What is a workgroup and how is it set up?

Authenticating users in a computer network.

Employees in any organization, big or small, need to log in to their computers at the start of their work day. Logging in gives them access to shared files, folders, printers, critical applications related to work, as well as the internet. Organizations need to authenticate and verify the identity of each user before they gain access to these resources—but how?
The method you use to authenticate and verify users depends on the type of computer network setup in your work environment.
There are two major types of network setups:

  • Workgroup environment: This environment is usually found in small offices and home offices.
  • Active Directory environment: Larger offices (usually with more than 15 unique users) use Active Directory.

Here we will look at what a workgroup is, how to set one up, and how authentication is managed in a workgroup.

What is a workgroup?

According to Techopedia, a workgroup is a peer-to-peer network set up using the Microsoft Windows operating system. It’s a group of computers on a local area network that share common resources and responsibilities. You can easily create a workgroup by connecting two or more PCs without going through a separate server computer. Figure 1 shows how a workgroup is set up.

Figure 1: A simple workgroup.

As we can see in the image above, each computer on the network is physically connected to a router or switch. Each computer that’s a member of a workgroup can access shared resources in the network, like files or printers, or share its own resources with the group.
While a workgroup is a group of computers that are connected to a network, it’s not the same as a network. You can connect a computer to your network without making it a member of a specific workgroup. You can even have multiple workgroups in the same network.

How does a workgroup in a small office or home office work?

Let’s take an example of a small three-person office. John, Amy, and Mark are this small office’s three employees. Every computer on this network will have its own database of usernames and passwords.
Essentially, a workgroup is “every man for themselves,” and there is no central control. Every PC in a workgroup is a server and a client at the same time. A PC will act as a client when it seeks to access a resource in another PC. The PC which needs to provide the access to its resources will act as a server during the process of authentication and authorization.
For instance, if Amy wants to use Mark’s computer, her username and password need to be created on Mark’s computer. And if Mark wants to use Amy’s computer, his username and password need to be created on her computer. If both Amy and Mark want to use John’s computer, both of their usernames and passwords need to be created on John’s computer.
How do I set up a workgroup in a small office?

Once you’ve set up your network in your small office, you can follow the steps below to connect all your devices to a single workgroup:

  1. Navigate to Control Panel > All Control Panel Items > System. You will arrive at the View basic information about your computer screen, which looks like this:

Figure 2: Basic information about the computer.

     In Figure 2, you can see that this computer is already a part of the workgroup MY WORKGROUP.
  2. Click on Change Settings under Computer name, domain, and workgroup settings to open the System Properties pop-up.
  3. Click on Change (the button for renaming this computer or changing its workgroup).
  4. In the Computer Name/Domain Changes pop-up, you’ll have the option to join the workgroup of your choice. Ensure that all the devices you want in a particular workgroup are joined to that same workgroup. In this case, the workgroup is named My Workgroup. Figure 3 shows where you can enter the name of the workgroup you want to join.

    Figure 3: Joining the right workgroup.

How do I share files and folders in a workgroup?

Now that you’ve set up a workgroup for your small office, let’s talk about how to share files and folders among different users. Let’s assume that you want to share the My Games folder under Documents (see Figure 4).

Figure 4: Sharing the My Games folder among the workgroup.

Follow the steps below to share this folder:

  1. Right-click My Games.
  2. Click Properties.
  3. Click the Sharing tab.
  4. Click on Share…
  5. Choose the people you want to share the folder with, and select the permission level. Figure 5 shows the screen where you can grant access to other users in the workgroup.
  6. While granting access to other users, you’ll need to create their usernames and passwords on your own computer. This is the only way these users can be authenticated.

    Figure 5: Sharing a folder with others in the workgroup.

Workgroup challenges for large organizations and the need for Active Directory.

Workgroups are not suitable for larger work environments for two main reasons:

  1. They don’t scale well: If the network is small, it’s fairly easy to control a workgroup. However, imagine a scenario in which there are more than 15 computers. It would be time-consuming and tedious to create usernames and passwords by visiting each computer. Now imagine a corporation with more than 5,000 computers. It would be next to impossible to manage user accounts through a workgroup.
  2. Passwords do not sync automatically: If a user has changed their password on their own computer, the change won’t be reflected in the other computers they may try to access on the network. When prompted to enter their username and password when trying to access other computers, they’ll then need to input the old username and password to gain access.

Workgroups are great for smaller networks, but they aren’t efficient for larger ones. For large networks, it’s vital to keep all the usernames and passwords in sync with each other. To do this, you need a centralized database that manages all usernames and passwords, called Active Directory.
Note: A client PC cannot belong to a workgroup and a domain at the same time. If a client joins a domain, its workgroup membership will be automatically removed. The reverse is also true.


Fundamentals of Active Directory, workgroups and domains

The five services within Active Directory.

