Advantages of Domain Membership:
- Granular user/group access controls for all protocols
- Don’t need to create array accounts for intra-array communications
  - Results in more secure deployment
- Full support for user certificate authentication for publishing
- Full support for the Firewall client
- Full support for Microsoft Operations Manager (MOM)
- Full support for Group Policy management
- Array admins can log in from any Active Directory managed machine with remote admin permissions
- MUCH easier to deploy and maintain

Disadvantages of Domain Membership:
- If someone compromises the Active Directory they can own the firewall
  - However, they’ll own everything else too, with the Firewall being the least of your problems
- If the Firewall is owned, the Active Directory may become accessible
  - The ISA firewall has never been compromised to the extent of being owned
  - Attackers don’t try to own firewalls, they try to own services protected by the firewall
- Domain Admins can admin the Firewall
  - If you can’t trust your domain admins, you have bigger problems

Advantages of workgroup membership:
- If the firewall is compromised, the attacker might not be able to get to Active Directory
  - If an attacker can own the firewall, he’ll be able to access the Active Directory whether or not the firewall is a domain member
- Domain admins can’t admin the array
  - If you don’t trust your domain admins, you have bigger problems than this
- If the Active Directory is “owned” the firewall won’t be affected
  - ISA will be the last man standing, while the entire business has gone up in flames – does it really matter at this point?

Disadvantages of workgroup membership:
- Requires server certificate on CSS
- Requires CA certificates on array members
- Must track certificate status
- Must use RADIUS authentication (slow) or RSA SecurID (expensive)
- On-box accounts required for intra-array communication and management
- No centralized password policy
  - Could become a security or access issue
- Can’t use user certificate authentication for VPN or Web Publishing
- No support for VPN user mapping when users connect from non-Windows VPN clients
- ONLY ONE CSS SUPPORTED IN A WORKGROUP!
HTH,
Tom
Thomas W Shinder, M.D.
Debunking the Myth that the ISA Firewall Should Not be a Domain Member
Deb Shinder Blog
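The workgroup-membership disadvantages above (server certificate on the CSS, CA certificates on each array member, and the need to track certificate status) boil down to a recurring operational check. The script below is an added example, not code from the post or from ISA Server itself; it assumes a Windows PowerShell session on an array member with the built-in Cert: drive, that the server certificate lives in LocalMachine\My and the CA certificates in LocalMachine\Root, and a warning threshold of 30 days, which is an assumed value you should set to your own renewal lead time.

```powershell
# Added example (not from the original post): report certificate status on a
# workgroup-mode array member. Assumes Windows PowerShell with the Cert: drive.
param(
    [int]$WarnDays = 30   # assumed threshold; set to your renewal lead time
)

$now = Get-Date

# Stores a workgroup-mode array member depends on: its own server certificate
# (LocalMachine\My) and the trusted CA certificates (LocalMachine\Root).
$stores = @{
    'My'   = 'Server certificates (e.g. the CSS certificate)'
    'Root' = 'Trusted root CA certificates'
}

$report = foreach ($store in $stores.Keys) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
        $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
        $status = if ($daysLeft -lt 0)             { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                  else                             { 'OK' }
        [pscustomobject]@{
            Store      = $store
            Purpose    = $stores[$store]
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            HasKey     = $_.HasPrivateKey   # a server certificate must have its private key
            Status     = $status
        }
    }
}

# Show the soonest-expiring entries first so an expiring CSS or CA certificate is not missed.
$report | Sort-Object DaysLeft |
    Format-Table Store, Status, DaysLeft, HasKey, Subject, Thumbprint -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent alert on problems.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 } else { exit 0 }
```

Run it on each array member (and on the CSS) from a scheduled task, since in a workgroup there is no domain-wide view of certificate state. Expired entries in the Root store only matter if they belong to the CA that issued the CSS or array-member certificates; the Subject and Issuer columns let you match them up.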