Maybe Domain Membership Is Passé?
Wouldn't it be great if your Windows devices could be members of more than one domain, or even members of more than one forest?
April 23, 2012
This month, let's talk some more about this "ARM tablets can't join a domain" stuff that we took up last month (see "Domain Join and ARM Tablets: Don't Raise the Bridge, Lower the River"). It's got me thinking: You know, I've always been a monogamous sort of guy, but maybe being part of just one domain is, well, sort of passé. Perhaps I -- and all of you -- should be able to be "polydomaingamists." And yes, I did just make that word up, but think about it: Wouldn't it be great if your Windows devices could be members of more than one domain or even -- brace yourself --- members of more than one forest?
Microsoft started me thinking about this when some MSFT people greeted the question of "Why on earth aren't you guys going to let ARM tablets join a domain?" with the response of "Well, you wouldn't expect your employer to make you join your smartphone or your iPad to their domain, would you?" My initial answer was, "Um, heck yes, if they want to access my secure assets -- nobody's touching my servers until I've locked 'em down with some Group Policies!" I still feel that way but, as with last month, maybe it's a matter of thinking a bit outside the box.
Currently, we have a somewhat decent half-answer in the way that we let small non-Windows devices -- I'm talking about our smartphones -- access our organizational email. You know what I'm talking about: Exchange ActiveSync. Before a phone can connect to an Exchange server, we can require that it pull up its socks a bit security-wise, and when that phone becomes part of our "Exchange client family," we get the ability to brick the thing if someone reports it lost or stolen. Thus, even if Exchange ActiveSync is all we have for ARM tablets, things aren't terrible. But let's take it a step further.
Why do we join domains in the first place? Several reasons. First, as users we get the benefit of domain controllers' ability to authenticate our identities through DCs' knowledge of our user names and passwords. Second, as network administrators we get administrative control over our users' machines -- the Domain Admins group gets stuffed into the domain-joined PC's Administrators group. Third, members of a domain must submit, again, to Group Policies, which let network admins secure systems by requiring things like digitally signed communications, good password policies, and the like. That's all good stuff, but the whole domain joining process brings with it a big limitation: You can only be a member of one domain.
Now, this probably made sense back in 1993, when Windows NT 3.1 and NT domains in general first appeared. (Yes, it was 1993, and if memory serves me right, NT's 20th anniversary will be July 19, 2013, so start planning the parties early.) In those days, pretty much everyone who used a computer "went to work" in the sense that they went to an office, sat down at a desktop computer -- laptops were pretty sketchy affairs in those days -- and logged on to the domain over their wired Ethernet connection, assuming that some nimrod hadn't disconnected their 10base2 "T" connector and brought down their entire segment. Wireless networking didn't exist, so computing wasn't all that mobile, and that mattered because it meant that in order to be on the network, you had to be in the building, which in turn meant that you were inside the perimeter firewall that protected the organization's machines from outside attack, scans, and so on. We had small computing devices, but they were non-networked PDAs whose only connection to the outside world was when they were tethered to our big bulky desktops. None of that was a monstrous problem, though, as most of the organization's employees either didn’t need to use a computer to do their job, or only needed a computer now and then. Even then, the Internet existed but hadn't yet become a gotta-have-it phenomenon. (That wouldn't happen until a couple of years later, in 1995, when all of a sudden everyone discovered the Web and Internet email.)
Of course, the world's different now. Almost everyone needs Internet access to get their jobs done, and if your network still has a "perimeter," I'm fairly sure it's kind of leaky. What hasn't changed is that most folks still need access to their organization's secure data, even if it's now on SharePoint servers instead of file servers. Some sort of centralized authentication is essential, but now those small computing devices -- the PDAs that have become smartphones and tablets -- need that access also. Furthermore, NT domains have gone from being fairly simple affairs to mare's nests of multiple forests, extranet partnerships, and connections to IT resources in the cloud.
Maybe it's time to stop joining domains and to start "establishing domain associations" or the like. More specifically:
Use certificates for authentication, which means it's time for everyone to get a public key infrastructure (PKI) in place. Five years ago, I could ask a large crowd, "How many of you have implemented some sort of public key infrastructure?" and only about 5 percent of the audience had. Nowadays, it's more like 20 percent, but more and more Microsoft tools need or run better with certs, so perhaps it's time to get a bit PKI-smarter. Active Directory Certificate Services makes it a bit easier to roll them out, so give that a look -- heck, even PowerShell's making us learn PKI so we can sign our scripts, for heaven's sake.
Once certs aren't so bad, maybe AD could allow us to create two, three, four, or whatever different kinds of certs that, once installed on a device, allows different levels of access to that domain. Maybe one kind just lets you get your email, and perhaps another lets you connect to the file servers . . . but it also requires that you submit to Group Policy governance. Nope, you're not joining a domain, you're acquiring a "domain association" of some level. One level might look exactly like a modern domain membership, but could, again, be activated simply by installing the cert -- heck, you might not even have to reboot afterward.
Such associations would probably have to be able to very finely restrict what you could do within their organization's boundaries, because many people would have associations with more than one domain. I mean, think about it -- if organizations eventually come to trust cloud vendors who might be hosting competing organizations on the same physical host, mightn't future client OSs simplify contractors being able to connect to many different organizations from one device without making the hair of those organization's security folks fall out?
Another way to think of this is sort of like "DirectAccess, but a dating rather than a marrying mode." Down with domain membership, up with domain association, I say! Now all I've got to do is find that book I've got somewhere that makes running certificate infrastructures easy . . . .
About the Author
You May Also Like