Practical Windows Security - Assignment Example

Practical Windows Security WINDOWS DOMAIN STRUCTURE Table of Contents Introduction Windows Domain Structure is a view or ized admittance to a lot of networks or computer components by simply utilizing a particular password and user name. Domain Controllers are employed for security verification call like that logging in, permission scrutiny, etc. For example Windows NT uses the idea of a domain to manage admittance to a group of network resources like that diverse kinds of computer and network tools, applications, services and printers. The user simply logs into the computer domain to obtain admittance to different resources that can be placed on diverse network and communication servers residing within a network. On some windows server machine a domain structure is a server that takes action in response to safety for the reason that domain controller is the fundamental to the security and extremely protected a network comprising all the devices. BDC and PDC are jobs that are competent to be expressed to a server machine in an arrangement that craft utilization of the operating system of Windows NT (FreeWiMAXinfo, 2010). In this report I will present a deep and comprehensive analysis of some of the prime aspects regarding the Windows Domain structure. In this scenario I will analyze some of the main areas and aspects about Windows 2000/2003/2008 Domain and some of the main security hazards/threats to the Windows domain structure. In this connection I will try to enumerate/discover a Windows domain structure and then present the major ways and methods which are used by the Windows domains and domain structures for the purpose of communication with each other. Domain Structures (Roles/Functions) In windows Active Directory server functions, computers that act upon like servers within a domain are capable to have one of the two responsibilities: domain controller or else member server. Domain controller (DC) is a server on a Windows NT or Microsoft Windows network that is in charge for permitting workstation admittance to Windows domain possessions. A Windows NT or Microsoft Windows domain controllers in our network are the central point of our Active Directory service. It keeps records of authenticated clients, user account information as well as implements security policy proposed for a Windows domain. A domain controller carries out a lot of tasks such as; the domain controller is the guardian of the computer or network connected system and to the security of all the systems in the domain relies on protection of the Domain Controller shining. The network and system security is dependent on physically protected as well as carefully supporting the domain controller. Protection is the vital for the Domain Controller from the recommendation through Microsoft proposed suggestions for a domain controller. The working and operations of the domain controller are inappropriate for a number of other tasks like that ftp server, mail client, mail server, web server etc that can augment the threat of compromise to an inappropriate point. Network and system protection is severely restricting the admittance to the Domain Controller as of the Internet plus the extra constituent of a network system (FreeWiMAXinfo, 2010). Structure of Windows Domain Controller PDC (Primary domain controller) and BDC (backup domain controller) are the tasks and functions that are competent to be allocated to a server within a network of workstations that utilizes the Windows OS. Windows Operating Systems like Windows NT employs the scheme of a domain to handle admittance to a group of diverse network devices (like that printers, applications plus so onwards) designed for a group of system clients. The clients require simply log-in to the domain to attain admittance to the resources that can be situated on a number of diverse servers within the network. A network or operational server, recognized as the main domain controller, handles the master user database designed for a specific domain. One or additional servers are selected like backup domain managers. The main domain controller occasionally transmits copies of the database to support backup domain controllers. A backup domain controller is proficient to step in like primary domain controller if the Primary domain controller server becomes vain as well as is competent to facilitate in stabilizing the network traffic if the network is filled with activities (TechTarget, 2000). For example in Windows NT, a domain joins a number of the benefits of a workgroup (a set of clients who distribute admittance to one another resources on dissimilar Systems) and a directory (a set of clients who are handled centrally through an administrator). The domain idea not simply permits a user to have admittance to the resources that can be located on diverse servers, however it as well permits one domain to be given right of entry to a different domain in a reliance association. In this structure, the client require simply log in to the initial domain to as well encompass right of entry to the second domains resources also. For example in Windows NT network, not the entire servers require to be a BDC or PDC. A server is able to be chosen like an affiliated server whose resources turn out to be part of a domain without including a function in the logon procedure. In establishing and upholding BDCs, PDCs and domain information is a key action for the administrator of a Windows NT supported network. In Windows 2000, the domain controller idea is maintained however the PDC in addition to BDC server functions are normally reinstated through the Active Directory services (TechTarget, 2000). Windows Domain Structures and Security Aspects In Windows networking one of the majority significant ideas is a domain. A Windows domain is fundamentally a set of client accounts and computer accounts that are assembled jointly therefore that they are competent to be basically considered with the main Windows security aspects. It is the work of the domain controller to help this fundamental administration of domain diverse resources. In case of analysis of why this is significant, think