drbd

Active Directory Domain or Local Workgroup: security, the network and the best way to handle sensitive data and file sharing.

Hi,
My question is based on security, the network and the best way to handle sensitive data and file sharing. Should a domain or workgroup be used on these systems?

Our organization has migrated to the Windows Active Directory as an OU. We are still in mixed mode with 2000 and NT4 systems, however.

These systems collect and run data for analysis. Access to the data on these systems is through a local share folder on them. This in turn allows the user to access the data on their client-side systems.

Lately, there are concerns on whether the systems that collect data should be joined to the domain or left in a workgroup setting. If joined to the domain, a single sign-on would be used; if left on the workgroup, a separate set of user and password access would be used. Since we are an OU and thus some control is restricted, it is a problem.

If joined to the domain, what are the security risks? If left as a workgroup, is this better from a security hacking perspective? Thus, if the Active Directory were hacked.

I need some way to justify one way or the other to the other network admins: what our options are and the best way to do this. Develop best practices.

Constructive advice is appreciated,

Thanks,
d.
markmedici

Generally speaking, domain membership improves security, since you don't need to manage accounts and policies on each machine individually.

However, if the machines that are collecting data are at risk of compromise, then they might be better off in a workgroup, so the compromise of one of these data collection PCs doesn't also compromise your entire domain.

OUs do nothing but provide a visual cue to the user where things are logically. You need to have groups and assign those users that need access to those files share and NTFS permissions to those files. By only entering the groups you want to have access to the files when in domain mode, only those people in the group will be able to modify them. It is better to have the computer on the Active Directory domain because you have greater control over what your users can do and access.

It almost sounds like you guys are new to the Windows 2000 environment and may need to read up on the security features and options that it offers.

In a workgroup and a domain with Windows 2000 as the client computer, you can turn on auditing of file access to log successful and unsuccessful attempts to access the files.

Honestly, if your admins don't know what is better, workgroup or domain, then get some better admins.

Domains are always better for security and allow for centralized control of resources.