• Status: Solved
  • Priority: Medium
  • Security: Public

Active Directory Domain or Local Workgroup: security, the network and the best way to handle sensitive data and file sharing.

My question is based on security, the network and the best way to handle sensitive data and file sharing. Should a domain or workgroup be used on these systems?

Our organization has migrated to the Windows Active Directory as an OU. We are still in mixed mode with 2000 and NT4 systems, however.

These systems collect and run data for analysis. Access to the data on these systems is through a local share folder on them. This in turn allows the user to access the data on their client-side systems.

Lately, there are concerns about whether the systems that collect data should be joined to the domain or left in a workgroup setting. If joined to the domain, a single sign-on would be used; if left in the workgroup, a separate set of user and password access would be used. Since we are an OU and thus some control is restricted, it is a problem.

If joined to the domain, what are the security risks? If left as a workgroup, is this better from a security hacking perspective? Thus, if the Active Directory were hacked.

I need some way to justify one way or the other to the other network admins: what our options are and the best way to do this. Develop best practices.

Constructive advice is appreciated,

1 Solution
Generally speaking, domain membership improves security, since you don't need to manage accounts and policies on each machine individually.

However, if the machines that are collecting data are at risk of compromise, then they might be better off in a workgroup, so the compromise of one of these data collection PCs doesn't also compromise your entire domain.

OUs do nothing but provide a visual cue to the user where things are logically. You need to have groups and assign those users that need access to those files share and NTFS permissions to those files. By only entering the groups you want to have access to the files when in domain mode, only those people in the group will be able to modify them. It is better to have the computer on the Active Directory domain because you have greater control over what your users can do and access.

It almost sounds like you guys are new to the Windows 2000 environment and may need to read up on the security features and options that it offers.

In a workgroup and a domain with Windows 2000 as the client computer you can turn on auditing of file access to log successful and unsuccessful attempts to access the files.
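
The group-based share and NTFS permissions and the file-access auditing described in the answer above, as an added example that is not part of the original thread. It assumes a current Windows Server with the SmbShare module and an elevated PowerShell session; the folder path, share name and the `EXAMPLE\DataAnalysts` domain group are hypothetical placeholders.

```powershell
# Added example: placeholder names, not values from the thread.
$Path  = 'D:\CollectedData'        # assumed data folder on the collection system
$Share = 'CollectedData'           # assumed share name
$Group = 'EXAMPLE\DataAnalysts'    # assumed domain group holding the users who need the data

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share permission: name the group explicitly so the share is not open to Everyone.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path `
        -ChangeAccess $Group -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# NTFS permission: stop inheriting from the parent folder and grant access
# only to SYSTEM, local Administrators and the one group.
$inherit = 'ContainerInherit,ObjectInherit'   # apply to subfolders and files
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # $false = discard inherited entries
$grants = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $Group;                   Rights = 'Modify' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Auditing: the folder needs an audit entry (SACL) and the machine must have
# object-access auditing switched on, otherwise nothing is logged.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$sacl = Get-Acl -Path $Path -Audit
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Modify', $inherit, 'None', 'Success,Failure')
$sacl.AddAuditRule($audit)
Set-Acl -Path $Path -AclObject $sacl

# Review the result: who can reach the share, and who can touch the files.
Get-SmbShareAccess -Name $Share
(Get-Acl -Path $Path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
```

The effective access is the more restrictive of the share and NTFS permissions, so both lists should name the same group. Successful and failed access attempts then appear in the Security event log of the system hosting the share.
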

Honestly, if your admins don't know what is better Workgroup or Domain - then get some better admins.

Domains are always better for security and allow for centralized control of resources.

Okay, now I have more time for actual "constructive advice". Let's try this one at a time:

First - any real hacker can get into your system regardless of domain/workgroup issue. You will still need to make sure certain precautions are in place (e.g. good firewall set up properly, complex passwords).

Second, your local shares can still be used in domain mode.  You will need to give the proper domain users the correct rights to the shares.

Like Joeisanerd said, OUs are just "containers" in the domain - more for ease of organization (e.g. Finance Dept, IT Dept, HR). You can put just about anything in an OU - servers, computers, groups, users, etc. The admins can give "control" of an OU to a person or group too. But let's not complicate this any more than we have to right now.

Security risks of a domain... the same risks, if not less, than that of a workgroup.  If a hacker has cracked someone's password, then you still have some serious security holes.  There are other advanced things that can be done on the OU to help avoid hackers (security templates that can be enforced on the OU's computers for starters, and several other things).

The real problem here isn't security of domain/workgroup, but convenience in controlling the resources within your Windows network.  I really would think that the admins would want to go to a domain to make life easier for them.
