Re: Setting up a domain
From: Robert Moir (bofh@mvps.org)
Date: 01/10/03
From: "Robert Moir" <bofh@mvps.org> Date: Fri, 10 Jan 2003 19:05:09 -0000
Sorry for the delay in replying...
Steve wrote:
> Sorry for the short description the first time. We have
> about 10 computers that are connected to a router and a
> computer that stands alone and acts as our server. The
> office is split into two workgroups. I want to know if
> setting up a domain can allow for increased security
> settings among machines?
Yes a domain can help with improving security but by itself it doesn't mean
much. A domain allows for centralised management of user accounts, security
and access to files, backup management, etc, which are all very important
for security. It can make it very easy to control who can do what, and keep
track of what is going on. However...
The most important part of making a business secure is the culture of the
place. A domain based network (or any other network structure that promotes
better security) only works if it's part of a change to people's habits. E.g.
it doesn't help to give everyone a secure domain account to log in with, to
keep their private files private, if they share their passwords, or walk
away and leave their machine unattended for hours logged in as themselves,
while a fellow worker borrows the machine.
This is a big change in the working environment, and as such it isn't to be
undertaken lightly, especially in smaller companies (apologies if I'm wrong
but I'm guessing that's so from the '10 computers') as it can cause
resentment in people who are being forced to change the way they work
without appreciating why.
If you decide to go ahead with changing the way the users work to fit a more
secure model then you should make an effort to get them to appreciate why
the change is needed, and you should try to give them some benefits to the
change they can actually see on their desktop (e.g. can you use this as an
opportunity to improve access to a facility that everyone likes to use but
which is sometimes difficult to get access to at the moment?)
If you want to read more about why human factors get in the way of security
you might enjoy the article at
http://www.microsoft.com/windows2000/community/centers/security/articles/moir/020724.asp
but I'm sure you see what I'm getting at already.
> If so, how do I do this?
As you mention XP, I should warn you that only the "Pro" version of XP can
join a domain before we go any further.
Setting up a domain involves a copy of either Windows server 2003, when
that's released, or a copy of Windows 2000 server which is available
already. You may want to look into the 'small business server' variant of
the server platform which comes with a lot of extras that may be useful and
interesting, but what I know about small business server can be written on
the inside of a matchbox with a large crayon, so I won't say any more about
that.
Whatever version of Windows server you end up with, assuming you still want
to go ahead, creating a domain is fairly easy for a small network, but I
would personally recommend taking some time to read through the helpfiles
about domains, and also to review the section on active directory (for this
is what domains are properly called from windows 2000 onwards) at
http://www.microsoft.com/windows2000/en/server/help/
You don't need to read that section from end to end by any means but if you
are unsure a quick skim of the concepts and how-tos is always useful, and if
you have it bookmarked now that's better than needing it halfway through a
migration and not having it handy.
> I also need to know how to limit the usage of each user on
> each machine to the programs and folders that are only
> necessary to perform their task. I have already set up a
> user account with the "limited" setting and an admin
> account with administration rights.
With "just" XP Professional machines and no central server, you can use the
NTFS disk format on each XP machine, and then apply NTFS permissions that
allow or deny people access to various folders, including folders containing
data they shouldn't see, and programs they should not run.
To do this, first of all you need to turn off "simple file sharing" - from a
file explorer or my computer window you can do this by going to tools,
folder options, select the view tab, and in the list of options remove the
tick from "use simple file sharing", which should be one of the last
options, if not the very last.
You can now hopefully set NTFS permissions by right clicking a file or
folder and going to the security tab. Going on about what permissions do
what jobs would turn this post into a book so I'm just going to point you at
the XP help files for more detail there.
You'll also notice in XP pro an option to encrypt files and folders too.
This might be worthwhile for you, especially if you use laptops and
sometimes take them "on the road". One word of warning; if you use this it
is *essential* that you read and understand the XP help section on
encryption, especially the section on backing up your encryption certificate
keys for file recovery in the event of a problem. If you don't understand
the implications of what the help says here, please don't use NTFS
encryption at all until you've figured it out.
If you go with a domain, the options for securing things remain much the
same, except that they can be centrally managed from the domain controller,
which makes things considerably easier; you only have to set things up and
change them in one place, and you know that what you do in that one place
will be consistently applied to all the machines in your domain.
I hope that helps.
Regards
Robert Moir.
Microsoft MVP
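
The standalone (no domain) procedure described in the message above, as an added example that is not part of the original post: a batch file for one XP Professional machine that checks the volume is NTFS, turns off simple file sharing, and restricts one data folder to a local group. The folder D:\Data\Accounts, the group AccountsStaff and the user alice are hypothetical placeholders.

```bat
@echo off
rem Added example, not from the original post. Run as an administrator.
rem DATA, GRP and the user name "alice" are hypothetical placeholders.
setlocal
set DATA=D:\Data\Accounts
set GRP=AccountsStaff

rem 1. NTFS permissions only exist on NTFS volumes; stop if D: is FAT/FAT32.
fsutil fsinfo volumeinfo D:\ | find "NTFS" >nul
if errorlevel 1 (
    echo D: is not NTFS. Convert it first with: convert D: /fs:ntfs
    exit /b 1
)

rem 2. Turn off simple file sharing. ForceGuest=0 is the registry value
rem    behind the "use simple file sharing" tick box: network users then
rem    authenticate as themselves instead of as Guest.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v forceguest /t REG_DWORD /d 0 /f

rem 3. Grant access to a group rather than to individual accounts, so that
rem    later changes are a matter of group membership only.
net localgroup %GRP% /add
net localgroup %GRP% alice /add

rem 4. Replace the ACL on the folder and everything below it (/T).
rem    Without /E, cacls REPLACES the existing ACL, so anyone not listed
rem    here (for example a "limited" user outside the group) loses access.
rem    F = full control, C = change (read/write/delete).
rem    SYSTEM is kept so services such as backup can still read the data.
echo y| cacls "%DATA%" /T /G Administrators:F SYSTEM:F %GRP%:C

rem 5. Print the resulting ACL so it can be checked by eye.
cacls "%DATA%"
endlocal
```

Log on as a limited user who is not in the group and confirm that opening the folder is refused before relying on the setting.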