We have a number of workstations that will live out at remote locations where we won't necessarily have good physical security. We need to make sure that we have complete access to these machines (via remote desktop, group policy, IPMI/remote KVM, etc) so we will be utilizing hardware VPNs at each of the locations. Because we're using a hardware VPN, that means conceivably someone could plug into the port on the VPN, but they would need to have knowledge of our network infrastructure, username/passwords, etc, and we will also be blocking all inbound traffic back to our office at the firewall except for Active Directory traffic.

So, that brought up the issue, what kind of domain controller to use? At first I set up a read-only domain controller that is a member of our primary domain, but even that made us feel uncomfortable. Plus, it has its own set of pains associated with it, so now I'm considering other options before we really begin using the system (it's still in development).

I'm thinking I'll either set up a child domain or go the route of an entirely separate domain. I would still need to set up trust relationships between the domains, though, as I want my office users to be able to easily manage the remote computers in the field, but it's purely for management purposes and the connection can be severed at any time while still leaving the field computers fully operational. Yes, I could have no trusts at all, but I would like to manage most of the user resources from one domain if possible. The key here is that we have the ability to remotely manage and access these computers without allowing them to compromise our office network security.

Is there a better way to do this? What have others done in situations like this? Thanks!

Mike
It's all going to come down to a tradeoff of security for the convenience of being able to use one set of admin credentials from your primary domain. My recommendation is do not set up a new domain and trust, because this is only going to give you a false sense of security. Don't even deploy a domain controller to the location. Don't over-engineer it. You will end up having more work than is necessary for very little gain security-wise. Use the VPN to allow the clients to authenticate against the office DCs. Lock down their network access at your firewall to limit them only to the IPs, ports, and protocols required for their purpose. Enable credential caching on the clients so the user can still log in when the network drops. Enable BitLocker drive encryption on the clients to mitigate offline disk access. Use the Microsoft LAPS solution to ensure local admin passwords are unique and backed up to Active Directory. Most importantly, never log into the clients with a domain account having administrative access to any of the other computers on your network. Apply a group policy to deny your domain admin accounts network and interactive logon to these systems to ensure it never happens. Better yet, use the LAPS account for all remote administration of these. That way, if one gets compromised, they are limited to that system and any accounts that are still in memory. Let me know if you have any questions or concerns about these suggestions. Convenience/usability and security are always going to be at odds with each other. The key is finding the sweet spot where it's secure and also usable, but not always convenient, unfortunately.

twconnell
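An added example, not part of the answer above: a PowerShell audit that checks a field workstation for the controls the answer recommends (cached logons, BitLocker on the OS volume, deny-logon user rights, LAPS policy). It assumes an elevated session on a Windows 10/11 client with the BitLocker module; the function name and the legacy LAPS policy key it reads are the author's assumptions.

```powershell
# Hypothetical audit function (added example). Run elevated on a domain-joined client.
function Get-FieldClientAudit {
    $report = [ordered]@{}

    # Credential caching: CachedLogonsCount > 0 lets users sign in while the VPN is down.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $report.CachedLogonsCount = if ($null -ne $cached) { [int]$cached } else { 10 }   # 10 is the Windows default

    # BitLocker: the OS volume should report ProtectionStatus 'On', not merely 'FullyEncrypted'.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $report.BitLockerProtectionOn = ($null -ne $os -and $os.ProtectionStatus -eq 'On')

    # Deny-logon rights: export the effective local policy and read the user-rights section.
    # Each line looks like "SeDenyNetworkLogonRight = *S-1-5-21-...-512" (SIDs of the denied groups).
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $match = $lines | Where-Object { $_ -like "$right*" } | Select-Object -First 1
        $report[$right] = if ($match) { ($match -split '=', 2)[1].Trim() } else { '(not set)' }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue

    # LAPS (legacy client): the policy key below is where AdmPwdEnabled is written by GPO (assumed path).
    $laps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    $report.LapsPolicyEnabled = ($null -ne $laps -and $laps.AdmPwdEnabled -eq 1)

    # The built-in administrator (RID 500) is the account LAPS rotates; note whether it is enabled.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $report.BuiltinAdminEnabled = [bool]$builtin.Enabled

    [pscustomobject]$report
}

# Flag anything that does not match the recommended baseline.
$audit = Get-FieldClientAudit
$findings = @()
if ($audit.CachedLogonsCount -lt 1) { $findings += 'Credential caching disabled; users cannot log on offline' }
if (-not $audit.BitLockerProtectionOn) { $findings += 'BitLocker protection is not On for the OS volume' }
if ($audit.SeDenyNetworkLogonRight -eq '(not set)') { $findings += 'No deny-network-logon entries (domain admins not excluded)' }
if ($audit.SeDenyInteractiveLogonRight -eq '(not set)') { $findings += 'No deny-interactive-logon entries' }
if (-not $audit.LapsPolicyEnabled) { $findings += 'LAPS policy not applied; local admin password may be shared' }
$audit | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Baseline checks passed' }
```

The deny-logon values are printed as raw SIDs; compare them against the SID of your domain admin groups rather than matching on names.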