that some workstations that are working with Windows XP operating system hold a set of built in client accounts. Windows XP also offers us to make extra user accounts on the communication as well as working workstation. Except the Windows workstation is working like a separate system otherwise is a portion of a peer network, these workstation specific client accounts (known as the local user accounts) are not employed intended for controlling entrance to network operational as well as working resources. In its place, local user accounts are employed to control entry to the local PC. They do mainly like a means to make sure that administrator is capable to carry out the tasks of workstation management as well as continuance, devoid of the end users encompassing the capability to interfere by means of workstation configurations (Posey, 2008) & (Samba, 2010). The cause why local client accounts are not employed to control admittance to diverse resources lying externally from the terminal that they located on is for the reason that carrying out such a task would generate a tremendous administration load. Additionally, the local user accounts are located on every single workplace system. This outlines that if local client accounts were a network’s main safety arrangement, then an administrator would need to physically go to the computer system holding an account to sometime an alteration is required to be established to the permissions of account. This may perhaps not be a large arrangement on small-level networks; however creating security transforms would be tremendously discomfited on bigger networks or else in circumstances in which a transform is required to be used worldwide to the entire accounts (Posey, 2008; Samba, 2010). One more cause why local user accounts are not employed to manage admittance to network resources is that they do not move with the user from one PC to the other. For example, if a user’s system stopped/crashed, the client could not immediately log on to another system and effort as their computer problem was being rectified, for the reason that the client’s account is precise to the PC that stopped working. Consecutively for the client to be capable to perform some work, a fresh account would have to be made on the system that the client is using to perform its tasks (Posey, 2008) & (Samba, 2010). These are instantly a small number of causes why employing local user accounts to protect access to network resources is not realistic. Yet if we preferred to apply this kind of security, Windows does not permit this. Local client accounts can simply be employed to protect resources of the local computer (Posey, 2008; Samba, 2010). In this regard a domain offers a solution of these additional problems through centralized management of client accounts (as well as extra configuration and safety associated objects). This sanctions intended for simpler management, and permits clients to log onto the network as of some personal computer on the network (unless we restrict that system from where a user is able to login) (Posey, 2008) & (Samba, 2010). Evolution of Windows Domain Structures In 1990s network systems like servers Novell NetWare were running on servers. Windows networking had not been introduced so far, and in this circumstances Novell NetWare was the only best server OS option at that period. In that era for the possible technology enhancement Novell introduced new version 4.0 of NetWare. NetWare’s new version was 4 that launched a technology known as Directory Service. The main idea behind Directory Service was established at that time was that users should not have an isolate account intended for every server. In its place, an individual client account could be employed to validate clients in spite of how a lot of servers were on the network. An exciting point regarding this small history paradigm is that while domains are distinctive to Microsoft networks (Novell networks do not utilize domains). As a result the present windows domains are based as well as working on the similar fundamental rule. Actually, once Windows 2000 was introduced, at that time Microsoft Windows incorporated an aspect that is so far utilized nowadays and is known as Active Directory. The Microsoft Windows idea of the Active Directory is extremely identical to the directory service that was introduced and brought by the Novell networks and network operating systems (Posey, 2008) & (Samba, 2010). Structure and Relationships of Windows Domain Structure (Communication) After the invention and release of Windows Domain Structure this idea was extensively admired and acknowledged. In this scenario Windows Domain Structure was taken as highly reliable and better security management framework for the network and system management areas. The main responsibility of Windows Domain controller is to execute the Active Directory service on the Windows servers operational on Windows Server 2003, Windows 2000 Server otherwise on the impending Longhorn Server. The Active Directory performs like a warehouse intended for directory items. Along with these items are client accounts. Like that, one of a prime task of a domain controller is to offer validation services. One extremely significant idea to consider this object is that domain controller’s offer verification, not permission. This outlines that when a client logs on to a computer network, a domain controller authenticates the client’s username as well as password plus fundamentally proves that the client is one who they declare to be. The domain controller does not though notify the client what resources they contain privileges to (Posey, 2008) & (Samba, 2010). Working and functional resources on Windows networks are protected through ACLs or access control lists. An access control list is in essence only a list that notifies who has privileges to what. When a client tries to take admittance to network or else system resource, they provide their information as well as identity to the server holding the resource. That server ascertains that the client’s individuality has been genuine plus then postscript the user’s individuality by means of an access control lists