Should Windows Web Servers be members of an Active Directory Domain

In terms of security and manageability - What is best practice?

Should web servers

  • Be added to and managed from an Active Directory domain

or

  • Be part of a 'web server' workgroup that is separate from the 'resource server' active directory?

There is no requirement for there to be user accounts on the web servers, only management accounts (server management, system reporting, content deployment etc.)


If you want to use Kerberos delegation to build a secure infrastructure (and YOU DO) you will need to join those Web servers to the domain. The web server (or service account) will need the ability to delegate assigned to it in order to allow user impersonation against your SQL server.

You probably want to stay away from using SQL-based authentication on the SQL server if you have any auditing or statutory requirements for tracking data access (HIPAA, SOX, etc.). You should be tracking access through your provisioning process (i.e. who is in what groups, how that was approved, and by whom) and all access to data should be through a user's assigned account.

For DMZ issues related to accessing the AD, you can resolve some of that with Server 2008 using a Read-Only DC (RODC), but there is still risk with deploying into the DMZ. There are also some ways to force a DC to use specific ports to punch through a firewall, but this type of customization can make it difficult to troubleshoot authentication problems.

If you have specific needs to allow both Internet and Intranet users access to the same application you might need to look into using one of the Federated Services products, either the Microsoft offering or something like Ping Federated.
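
The delegation setup described in the answer above, written out as an added PowerShell example (this is not code from the answer's author). It assumes a domain corp.example.com, a web server WEB01 whose IIS application pool runs as the domain account CORP\svc-webapp, and a SQL server SQL01 with a default instance on TCP 1433; all of those names are placeholders. It configures constrained delegation (to the SQL SPN only) rather than unconstrained delegation, and ends with a query that lists every account in the domain that can delegate, which is the check you want to run periodically.

```powershell
# Added example, not part of the original answer. Assumed (placeholder) names:
#   domain        corp.example.com
#   web server    WEB01, IIS app pool identity CORP\svc-webapp
#   SQL server    SQL01, default instance on TCP 1433
# Run steps 1-3 and 5 on a management host with the ActiveDirectory module
# as a domain admin; run step 4 on WEB01 itself.
Import-Module ActiveDirectory

$Domain     = 'corp.example.com'
$SvcAccount = 'svc-webapp'
$WebHost    = 'web01'
$SqlSpn     = "MSSQLSvc/sql01.${Domain}:1433"

# 1. Register HTTP SPNs on the service account so browsers negotiate Kerberos
#    instead of falling back to NTLM. 'setspn -S' refuses to create a duplicate SPN,
#    and a duplicate SPN silently breaks Kerberos for both services.
setspn -S "HTTP/$WebHost.$Domain" $SvcAccount
setspn -S "HTTP/$WebHost"        $SvcAccount

# 2. Constrained delegation: the service account may present the caller's identity
#    ONLY to the service named in msDS-AllowedToDelegateTo (the SQL server).
Set-ADUser -Identity $SvcAccount -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

# Deliberately NOT done: unconstrained delegation. It would let a compromised web
# server hold and replay every caller's TGT against any service in the forest.
#   Set-ADAccountControl -Identity $SvcAccount -TrustedForDelegation $true

# 3. Harden the service account itself: its own ticket may not be delegated
#    onward, and it uses AES rather than RC4 for Kerberos.
Set-ADUser -Identity $SvcAccount -AccountNotDelegated $true `
    -KerberosEncryptionType AES128,AES256

# 4. On WEB01: Windows authentication on, and tickets decrypted with the
#    app pool account's key (required when the pool runs as a domain account).
& "$env:windir\system32\inetsrv\appcmd.exe" set config 'Default Web Site' `
    /section:system.webServer/security/authentication/windowsAuthentication `
    /enabled:true /useAppPoolCredentials:true /commit:apphost

# 5. Audit: every principal with unconstrained delegation (userAccountControl
#    bit 0x80000 = TRUSTED_FOR_DELEGATION) or a constrained delegation list.
#    Anything unconstrained other than the domain controllers is a finding.
Get-ADObject -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))' `
    -Properties samAccountName, msDS-AllowedToDelegateTo, userAccountControl |
    Select-Object samAccountName,
        @{ n = 'Unconstrained'; e = { [bool]($_.userAccountControl -band 0x80000) } },
        @{ n = 'AllowedTo';     e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Step 2 is what makes the "impersonation against your SQL server" in the answer work: SQL Server sees the end user's account, so its audit trail records the real user rather than a shared SQL login. If the application must also accept users who did not arrive with a Kerberos ticket (forms or certificate logons), the account additionally needs protocol transition (`Set-ADAccountControl -TrustedToAuthForDelegation $true`), which widens what a compromised web server can do and should be a conscious decision.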


Internal use, absolutely. That way they get managed by GPO, patching isn't as difficult, and monitoring can be accomplished without a bunch of workarounds.

In the DMZ, generally I'd advise no, they should not be on the DMZ. If they are on the domain and in the DMZ, the issue that you run into is that the web server must have certain connectivity back to at least one DC. Therefore, if an external attacker compromises the web server, he or she can now directly launch attacks against one of the DCs. Own the DC, own the domain. Own the domain, own the forest.


Why not have a Webserver's Domain in the DMZ?

It could be a separate forest with a one way trust relationship to administer the domain from your main domain without giving any permission to the WS's domain for your main domain.

All the joys of AD/WSUS/GPO - especially useful if you have a whole farm of them - and if it's compromised it's not your main network.
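
The separate-forest design in the answer above, as an added PowerShell example (not code from the answer's author). It assumes an internal forest corp.example.com, a DMZ web forest dmz.example.net whose web servers sit under OU=WebServers, and an internal group CORP\DMZ-WebAdmins; all are placeholder names. It creates the one-way trust in the direction the answer describes (the DMZ forest trusts the internal forest, never the reverse), turns on selective authentication so that internal accounts get no logon rights in the DMZ by default, and then grants "Allowed to Authenticate" on the web server computer objects to that one admin group.

```powershell
# Added example, not part of the original answer. Assumed (placeholder) names:
#   internal forest   corp.example.com    (where administrators' accounts live)
#   DMZ web forest    dmz.example.net     (where the web servers are domain-joined)
#   CORP\DMZ-WebAdmins  the only internal group allowed onto the DMZ web servers
# Run on a DC of the DMZ forest as an enterprise admin of that forest;
# credentials for the internal forest are prompted for.
Import-Module ActiveDirectory

$corpName = 'corp.example.com'
$corpCred = Get-Credential -Message "Enterprise Admin in $corpName"

$ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
$corpCtx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
               $ctxType, $corpName,
               $corpCred.UserName, $corpCred.GetNetworkCredential().Password)
$corp = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($corpCtx)
$dmz  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. One-way forest trust: dmz trusts corp ("Outbound" from dmz's point of view).
#    corp does not trust dmz, so nothing in the DMZ forest can be granted rights
#    in the internal forest even if a web server is fully compromised.
$dmz.CreateTrustRelationship($corp,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound)

# 2. Selective authentication: corp principals cannot log on to ANY dmz computer
#    until they are explicitly granted 'Allowed to Authenticate' on it.
$dmz.SetSelectiveAuthenticationStatus($corp.Name, $true)

# 3. Grant that right to one corp group, inherited only by computer objects
#    under the web server OU.
$allowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'   # Allowed-To-Authenticate right
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schema class 'computer'
$ouPath = 'AD:\OU=WebServers,DC=dmz,DC=example,DC=net'

$adminSid = (Get-ADGroup -Identity 'DMZ-WebAdmins' -Server $corpName -Credential $corpCred).SID

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $adminSid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $allowedToAuth,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $computerClass)

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 4. Verify: the only trust the DMZ forest has should be outbound, forest-wide,
#    and selective. An inbound or bidirectional trust here defeats the design.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
```

The firewall rule set that goes with this is the usual DC-to-DC set between the DMZ DCs and the internal DCs only; the web servers themselves talk to the DMZ DCs and never to anything in corp.example.com. Day-to-day administration is then done from internal accounts that the DMZ forest honours only on the computers where step 3 was applied, which is the "administer the domain from your main domain without giving any permission to the WS's domain" that the answer describes.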


If the webserver is on the same network as the Domain Controller(s), then I would definitely add it to the domain - as this obviously adds a great deal of manageability. However, I would usually strive to put webservers in a DMZ to increase security - which makes access to the domain impossible without pinholes (and that's a very bad idea!)