Risks from standalone machines
Apoli
07-09-2005, 11:53 PM
Hello all,
I have a Windows 2003 Active Directory infrastructure with a single domain.
Some users don't want to join their machines to the domain. There is also a
Linux machine and they all have access to the internet.
I would like to ask if there are any security risks for the domain from the
standalone machines, or if you can suggest some whitepapers that explain why
all machines must be joined to the domain.
Thanks in advance

Roger Abell
07-09-2005, 11:53 PM
There really is no added risk to your domain per se, that is, by virtue of
it being a domain and they being not in it. There may however be added risk
to your networked infrastructure, which includes your domain, compared to
the risk-stance that could result from the machines being under a knowing
central configuration control and OS/software/anti-malware updates.

The main risks from the machines being independent vectors in your
environment might come from the domain accounts available to the frequent
users of those machines (no admin rights in the domain, right?) and from
the visibility of your domain to one of those machines should it become
infected or taken-over and used as a probe on your network.

The exact situation depends on the circumstances of your network implementation.
It is possible that having such machines inside your firewall is potentially
the same as placing your domain machines directly on the internet - possible.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
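Roger's main concern above is domain accounts being used from machines the domain does not manage. One defender-side check for that, as an added example that is not part of the thread: correlate the source workstation of each domain-account logon against the list of computer accounts that actually exist in the domain. All host names, user names, addresses and the flattened event format below are constructed for this example.

```python
import re

# Constructed sample data: NetBIOS names of the domain's computer accounts,
# as you would export them from AD (hypothetical names, not from the thread).
DOMAIN_NAME = "CORP"
DOMAIN_COMPUTERS = {"DC01", "WS-FINANCE01", "WS-SALES02"}

# Constructed logon events in a flattened key=value form loosely modelled on
# Windows security logon-auditing fields; every value is made up.
SAMPLE_EVENTS = [
    "LogonType=3 TargetDomainName=CORP TargetUserName=apoli WorkstationName=WS-FINANCE01 IpAddress=10.0.0.21",
    "LogonType=3 TargetDomainName=CORP TargetUserName=apoli WorkstationName=LAPTOP-BOB IpAddress=10.0.0.77",
    "LogonType=3 TargetDomainName=CORP TargetUserName=jsmith WorkstationName=LINUXBOX IpAddress=10.0.0.90",
    "LogonType=3 TargetDomainName=CORP TargetUserName=WS-SALES02$ WorkstationName=WS-SALES02 IpAddress=10.0.0.22",
    "LogonType=3 TargetDomainName=CORP TargetUserName=apoli WorkstationName=- IpAddress=10.0.0.77",
    "LogonType=3 TargetDomainName=LAPTOP-BOB TargetUserName=bob WorkstationName=LAPTOP-BOB IpAddress=10.0.0.77",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def unmanaged_logons(events, domain_computers, domain_name=DOMAIN_NAME):
    """Return (user, workstation, ip) for every domain-account logon whose
    source workstation has no computer account in the domain.

    Local-account logons (TargetDomainName is the machine itself) are skipped
    because they cannot reach domain resources, as are computer accounts
    (names ending in '$') logging themselves on. A WorkstationName of '-'
    (unknown) is reported, since the source cannot be matched to a managed host."""
    managed = {name.upper() for name in domain_computers}
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("TargetDomainName", "").upper() != domain_name.upper():
            continue
        if ev.get("TargetUserName", "").endswith("$"):
            continue
        workstation = ev.get("WorkstationName", "-").upper()
        if workstation not in managed:
            findings.append((ev["TargetUserName"], workstation, ev.get("IpAddress", "?")))
    return findings


if __name__ == "__main__":
    for user, ws, ip in unmanaged_logons(SAMPLE_EVENTS, DOMAIN_COMPUTERS):
        print(f"domain account {user} used from unmanaged host {ws} ({ip})")
```

In a real deployment the computer list comes from the directory and the events from the domain controllers' security logs; the three hits this sample produces are the two non-domain hosts and the logon with an unknown source name.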

Lil' Dave
07-09-2005, 11:53 PM
A standalone machine has no access to any network, thus the word
"standalone". The internet is a form of network; therefore, a machine capable
of connecting to the internet is not standalone.


Paul Adare
07-09-2005, 11:53 PM
In article <eUX2t7fZFHA.796@TK2MSFTNGP09.phx.gbl>, in the
microsoft.public.security news group, Lil' Dave <spamyourself@virus.net>
says...

> A standalone machine has no access to any network, thus the word
> "standalone". The internet is a form of network, therefore, if capable of
> connecting to the internet, is not standalone.

No, in this case standalone is used to refer to a computer that does not
have an account in Active Directory, not one that does not have a
network connection at all.


--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea

Steven L Umbach
07-09-2005, 11:53 PM
It is interesting that the users have a choice. A domain will allow
consistent management of the computers and users including the ability to
audit domain computer access, enforce a password policy, enforce security
policy, and allow the implementation of ipsec if needed to encrypt sensitive
network traffic. I would certainly prefer that the computers be domain
members assuming there is not a good business reason to leave a computer in
a workgroup such as for isolation from any domain member including domain
administrators due to sensitive nature of data on the computer or user [big
boss, etc]. It is much easier for instance if all the computers are a member
of the domain to make sure they all have Automatic Updates configured to
keep the computers current with critical security updates via Group Policy.
If the users have to be local administrators, the advantage of being joined
to a domain decreases quite a bit as they have the power to reconfigure the
computer anyway or even unjoin it from the domain. --- Steve


Apoli
07-09-2005, 11:53 PM
You are right Paul.
What I mean as "standalone" machine is that this computer is not a member of
the Active Directory Infrastructure.
Thank you all for your answers.

"Paul Adare" wrote:

> In article <eUX2t7fZFHA.796@TK2MSFTNGP09.phx.gbl>, in the
> microsoft.public.security news group, Lil' Dave <spamyourself@virus.net>
> says...
>
> > A standalone machine has no access to any network, thus the word
> > "standalone". The internet is a form of network, therefore, if capable of
> > connecting to the internet, is not standalone.
>
> No, in this case standalone is used to refer to a computer that does not
> have an account in Active Directory, not one that does not have a
> network connection at all.
