Windows Domain Structure - Coursework Example

?Windows Domain Structure Introduction The report aims at discussing about the Windows domain structure, its security issues, risks, practical implementation and an enumeration of the best practices followed in securing a Windows domain structure. Windows Domain Windows domain is generally known as a set of computers that are interconnected. This connectivity is established as they share a common database. The common database includes an account object which controls the internal database. This account object resides in the domain container. The role of domain depends on the situation in which it is used. If it is used to store an account object, it is known as the domain container. In certain cases it is used to indicate the Windows structure by means of the concerned directory. (Schmidt 2008) The domain structure has gone through various changes and the environment and structure of Windows has changed when compared to the past. The domain structure depends on the operating system and hence the domain structure must be modified each time the operating system is changed. Windows domain is completely different from that of other operating systems. Initially domains had the ability to store the user accounts pertaining to a company. But this often led to problems related to data access, since the company in a different city was deprived of its chances to access the required data. (Tiensivu 2008) In this stage, Microsoft altered the usage of domains by introducing domain trusts that helped in the easy access of data. The domain trusts help the employees to access the data only if they are directed form a trusted domain source. In this case, the domain which allows the access is known as trusting domain. In the initial stages of development, domains were individual components that were isolated from each other. The changes in the Windows environment changed the entire structure of domain and created a separate structure for these domains. The Windows NT domain structure is completely different from that of Windows 2000, 2003 or 2008. (Posev 2007) The use of domains does not end with database account management; instead they are also used for resource management. The domain structure includes domain controllers and domain name spaces. Domain names are initialized by the Domain Name Servers (DNS) which acts as an intermediary between the systems in a network. The use of domains and their structure varies according to the operating system. (Comer 2006) Domain Structure The domain structure is composed of several domains where they are considered in a hierarchical pattern. The domains are grouped into a single tree with a root domain. Even a single domain can be made into a tree by including the sub domains from other systems. If the numbers of domains are more, then they are treated as a forest where the first domain is known as forest root. The domain trusts also form a part of the domain structure. In simple terms domain trusts are described as the relationship between two different domains. (McNab 2007) The trust relationship might be either one way where one domain permits the users to access another domain, or two ways where users have the accessibility to both the domains involved in the trust relationship. Role of Domain Structure Windows 2008 allows both one way and two way trust relationship between the domains. In this way it is advantageous, since the users can have an access to both the databases. Cross link, transitive and explicit are the other types of trust relationships that can be established between the domains. The next important aspect of domain structure is the domain controller. The domain member of a tree can be made as a domain controller by specifying certain commands. This domain controller manages the other domains in the system. It ensures that the domains perform their operations in a proper manner. (McClure 2009) Windows operating system uses Primary Data Controller(PDC) (McNab, 2007) which controls the entire operations of the domains included in the system structure. Windows can be structured and operated in native or mixed mode. Native mode used Active Directory and this interconnects with the Windows 2000/2003 or 2008. In this case the PDC is responsible for mitigating between the domains. Mixed mode is generally used to work with domains in Windows NT environment and it interfaces only with the NT operating system. Once a system is implemented on a native mode, it cannot be changed to the mixed mode. Due to this reason, native mode is used in almost all versions of Windows operating systems. Threats to Domain Structure The domain model and structure depends on the requirements of the organization. Most of the companies install a multiple domain model. In a multiple domain model, each of the individual domains must be upgraded each time the database is modified. While configuring the Windows, every single domain must be altered to have a complete control over the entire domain structure. Any change in the modes of the operating systems will result in the modification of the domain structure. Each time the mode is changed, the domain must be upgraded. This might result in the loss of data during data transfer. Application compatibility is considered as the most common threat in domain structure. The applications in native mode do not work well in mixed mode and his poses a great threat to the existing domain structure. Interoperability among the systems also poses a threat to domain structure. In a network, certain systems might work on a platform other than Microsoft Windows. In this case, the interoperability between the systems becomes a tough task and this in turn affects the domain structure. The existing domain structure must be changed to suit the interoperability constraints. Windows 2008 Windows 2000 is the first operating system to have a native mode. Windows NT supports and interfaces only with mixed mode. A system that has been operating on NT cannot change its mode to a native mode, as the Active Directory cannot interface with an NT domain. The operation of domain controllers are considered to be important since the mode determines how an operating system works. Windows 2000/2003/2008 works on native mode and this provides more flexible operations. Native mode domains provide remote access facility and the restrictions on accessing the data across remote networks is made possible. The permissions to access the remote data are achieved easily, since the administrator can provide access to a specified group of users. The users are generally grouped based on their usage and these nested groups are categorized into smaller groups to make the process of data access an easier one. The major advantage of native mode in Windows 2008 is the ability to connect to a remote network with the help of route specification. (Ruest 2008) The office network can also be connected to a remote network with the help of native mode domains. This is achieved