When configuring Windows networking, there are two main approaches to securing network resources: the workgroup approach and the domain approach. The workgroup approach simply creates a Windows peer-to-peer network with a decentralized security system. This workgroup security approach does not require a special server with an acceptable amount of hardware, or the knowledge associated with administering and maintaining an advanced server environment. On the other hand, a Windows network at the enterprise level would be too difficult to install and maintain using the workgroup security model. Not only would it be difficult or nearly impossible, but it would also lack the tight security that this type of system requires. In this case, a domain approach is the ideal solution for controlling and managing all the network resources.
Independent Windows workgroups are "collections of machines configured to advertise themselves as belonging loosely to a workgroup or group of machines" with a common name. In workgroups there is no centralized management of objects such as user accounts, machines and printers. Management of resources is maintained by a database residing on each machine. Sharing of resources and access control to printers and files is done in a peer-to-peer fashion. This security model is the default of any Windows operating system, where the workgroup name is "Workgroup."
Setting up an independent Windows workgroup is very simple: each member computer has the same workgroup name and a different computer name by which it is identified in the workgroup. Machines that are members of the same Windows workgroup will be able to browse each other under Network Neighborhood.
I would choose this implementation for a small network that contains no more than 15 to 20 computers at most and where security is not a high priority concern.
Some advantages of this type of scenario include the ability to manage a Windows workgroup, since it has a small number of computers that can be managed individually. Application servers, services or workstation software can be run off one or a few machines rather than requiring the extensive Active Directory schema changes that a domain model involves. Complying with third-party vendors' software and hardware can be achieved in a simple manner, and migrating or installing new operating systems is an easy task, something that would not be an option in a Windows Active Directory domain.
This simplicity comes at a price: by deploying a Windows workgroup, other functionality and advantages of a domain model are lost or not applicable, and security can be compromised. For example, when deploying a patch or fix, each workstation has to be configured individually. Another example is that installing a new application requires installation and configuration on each machine. Furthermore, in this model, when users connect via VPN, if they transmit copies of their files unencrypted, the security of the network and information is compromised.
A domain model is appropriate in an enterprise or any large-scale environment where managing a higher number of clients becomes an overwhelming task, if possible at all. An Active Directory domain model of security takes advantage of central management, where there is a seamless integration of resource management and security. One of the advantages of an Active Directory domain is the single-sign-on feature that allows the maintenance of all user accounts and passwords in a central database. Another advantage, when security needs are complex, is very fine control over who has access to what and over what happens after a user has logged in, including the access level that users have on their own machines if desired. This control is necessary in large organizations and even in small networks where you want to prevent users or visitors from making changes to the systems. All the security tasks become the responsibility of the system administrator and, since policies can be applied to groups of users, the administration doesn't have to be burdensome.
In addition, a domain controller with Active Directory provides a more granular and more centralized point for software distribution.
Some additional security features of an Active Directory domain include ACL inheritance, atomic (or special) permissions, extended right sets or sets of many attributes, and changes to the default behavior and rights given to common administrative accounts in other systems. Furthermore, the tools used to perform administration are all completely new when compared to NT4 SAM security or Windows workgroups. In many cases these tools hide critical information from the administrators for their own benefit.