I'm dealing with this precise issue right now, and have added the recommended ports to allow AD machines to log in, and verified using the 'firewall hits' and 'client status' views in the admin GUI that the rules are sufficient. There are two reasons I can think of for not using "allow-all":
1. However remote, there is always the possibility that a domain computer can be compromised and become a threat.
2. I don't like using wide-open ACLs for anything beyond admin use. Our campus LAN still uses VMPS for wired ports, which is trivial to spoof, so ensuring per-VLAN ACLs are tight is a necessity.
But I also have a question regarding machine auth with IAS: How secure is it? If an attacker can gain knowledge of a valid AD machine name and SID, how difficult is it to spoof the machine auth process? Without an answer to this, I would be *very* cautious about an "allow-all" approach.
An allow-all in the machine auth role would be no worse than you having a computer plugged into your wired network, but not logged in. A device is only in this state when it is at the Ctrl-Alt-Delete screen. I want to say that nobody knows the SID, because it is completely random and negotiated by the computer with the domain. A user is more likely to compromise a username and password rather than machine credentials that are never revealed. Even if they compromised those credentials, they would still have no rights, because computers do not have any rights to user resources. It is much easier to plug into an open wired port than to exploit.
Your exploit path looks like this:
- Somehow get machine credentials that are completely random and never revealed
- Put them into a consumer device to get on the network
- Your user is now just as good as plugging into a physical port, which is easier
OR:
- Somehow hack into a computer locally
- Local credentials that were used to get into the computer will fail on the domain so the connection will be dropped
- Give up and plug into a wired port
Compromising machine credentials, however unlikely, only gets you access to the LAN. You might be able to access resources that a physical machine on a domain can, but not those a user can access on your domain; it does not elevate you to more than that.
The allow-all is only to permit the computer's domain activity so that logging in and getting a login script is not a problem. It keeps you from having to update the ACLs with different ports and hosts every time you add a domain controller, or MSFT changes some protocol, and it also allows you to update the computer with antivirus, MS patches, etc. without necessarily compromising physical security, and removes some of the complexity.