To Join the Domain or Not Join the Domain, that is The Question

It never ceases to amaze me when I get into it with “packet filter” guys about domain membership. You know, the “hardware” firewall guys who’ve hijacked your network security in the feckless game of “port control” through DMZs and the Internet. The sorry state of affairs these network security guys manqué have created puts our network applications (you know, the stuff we’re actually trying to protect) at serious risk. When I get into application protection discussions with these guys I often think that the inmates are running the asylum.

Here’s the straight dope on domain membership. It’s the preferred configuration and the more secure one. As long as you create an intelligent firewall policy and keep the principle of least privilege at the top of your list, domain membership will make your ISA firewall configuration both easier and more secure. It just doesn’t get any better than that. BTW — I’m talking about real domain membership, not the hork where you create a separate forest for the ISA firewall. When you do that, you lose key security advantages.

Advantages of Domain Membership:

- Granular user/group access controls for all protocols
- Don’t need to create array accounts for intra-array communications
- Results in a more secure deployment
- Full support for user certificate authentication for publishing
- Full support for the Firewall client
- Full support for Microsoft Operations Manager (MOM)
- Full support for Group Policy management
- Array admins can log in from any Active Directory managed machine with remote admin permissions
- MUCH easier to deploy and maintain

Disadvantages of Domain Membership:

- If someone compromises the Active Directory they can own the firewall
  - However, they’ll own everything else too, with the Firewall being the least of your problems
- If the Firewall is owned, the Active Directory may become accessible
  - The ISA firewall has never been compromised to the extent of being owned
  - Attackers don’t try to own firewalls, they try to own services protected by the firewall
- Domain Admins can admin the Firewall
  - If you can’t trust your domain admins, you have bigger problems

Advantages of workgroup membership:

- If the firewall is compromised, the attacker might not be able to get to Active Directory
  - If an attacker can own the firewall, he’ll be able to access the Active Directory whether or not the firewall is a domain member
- Domain admins can’t admin the array
  - If you don’t trust your domain admins, you have bigger problems than this
- If the Active Directory is “owned” the firewall won’t be affected
  - ISA will be the last man standing, while the entire business has gone up in flames – does it really matter at this point?

Disadvantages of workgroup membership:

- Requires a server certificate on the Configuration Storage Server (CSS)
- Requires CA certificates on array members
- Must track certificate status
- Must use RADIUS authentication (slow) or RSA SecurID (expensive)
- On-box accounts required for intra-array communication and management
- No centralized password policy
  - Could become a security or access issue
- Can’t use user certificate authentication for VPN or Web Publishing
- No support for VPN user mapping when users connect from non-Windows VPN clients


Thomas W Shinder, M.D.
MVP — ISA Firewalls
