Referring again to figure 12.2, the security model consists of the following components:
These components are referred to later in discussions about logon processes, authentication, user rights, and user permissions.
Like most secure network operating systems, Windows NT is based on user accounts, user access rights, permissions, and secure logons, all of which are controlled by the security system described previously. The primary features are outlined below:
Before discussing user accounts, rights, and permissions, you'll need to familiarize yourself with Windows NT domains, domain controllers, trust relationships, and other management features, as discussed next.
Domains are the central unit of management for a Windows NT network. A domain is a collection of computers and user accounts that is managed by a central authority. Depending on how administrators set it up, a domain can include all the computers and users for an entire organization or it can be used to provide a division of management, users, and resources within an organization. For example, a company can create a domain for its Eastern division and a domain for its Western division. A more likely example is a company that creates domains for its sales division, its marketing division, its research division, and any other necessary division.
Normally, each domain has its own administrator account. While each domain may have its own administrator, a single person can be the top-level administrator for all domains. Each domain also has its own set of user accounts. Users in one domain, however, can be allowed to access resources in another domain if a trust relationship is established between those domains. A trust relationship provides a way to make resources in one domain available to users in another domain as discussed in a moment. A single domain is appropriate for many organizations, but large national and international companies will probably benefit from using multiple domains.
Domains are administrative and security entities. When a user logs into an account, they log into a domain and have access to resources in that domain for which their accounts have been given permission. Users can browse for resources within the domain and access those resources without having to log in again.
Users may also have accounts in other domains on the network and can log into another account from the same workstation by specifying the name of the domain to log into. Alternatively, a user can have a single account with access to multiple domains if the domain administrators prefer to set it up that way. Often a group of users in one domain is allowed to access specific resources in another domain.
Each domain has its own security policies and lets you control the status of default accounts such as the guest account. Here are some of the policy settings you can set in domains:
A domain can be as small as a single server. For example, a server connected to the Internet should be in a separate domain in which the Guest account is disabled for security reasons. You can then use the Guest account in other domains.
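The rules above (an account lives in one domain, cross-domain access needs a trust relationship plus a permission, and Guest should be disabled on an Internet-facing domain) can be checked with a small model. This is an added example, not Windows NT code or anything from the original text; the domain, user, and resource names are constructed, and it assumes a trust is directional (the resource's domain trusts the account's domain) and direct.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:                       # constructed model, not an NT data structure
    name: str
    accounts: set = field(default_factory=set)
    guest_enabled: bool = False
    internet_facing: bool = False   # assumption: marks an exposed server's domain
    trusts: set = field(default_factory=set)   # domains whose accounts are accepted
    acls: dict = field(default_factory=dict)   # resource -> {"DOMAIN\\user", ...}

def check_access(domains, account_domain, user, resource_domain, resource):
    """Return (allowed, reason) for account_domain\\user opening a resource."""
    home, target = domains[account_domain], domains[resource_domain]
    if user.lower() == "guest":
        if not home.guest_enabled:
            return False, f"Guest account disabled in {home.name}"
    elif user not in home.accounts:
        return False, f"no such account in {home.name}"
    # Cross-domain access needs a direct trust held by the resource domain.
    if home is not target and home.name not in target.trusts:
        return False, f"{target.name} does not trust {home.name}"
    if f"{home.name}\\{user}" not in target.acls.get(resource, set()):
        return False, "no permission on resource"
    return True, "granted"

def audit(domains):
    """Flag exposed domains with Guest enabled and ACL entries no trust backs."""
    findings = []
    for d in domains.values():
        if d.internet_facing and d.guest_enabled:
            findings.append(f"{d.name}: Guest enabled on Internet-facing domain")
        for resource, entries in d.acls.items():
            for entry in sorted(entries):
                src = entry.split("\\")[0]
                if src != d.name and src not in d.trusts:
                    findings.append(f"{d.name}: {resource} grants {entry} without a trust")
    return findings

def build_sample():
    """Constructed sample: two divisional domains plus an Internet-facing one."""
    sales = Domain("SALES", {"alice"}, acls={"price-list": {"SALES\\alice"}})
    research = Domain("RESEARCH", {"bob"}, trusts={"SALES"},
                      acls={"reports": {"SALES\\alice", "RESEARCH\\bob"}})
    web = Domain("WEB", guest_enabled=True, internet_facing=True,
                 acls={"pub": {"SALES\\alice"}})
    return {d.name: d for d in (sales, research, web)}

if __name__ == "__main__":
    for finding in audit(build_sample()):
        print(finding)
```

In the sample, RESEARCH trusts SALES but not the reverse, so a SALES account can reach a RESEARCH resource while a RESEARCH account is refused in SALES.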