "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

        "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



        • #5
          Re: Risks of allowing users to join computers to domain

          Malware can infect your network regardless of whether or not the machine is joined to the domain. As long as it's connected to the physical network there's a risk of it spreading an infection. My concern would be how to restrict machines from connecting to the network rather than what the risks of them joining the domain are. I'd be looking for some type of Network Access Protection mechanism.



          • #6
            Re: Risks of allowing users to join computers to domain

            The risk for me is not really on the security side but mostly on the organizational side.

            After a while, you will get hundreds of computers with names that do not follow the proper naming conventions, are not in the proper OUs, etc.
            VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



            • #7
              Re: Risks of allowing users to join computers to domain

              Originally posted by joeqwerty:
              Malware can infect your network regardless of whether or not the machine is joined to the domain. As long as it's connected to the physical network there's a risk of it spreading an infection. My concern would be how to restrict machines from connecting to the network rather than what the risks of them joining the domain are. I'd be looking for some type of Network Access Protection mechanism.
              Indeed, any machine connected to the network can bring the network down. But if the machine is a member of the domain, then it becomes a "trusted" machine and certainly to me, a compromised domain member is a much greater threat than a compromised device which is not a domain member.

              Unfortunately, given the nature of ethernet, DHCP etc., it is very difficult to secure a network if somebody is able to connect in to it. Wired networks are inherently more secure than wireless in theory because you need to gain physical access. If you work in the building though, then you already have access. It is possible to restrict a DHCP server to only hand out IP addresses to known hosts, but this is not standard behaviour and it is easy enough to assign a static IP instead.

              If you are going to consider allowing users to connect their own machines onto your network, then I would hope that you have looked into the security risks associated with this - 802.1X is a start, as is creating a separate VLAN. There is also the option of "network protection systems" such as Bradford Campus Manager.

              Originally posted by gepeto:
              The risk for me is not really on the security side but mostly on the organizational side.

              After a while, you will get hundreds of computers with names that do not follow the proper naming conventions, are not in the proper OUs, etc.
              Another valid issue. If I add a machine to the domain but do not move it into an OU, it remains in the Computers container which cannot have any GPOs applied to it other than domain level GPOs. Usually therefore this means that only the default domain policy will apply, when I would want a number of OU-specific policies to apply to that machine. And it's not especially helpful when machines don't follow the naming conventions either.
              Last edited by gforceindustries; 28th October 2008, 13:58.
              Gareth Howells


              • #8
                Re: Risks of allowing users to join computers to domain

                You can change the default location for these accounts to be created in, we have a specific locked down OU for this purpose.

                Users may bring in machines without telling anyone so there is always the threat of them being around. With them adding them to the domain there is more chance of control?

                I'm enjoying this thread, discussions are great to find out both sides of arguments.
                cheers
                Andy



                • #9
                  Re: Risks of allowing users to join computers to domain

                  Originally posted by AndyJG247:
                  Users may bring in machines without telling anyone so there is always the threat of them being around.
                  This is true, and is one of the many battles that can't be fought with technical weapons. This is where we bring in...

                  a Policy document

                  Anyone else feel a chill when they read that?
                  Gareth Howells


                  • #10
                    Re: Risks of allowing users to join computers to domain

                    I feel dirty, please delete your post

                    There are quarantine possibilities for blocking unknowns.

                    I suppose I was coming from the angle of "if they do come into the network then users adding them would be better than them not", but I may be missing an important point or two.
                    cheers
                    Andy



                    • #11
                      Re: Risks of allowing users to join computers to domain

                      In the end, why would a user need to join the domain? Wouldn't his PC already be on it if he needed it?

                      It'll get full of people who connected with their home machine to the VPN and thought it was a good idea, or people who formatted their XP Pro to install a w4rez copy of Vista ultimate and need to rejoin the network.

                      IMO the people who can join machines should be:

                      Your desktop support and imaging teams in a "workstation" OU
                      Your domain admins for servers in the other OUs

                      I usually don't even grant sysadmins the right to join machines - just the right to write properties and reset the password so they can disjoin and rejoin an existing one. New servers need to be added by the AD team to ensure proper GPOs are applied from the start with the correct user right assignments from the beginning.
                      VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah
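The controls discussed in #8 (redirecting where new computer accounts land) and #11 (letting only the desktop/imaging team join workstations, and only into their OU) can be applied with the Active Directory PowerShell module. The script below is an added example, not code posted in the thread; the domain, the "Staging" and "Workstations" OUs and the "Desktop-Support" group are assumed names. It also addresses the mechanism behind the original question: by default any authenticated user can join up to 10 machines because the domain attribute ms-DS-MachineAccountQuota is 10, and setting it to 0 removes that implicit right so that only principals with delegated "Create Computer objects" permission can join.

```powershell
# Added example (not from the thread): restrict who can join computers to the
# domain and where the resulting computer objects are created.
# Run as a Domain Admin on a host with the RSAT ActiveDirectory module.
# Domain, OU and group names are assumptions for illustration.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName          # e.g. DC=corp,DC=example (assumed)
$stagingOU = "OU=Staging,$domainDN"             # assumed: locked-down landing OU
$wsOU      = "OU=Workstations,$domainDN"        # assumed: workstation OU
$joinGroup = 'Desktop-Support'                  # assumed: desktop/imaging team group

# 1. Every authenticated user may join up to ms-DS-MachineAccountQuota
#    machines (default 10). Report the current value, then set it to 0 so only
#    explicitly delegated principals can create computer objects.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota: $quota"
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Joins that name no OU land in CN=Computers, a container that cannot have
#    GPOs linked to it. Redirect the default to a locked-down OU instead.
#    redircmp.exe ships with AD DS (needs Windows Server 2003 DFL or later).
$existing = Get-ADOrganizationalUnit -SearchBase $domainDN -SearchScope OneLevel -Filter "Name -eq 'Staging'"
if (-not $existing) {
    New-ADOrganizationalUnit -Name 'Staging' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
redircmp.exe $stagingOU
Write-Host "Default computer container is now: $((Get-ADDomain).ComputersContainer)"

# 3. Delegate on the Workstations OU only: Create Computer objects, plus the
#    rights needed to disjoin/rejoin an existing machine (Reset Password and
#    Write all properties on computer objects under the OU).
$groupSid     = (Get-ADGroup -Identity $joinGroup).SID
$computerGuid = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "computer"
$resetPwdGuid = [Guid] '00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$acl = Get-Acl -Path "AD:\$wsOU"

$rules = @(
    # Create child objects of class computer in the OU and its sub-OUs
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    # Reset Password on descendant computer objects (rejoin to an existing account)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPwdGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerGuid)
    # Write all properties on descendant computer objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerGuid)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$wsOU" -AclObject $acl

# 4. Verify: show the explicit (non-inherited) ACEs now held by the group on the OU.
(Get-Acl -Path "AD:\$wsOU").Access |
    Where-Object { $_.IdentityReference -like "*\$joinGroup" -and -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

With the quota at 0, a user who is not in the delegated group can no longer join a machine at all, and a member of the group can only create the account under the Workstations OU (or whichever OU the join specifies and they have rights on), so the OU-linked GPOs apply from the first boot. The redirect in step 2 is a safety net for joins that still name no OU: they land in a locked-down OU rather than in CN=Computers. Servers, as #11 suggests, are left to the AD team, so no equivalent delegation is created on the server OUs.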
