(1) You don’t know the status of the machine when it hits the network, whether it's in the domain or not. The risk of being in the domain and being compromised is that the credentials on this machine for domain logins can be harvested and used to attempt to escalate privilege or access other items (your data) that it wouldn’t have had not being in the domain.

Patches or not, if the box is compromised, then the patches and AV and that stuff isn't going to help too much if there is a rootkit on the machine... (Gather up your IT credentials, send them off, and then use those credentials to gain access up to owning your domain and its data then the game is over....)

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

-----Original Message-----
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, June 20, 2012 1:32 PM
To: NT System Admin Issues
Subject: RE: How many in your company can join systems to domain

I have thought about this before...so I am going to toss it out there and see how it gets swatted down.

If a staff member brings in a home laptop and joins it to the domain is it more of a threat or less of a threat than not being in the domain and just plugged into the network. I ask because here after they reboot they will get all the patches, up to date AV software and no-one except IT Staff will be a local admin. Most won't even be able to get to a command prompt.

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Wednesday, June 20, 2012 1:17 PM
To: NT System Admin Issues
Subject: Re: How many in your company can join systems to domain

By default yes, unless you turn it off, which, IMHO, is the sane thing to do...

On Wed, Jun 20, 2012 at 8:30 AM, Webster <webs...@carlwebster.com> wrote:
> I haven't had to deal with this in a long time but IIRC anyone who is
> in Domain Users can join up to 10 computers to your domain.
>
> http://support.microsoft.com/kb/243327
>
> Carl Webster
> Consultant and Citrix Technology Professional
> http://www.CarlWebster.com
>
> From: David Lum <david....@nwea.org>
> Reply-To: NT Issues <ntsysadmin@lyris.sunbelt-software.com>
> Date: Wednesday, June 20, 2012 8:19 AM
> To: NT Issues <ntsysadmin@lyris.sunbelt-software.com>
> Subject: How many in your company can join systems to domain
>
> Subject line pretty much says it. We have 600 employees and an IT
> staff of 50-ish (including developers) and I swear all 50 can join
> systems to the domain. Certainly 10 of them can and that seems like a lot.
>
> Brought up because these guys drive me crazy by loosely following
> naming standards, not moving to the appropriate OU, and not putting
> descriptions in AD.
>
> David Lum
> Systems Engineer //
> NWEATM
> Office 503.548.5229//Cell (voice/text) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
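
An added example, not part of any message in this thread: a read-only PowerShell audit of the default join quota the thread refers to (KB243327) and of the housekeeping gaps David Lum describes (machines left out of the right OU, no description). It assumes the RSAT ActiveDirectory module and that "appropriate OU" means anything other than the domain's default Computers container; the creator lookup relies on the `mS-DS-CreatorSID` attribute, which is populated when an account is created under the per-user quota.

```powershell
# Added example (not from the thread). Read-only: nothing here changes the directory.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The per-user join quota is stored on the domain head object (default 10).
$head  = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota"

# 2. Computer accounts with the hygiene gaps described in the thread.
$defaultSuffix = ',' + $domain.ComputersContainer
$computers = Get-ADComputer -Filter * -Properties Description, whenCreated, 'mS-DS-CreatorSID'

$report = foreach ($c in $computers) {
    $inDefault = $c.DistinguishedName.EndsWith($defaultSuffix,
                     [System.StringComparison]::OrdinalIgnoreCase)
    $noDesc    = [string]::IsNullOrWhiteSpace($c.Description)
    $sid       = $c.'mS-DS-CreatorSID'
    if (-not ($inDefault -or $noDesc -or $sid)) { continue }

    # Resolve the joining user; fall back to the raw SID if the account is gone.
    $creator = '(created by admin or delegated rights)'
    if ($sid) {
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = "$sid" }
    }

    [pscustomobject]@{
        Name               = $c.Name
        Created            = $c.whenCreated
        InDefaultContainer = $inDefault
        MissingDescription = $noDesc
        JoinedViaQuotaBy   = $creator
    }
}

$report | Sort-Object Created -Descending | Format-Table -AutoSize

# Per-user totals: who is using the quota, and how often.
$report | Where-Object { $_.JoinedViaQuotaBy -notlike '(*' } |
    Group-Object JoinedViaQuotaBy | Sort-Object Count -Descending |
    Select-Object Count, Name

# To turn the default off (a change, left commented out on purpose):
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Setting the quota to 0 only removes the default for ordinary users; accounts that hold delegated create-computer rights on an OU can still join machines, so those delegations need their own review.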