to observe what it is that the client has privileges to (Posey, 2008) & (Samba, 2010). Main Advantages of Microsoft Domain Security Single Sign-On or simply SSO is the one main aspect or component of the Microsoft and Windows and beyond networking. Single Sign-On allows clients in an elegant and nicely modeled communication and shared network to log onto some system that is a part of the domain that holds their client account information (otherwise in a domain that has an suitable conviction association by means of the domain they are using) as well as they will be capable to get admittance to the network and access network offered resources (shares of network, printers and diverse data files) since if they are using their personal system. It can be considered as the characteristic of the domain security protocols for the enhanced security and network resource safety management (Samba, 2010; OpenGroup, 2010; Posey, 2008; Waynforth, 2008). The main advantages and effectiveness of domain security are obtainable to those locations that install a Samba PDC. A domain offers a distinctive SID or network security identifier. Clients of a domain and group security identifiers consist of the network SID in addition a RID or known as relative identifier that is distinctive to the account. Users as well as group in addition to the RID are capable to be employed to produce access control lists that are linked to network resources to offer entry control to an organization. Local security identifiers are distinguished by UNIX systems (Samba, 2010). A network security identifier corresponds to a security background. Such as, each Windows system has local accounts inside the security framework of the local system that has a distinctive security identifier. Each domain (ADS, NT4, along with Samba) holds accounts that reside inside the domain security framework that is described through the domain SID. In this scenario we have assessed that network clients of Microsoft Windows domain security structure have to be domain members to be able to get admittance to the advanced characteristics offered. Domain membership entails additional than instantly changing the workgroup name to the network domain name. It necessitates the development of a domain trust account planned for the terminal (known as machine account) (Samba, 2010). Best Practice in securing a Windows domain structure When we install Windows Server on a network or on a system, we are competent to select to organize a specific server function proposed for that particular system. When we preferred to make a new forest, a fresh domain, or an extra domain controller in a current domain, we arrange the server by means of the functionality of domain controller through installing AD DS. By default, a Windows domain controller holds one domain directory element composed of details as well as information regarding the domain in that it is placed, in addition the plan as well as arrangement directory elements intended for the whole forest. A domain controller that executes Windows Server 2008, Windows Server 2008 R2 or else Windows Server 2003 are capable to also support one or more separation regarding application directory. There are as well dedicated domain controller functions that carry out detailed tasks in the framework of an AD DS. These expert functions comprise global catalog servers plus processes masters. The global catalog enables the clients to look for AD DS exclusive of the need to be referred as of server to server in anticipation of a domain controller that encompass the domain directory division holding the required object is located. By default, searching of AD DS is moved to global catalog servers (Microsoft, 2010). Problems with Domain Controller In case of windows domain controller we can generally face a lot of problems and related matters. In this scenario some of main problems are outlined in this section. In this regard the main problem is that the installation expenditure of windows domain controller infrastructure is extremely huge consequently it is not reasonable for a single person or small business or an organization. If we are thinking of a network then previous to starting it high-quality arrangement is definitely required for enhanced outcomes. For a particular client it is extremely hard to recognize the complex arrangement of domain controller (FreeWiMAXinfo, 2010). Conclusion In this repot I have presented a deep and comprehensive analysis of the windows domain controller. In this scenario I have highlighted and outlined some of the prime aspects and areas of windows domain controller and its applications for the better security handling as well as operations management. This report has highlighted some of the vital points like that framework, security features, working arrangement and operations. I hope this report will offer a better insight into the overall structure of windows domain structures. Bibliography freewimaxinfo, 2010. [Online] Available at: http://www.freewimaxinfo.com/domain-controller.html [Accessed 14 December 2010]. FreeWiMAXinfo, 2010. What are Domain Controllers. [Online] Available at: http://www.freewimaxinfo.com/domain-controller.html [Accessed 16 December 2010]. Microsoft, 2010. Domain Controller Roles. [Online] Available at: http://technet.microsoft.com/en-us/library/cc786438(WS.10).aspx [Accessed 15 December 2010]. OpenGroup, 2010. Single Sign-On. [Online] Available at: http://www.opengroup.org/security/sso/ [Accessed 20 December 2010]. Posey, B.M., 2008. Networking Basics: Part 5 - Domain Controllers. [Online] Available at: http://www.windowsnetworking.com/articles_tutorials/Networking-Basics-Part5.html [Accessed 14 December 2010]. Samba, J.H., 2010. Chapter 4. Domain Control. [Online] Available at: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html [Accessed 13 December 2010]. TechTarget, 2000. domain controller. [Online] Available at: http://searchwindowsserver.techtarget.com/definition/domain-controller [Accessed 14 December 2010]. Waynforth, C., 2008. Single Sign On. [Online] Available at: http://searchsecurity.techtarget.com/sDefinition/0,sid14_gci340859,00.html [Accessed 20 December 2010]. Read More