through the implementation of static routes. Domain communication The domains specify the availability of data by analyzing the network connection and then the static routes are assigned. The data transfer is carried out using these static routes. Another advantage of using native mode is that it provides unique names for each and every user. This name is known as the User Principle Name and this is provided to even the end users. The domain in which the user registers is not taken into consideration, instead they are provided with names irrespective of the domains in which they operate. (Burnett 2002) When compared to Windows 2000 and 2003, 2008 has advanced properties and techniques which permit the user to operate in the native mode. The unique properties include User account properties which provide permission to access the remote systems and networks. It includes a feature to provide and deny access to a particular group of users. The access of a particular user can also be controlled by using the access policy which specifies the rules based on which an access is provided to a user. The Native mode uses static IP address where as the mixed mode relies on dynamic IP address. When the operating system is based on mixed mode domains, the users can access the network from any new system. In Native mode, the users are permitted to access only from a particular system which has been already registered with the administrator. Native mode also defines a static route using which data is transferred from one system to another or from a network to another. The concepts of universal groups are also permitted in a native mode operating system as the domains are grouped based on their access rate. Windows 2008 native mode allows the user to select multiple objects in a single instance. The users have an option to select the required options and modify them according to their requirement. (Morimoto 2008) The concept of Application directory partition is implemented in native mode of Windows 2008. This is used to control the DNS information stored in the system’s directory. In a normal system, the limit to store DNS information is not defined, where as native mode domains includes a limit on the Active directory interface so that the data stored is minimum. Developing a Secure Windows Domain Structure Developing a secured Windows domain structure involves a detailed analysis of both the physical environment and the policies and practices followed in the environment. The best practices involved in safeguarding include Performing an in-depth analysis on the Active Directory Implementation settings Identifying the scope of its deployment, the possibility of threats that might tamper the directory settings and invoking appropriate counter measures are some of the important functions in safeguarding the structure and its working. Security issues are divided according to sections – physical, administrative and end systems. A high bandwidth connectivity with a secured access to domain controllers help in building a secure structure. In addition to this, there should be facilities where domain controllers can be configured and tested for checking hardware and OS efficiencies. The security systems are placed under full time dedicated IT staffs, with roles being appropriately prioritized and assigned. Proper facilities for auditing the working of the controllers are also established. Well-developed firewalls are kept in place to control the traffic of the network. Proper access control lists are to be used to control the flow of data between the intranet and extranet. Identifying the kind of threats allows for prevention of them by placing proper counter measures. Some of the common threats that could be acted upon include spoofing, tampering of data, denial of service and Information disclosure and the recent trend- Social Engineering. (Shapiro 2008) Identifying the boundaries of the Windows Domain Structure In Windows 2000 and later versions, the forest remains to be the boundary of the structure, they are not the final frontier. Setting complex password rules enhances the boundary of protection vehemently. The forest combined with complex password rules are the ultimate boundaries. Another aspect is delegation of the administration rights according to the needs of the organization. This ensures that security information are scattered and are not confined to one single resource. It improves both the aspects of a secure structure – isolation and autonomous nature. Delegation should be done in such a way that services that are at domain level are controlled by the owners who control the forest and access to the member computers are controlled by the owners of the respective domains. (Sosinsky 2008) Actual deployment of the controllers Environment like the datacenters are best suited for building a secure structure. If not feasible, then rules must be enforced such that only trusted employees get access to the environment. An image based process of deploying the structure is best suited for dealing security issues. Updates and installation procedures should be done according to the official guidelines. Use of SMTP’s is better to be avoided unless otherwise the Active directory setting uses it. Name generation programs of the NTFS are best to be closed during the deployment. The backup media should be placed in a secure place along with the network infrastructure kept secured using proper key locks. Conclusion The details of deploying a secure Windows domain structure, the threats that might affect the working of the domain, its relationships with the domain controllers are well explained with appropriate examples. The best practices that could be followed while securing a Windows domain structure have also been explained. References Schmidt, P., 2008. Windows Server 2008 Domain Services: Active Directory Domain Services. Windows Networking, [Online]. Available at: http://www.Windowsnetworking.com/articles_tutorials/Windows-Server-2008-Domain-Services-Part1.html Accessed 26 January 2011]. Posev, B., 2007. Windows Domain. Windows Networking, [Online]. Available at: http://www.Windowsnetworking.com/articles_tutorials/Networking-Basics-Part6.html [Accessed 26 January 2011]. Comer, D., 2006. Internetworking with TCP/IP: Principles, Protocols and Architecture, 3rd ed. New Jersey: Pearson Education. McNab, C., 2007. Network Security Assessment. 2nd ed. U.S.A: O’Reilly Media Inc. McClure., 2009. Hacking Exposed. 6th ed. New York: Tata McGraw-Hill. Tiensivu, A., 2008. Securing Windows Server 2008. U.S.A: Syngress Publishing Inc. Morimoto, R., 2008. Windows Server 2008 Unleashed. U.S.A: Sams Publishing. Burnett, M., 2002. Maximum Windows 2000 Security. U.S.A: Sams Publishing. Shapiro, J., 2008. Windows Server 2008 Bible. U.K: Wiley Publishing. Sosinsky, B., 2008. Microsoft Windows Server 2008: Implementation and Administration. Canada: Wiley Publishing. Ruest, D., 2008. Microsoft Windows Server 2008: The Complete Reference. U.S.A: McGraw-Hill. Read More