SekChek for Windows: Planning Your Analysis - Domains & Standalone Computers

Domains & Standalone Computers


General:

Typically, Windows NT and Windows 200X computers (servers and workstations) fall into one of three categories: free-standing (standalone), members of a workgroup, or members of a domain.

A workgroup is a collection of computers that are grouped together for the purpose of sharing resources. Each workgroup is identified by a unique name. Each computer in the workgroup has its own set of user accounts and groups that are independent of the accounts defined on other computers. Workgroups do not have a centralized security database, so there is no single place from which security policy is applied; each computer must be assessed on its own.

Windows NT:

In Windows NT, a domain is a collection of computers defined by the administrator of a Windows NT Server network that share a common directory/security database. A domain provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain has a unique name.

Domain user accounts are defined on the Primary Domain Controller (PDC). Each account includes basic security information about the user and details of the account’s group memberships etc. Although many security settings can be overridden at the user account level, accounts generally inherit security policy information (domain-wide security parameters) defined at the PDC level.

In addition to this central database of user accounts and groups for the domain, each server or workstation has its own local accounts database and groups. These are managed locally on each server or workstation.

An important consequence for the analysis is that the effective security of a server or workstation depends on a combination of the security controls defined at the domain controller level and the security definitions held locally on that machine.

Windows 2000/2003/2008:

In Windows 2000/2003/2008, a domain is a collection of computers, defined by the administrator of a Windows 2000/2003/2008 Server network, that share a common directory database (Active Directory).

Domain user accounts are defined on the Domain Controller(s) (DC). Each account includes security information about the user and details of the account’s group memberships etc. Although many security settings can be overridden at the user account level, accounts generally inherit security policy information (domain-wide security parameters) defined at the DC level.

A domain provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network.

A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all accounts within the domain.

Domains can be organized into parent-child relationships to form a hierarchy, which is called a domain tree. The domains that are part of a domain tree implicitly trust each other. Multiple domain trees can be connected together into a forest. All trees in a given forest trust each other via transitive hierarchical trust relationships.

In addition to the central database of user accounts and groups for the domain, each server or workstation has its own local accounts database and groups. These are managed locally on each server or workstation.
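The distinction above (standalone or workgroup computer, domain member, or domain controller, each with a local accounts database alongside any domain-level policy) decides what has to be collected for an analysis. The following PowerShell script is an added example, not SekChek code; it classifies the host it runs on and lists both the local accounts database and the domain-wide password policy the machine inherits. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later, and the RSAT ActiveDirectory module for the domain-policy section only.

```powershell
# Added example, not SekChek code: classify this host (standalone / workgroup /
# domain member / DC) and show the two account databases the page describes.
# Assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later; the
# RSAT ActiveDirectory module is needed only for the domain-policy section.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Win32_ComputerSystem.DomainRole: 0/2 standalone workstation/server,
# 1/3 domain member workstation/server, 4/5 backup/primary domain controller.
$role = switch ($cs.DomainRole) {
    0 { 'Standalone workstation (workgroup)' }
    1 { 'Domain member workstation' }
    2 { 'Standalone server (workgroup)' }
    3 { 'Domain member server' }
    4 { 'Domain controller (backup / additional)' }
    5 { 'Domain controller (primary / PDC emulator)' }
    default { "Unknown DomainRole $($cs.DomainRole)" }
}
$isDC = $cs.DomainRole -ge 4

[pscustomobject]@{
    Computer          = $cs.Name
    Role              = $role
    PartOfDomain      = $cs.PartOfDomain
    DomainOrWorkgroup = $cs.Domain   # holds the workgroup name when not domain-joined
} | Format-List

# 1. Local accounts database: every member server/workstation has its own,
#    managed locally. DCs are skipped: their accounts live in Active Directory.
if (-not $isDC) {
    Write-Host "`n== Local accounts (SAM) on $($cs.Name) =="
    Get-LocalUser |
        Select-Object Name, Enabled, PasswordRequired, PasswordLastSet, LastLogon |
        Format-Table -AutoSize

    # Local Administrators may mix local and domain principals;
    # PrincipalSource (Local / ActiveDirectory) tells them apart.
    Write-Host "`n== Local Administrators membership =="
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize
}

# 2. Domain-wide policy that domain accounts inherit from the DC level.
if ($cs.PartOfDomain -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Write-Host "`n== Default domain password policy for $($cs.Domain) =="
    Get-ADDefaultDomainPasswordPolicy -Server $cs.Domain |
        Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                      LockoutThreshold, ComplexityEnabled | Format-List
}
```

Run it once per computer in scope: a workgroup machine yields only the local section, a domain member yields both, and the two together are what determine that machine's effective security settings.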