Designing Basic Security

Although Windows 2000 is not necessarily more secure than previous versions of Windows NT, it does include new security features that can be quite effective if designed and implemented in a thoughtful and thorough way. The following sections discuss the fundamental aspects of Windows 2000 security.

Creating a Security Baseline

Networks are traditionally divided into two basic types of computers: workstations and servers. One or more servers can handle a variety of tasks for the network: file and printer sharing, administration and security, and other services. Current network operating systems, including Windows 2000, allow these responsibilities to be divided among several servers. The following sections discuss the different types of servers and clients that form the baseline of Windows 2000 security.

Domain controllers

Windows NT uses domains (groups of servers that share a single security database) as the basic unit of security. Windows 2000 expands this system with Active Directory. In older Windows NT networks, servers could be assigned one of three roles:

Primary domain controller

The authoritative controller for a domain. Only one primary domain controller (PDC) can be used per domain, and this is the only server that allows changes to the security database.

Backup domain controller

One or more backup domain controllers (BDCs) provide redundancy and can be used for authentication. They cannot make changes to the security database.

Member server

A server that does not act as a domain ...
