Active Directory Domain or Local Workgroup: security the network and the best way to handle sensitive data and file sharing.

Posted on 2003-03-12
Medium Priority
Last Modified: 2013-12-04
My question is based on security, the network and the best way to handle sensitive data and file sharing. Should a domain or workgroup be used on these systems?

Our organization has migrated to the windows active directory as an OU. We are still in mixed mode with 2000, nt4 systems however.

These systems collect and run data for analysis. Access to the data on these systems are thru a local share folder on them. This in turn allows the user to access the data on their client-side systems.

Lately, there are concerns on whether the systems that collect data should be joined to the domain or left in a workgroup setting. If joined to the domain a single-sign would be used, if left on the workgroup a seperate set of user and password access would be used. Since we are an OU and thus some control is restricted it is a problem.

If joined to the domain, what are the security risks? if left as a workgroup is this better, from a security hacking perspective. Thus if the active directory where hacked.

I need someway to justify one way or the other to the other network admins. what our options are and the best way to do this. Develope a best practices.

Constructive advice is appreciated,

Question by:drbd
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2

Expert Comment

ID: 8122814
Generally speaking, domain membership improves security, since you don't need to manage accounts and policies on each machine individually.

However, if the machines that are collecting data are at risk of compromise, then thy might be better off in a workgroup, so the compromise of one of these data collection PC's doesn't also compromise your entire domain.

Expert Comment

ID: 8125336
OU's do nothing but provide a visual cue to the user where things are logically. You need to have groups and assign those users that need access to those files share and NTFS permission to those files. By only entering the groups you want to have access the files when in domain mode, then only those people in the group will be able to modify them.  It is better to have the computer on the Active Directory domain because you have greater control over what your users can do and access.

It almost sounds like you guys are new to the Windows 2000 environment and may need to read up on the security features and options that it offers.

In a workgroup and a domain with Windows 2000 as the client computer you can turn on auditing of file access to log successful and unsuccessful attempts to access the files.

Expert Comment

ID: 8132170
Honestly, if your admins don't know what is better Workgroup or Domain - then get some better admins.

Domains are always better for security and allow for centralized control of resources.

Accepted Solution

aftershoq earned 225 total points
ID: 8132570
Okay, now I have more time for actual "constructive advice".  Let's try this one at a time:

First - any real hacker can get into your system regardless of domain/workgroup issue.  You will still need to make sure certain precautions are in place (e.g. good firewall setup properly, complex passwords).

Second, your local shares can still be used in domain mode.  You will need to give the proper domain users the correct rights to the shares.

Like Joeisanerd said, OUs are just "containers" in the domain - more for ease of organization (e.g. Finance Dept, IT Dept, HR)  You can put just about anything in an OU - servers, computers, groups, users, etc.  The admins can give "control" of an OU to a person or group too.  But let's not complicate this anymore than we have to right now.  

Security risks of a domain... the same risks, if not less, than that of a workgroup.  If a hacker has cracked someone's password, then you still have some serious security holes.  There are other advanced things that can be done on the OU to help avoid hackers (security templates that can be enforced on the OU's computers for starters, and several other things).

The real problem here isn't security of domain/workgroup, but convenience in controlling the resources within your Windows network.  I really would think that the admins would want to go to a domain to make life easier for them.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses
Course of the Month13 days, 6 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question