Although Windows 2000 is not necessarily more secure than previous versions of Windows NT, it does include new security features which can be quite effective if designed and implemented in a thoughtful and thorough way. The following sections discuss the fundamental aspects of Windows 2000 security.
Networks are traditionally divided into two basic types of computers: workstations and servers. One or more servers can handle a variety of tasks for the network: file and printer sharing, administration and security, and other services. Current network operating systems, including Windows 2000, allow the division of these responsibilities between several servers. The following sections discuss the different types of servers and clients that form the baseline of Windows 2000 security.
Windows NT uses domains (groups of servers that share a single security database) as the basic unit of security. Windows 2000 expands this system with Active Directory. In older Windows NT networks, servers could be assigned one of three roles:
The primary domain controller (PDC) is the authoritative controller for a domain. Only one PDC can be used per domain, and this is the only server that allows changes to the security database.
One or more backup domain controllers (BDCs) provide redundancy and can be used for authentication. They cannot make changes to the security database.
A server that does not act as a domain ...