Monday, October 8, 2018

Securing Traditional Domain Joins

Hello Everyone!

My bread and butter are EMS deployments and some general O365 security talks. 

A lot of my customers really like the option to limit logins to certain cloud services to only Hybrid Joined machines using Conditional Access. 

For those unaware, at a high level, the Hybrid Join process will automatically join a domain-joined Windows 10 machine into Azure AD.

When I help people with setting this up, I always check to see if they have modified who is allowed to join a computer to the domain. At the time of this writing (Server 2016) the default is that any authenticated user can join up to 10 devices to the domain.

That's right folks, by default you do not have to be a domain admin to join a machine to your domain. Beyond the obvious issues like clutter in AD, duplicate objects, SID issues, etc., there is also the issue that the person who joins the object to the domain becomes the owner of that object in AD and can see some sensitive attributes.

Anyways, in our case this almost invalidates the reason most companies want to do Hybrid Join, which is to prevent personal machines from accessing corporate cloud resources. If the user brings their laptop in, though, and decides to join it to the local domain, then we're back at square one.

The easiest way to fix this is with a GPO on your domain controllers.

The GPO is located at Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Add workstations to domain




Once you find the setting, you can add whatever group you would like in order to keep it locked down.
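To see how exposed a domain is before changing the policy, the following PowerShell is an added example (not from the original post) that reads the per-user join quota and lists computers that were joined under the default user right. It assumes the ActiveDirectory RSAT module is installed; the function name `Get-MachineJoinAudit` is hypothetical, and `ms-DS-MachineAccountQuota` and `mS-DS-CreatorSID` are the AD attribute names behind the "10 devices" default and the joining account, which the post does not name.

```powershell
# Added example: audit who has been joining machines under the default right.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-MachineJoinAudit {
    $domain = Get-ADDomain

    # The quota is stored on the domain head object; 10 is the shipped default.
    $head  = Get-ADObject -Identity $domain.DistinguishedName `
                 -Properties 'ms-DS-MachineAccountQuota'
    $quota = $head.'ms-DS-MachineAccountQuota'

    # mS-DS-CreatorSID is stamped on computer objects that were created through
    # the "Add workstations to domain" user right, and holds the joiner's SID.
    $joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
                  -Properties 'mS-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = $_.'mS-DS-CreatorSID'
            try {
                $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # The joining account may have been deleted since.
                $who = "$sid (unresolved)"
            }
            [pscustomobject]@{
                Computer = $_.Name
                JoinedBy = $who
                Created  = $_.whenCreated
            }
        }

    [pscustomobject]@{
        Domain              = $domain.DNSRoot
        MachineAccountQuota = $quota
        UserJoinedComputers = @($joined)
    }
}

$audit = Get-MachineJoinAudit
'{0}: ms-DS-MachineAccountQuota = {1}' -f $audit.Domain, $audit.MachineAccountQuota
$audit.UserJoinedComputers | Sort-Object JoinedBy, Created | Format-Table -AutoSize
```

Computer objects created by administrators or by accounts with delegated create rights on the OU carry no `mS-DS-CreatorSID`, so the list isolates joins made by ordinary users; rerunning it after the GPO is applied should show no new entries.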




Just a little tidbit that some people don't realize! I think we're all so used to only having an admin join a machine that this can slip through the cracks.

Until next time, have a good one.