Active Directory (AD) is a set of five services that run on a Windows server to manage permissions and access to network resources. These five services are:

  1. AD Domain Services (AD DS)
  2. AD Lightweight Directory Services (AD LDS)
  3. AD Federation Services (AD FS)
  4. AD Certificate Services (AD CS)
  5. AD Rights Management Services (AD RMS)

AD DS is most commonly referred to as AD.

AD DS is the most deployed component of AD. In a way, AD DS has become synonymous with AD, and when people speak about AD, they’re usually referring to AD DS. If they want to refer to any of the other four services, they explicitly mention that service by name.
AD DS is essentially a store of information just like a telephone directory. The table below shows the fields of information in a telephone directory.

Last name   First name   Address             Telephone number
Burns       Joe          1 Dorset Place      804 0650
Adams       Marilyn      20 Dundurn Street   391 7683
Rajan       Ranjit       60 Mistdale Cres    691 8967

Think of each row in a telephone directory as a distinct object with attributes like last name, first name, address, and phone number. In an AD environment, these distinct objects can be users, computers, groups, printers, and more. Each of these objects has characteristics or attributes; both the objects and their attributes are stored in AD. AD is extensible, i.e., we can add objects and object attributes to it as needed.

Is AD a database or a directory?

Some people consider AD to be a database. After all, you can write data to, retrieve data from, and store data in it. However, it’s more of a directory than a database, since it’s optimized for read operations rather than write operations. While you can add new data to AD, the existing data usually doesn’t undergo many changes. Furthermore, the data in AD is arranged in a logical and hierarchical manner so that finding information is easy. This is just like how the Yellow Pages organizes entries by type of business, and the White Pages organizes entries in alphabetical order.

The AD structure.

When we deploy AD in an organization, we need to consider two sides of its structure:

  1. The logical side: This is the hierarchy of objects such as users, computers, groups, and organizational units. The AD administrator needs to design a logical side that closely mimics how the business functions and helps them effectively manage their IT infrastructure. Correctly arranging these various objects helps you easily manage permissions (access) and security.
  2. The physical side: When designing the physical side, the administrator needs to think about the servers that provide the AD services and contain all the critical directory information. They need to answer questions such as:
    • How will these servers speak to each other and share information?
    • What network links need to be set up so that remote users can be given access?
    • How can users in different locations be directed to the servers?

Workgroups vs. domains.

A workgroup is a peer-to-peer network with no central authentication. Each computer in a workgroup functions as both a client and a server. When a user in a workgroup wants to access another user’s computer, or even a shared resource like a file, their username and password need to be created on the other user’s computer. Workgroups are great for small office networks with 15 or fewer computers; however, they aren’t ideal for larger companies with hundreds or thousands of users. In such environments, we need to set up a client-server network environment. In Windows, this is achieved by setting up domains. The figure below shows the basic difference between a peer-to-peer and a client-server network environment.

The domain setup ensures better security as we can give varying degrees of permissions for different users or groups of users. Furthermore, we can deploy company-wide policies for administration. If a user wants to access another computer on the domain, they don’t need to create another account on that computer.
All login and access requests by users are managed by a domain controller (DC) that runs AD. A DC is a centralized server that responds to all such requests, and is effectively a security gatekeeper for the network. Both authentication and authorization are done by the DC.

  • Authentication: The client and server authenticate each other to verify who the user or system is.
  • Authorization: The server determines if the client has the requisite permissions to access a resource.

Authentication is done through usernames and passwords (along with a process of encryption). The DC checks its AD database to authenticate users requesting access to the domain. If the user’s credentials match the information contained in AD, they are allowed to log on to the network. Authentication is completed using the Kerberos authentication protocol. Authorization is done through Access Control Lists (ACLs). An ACL is a list of permissions attached to an object; it specifies which users are allowed access to the object and what operations they can perform on it.


NTLM and Kerberos authentication protocols

In Active Directory (AD), two authentication protocols can be used:

  • NT LAN Manager (NTLM): This is a challenge-response authentication protocol that was used before Kerberos became available. However, an organization may still have computers that use NTLM, so it’s still supported in Windows Server.
  • Kerberos: This protocol works on the basis of tickets, and requires the presence of a trusted third party.

The basics of how NTLM works

Here’s a step-by-step description of how NTLM authentication works:

  • The user provides their username, password, and domain name at the interactive logon screen of a client.
  • The client computes a hash of the user’s password and discards the actual password.
  • The client sends the username in plain text to the server it wants to access.
  • The server sends a challenge to the client. This challenge is a 16-byte random number.
  • The client then sends a response to the server. This response is the challenge encrypted with the hash of the user’s password.
  • The server sends the challenge, response, and username to the domain controller (DC).
  • The DC retrieves the hash of the user’s password from its database, and then encrypts the challenge using it.
  • The DC compares the encrypted challenge it has computed (in the above step) to the response of the client. If these two match, the user is authenticated.

NTLMv2 – A big improvement over NTLMv1

NTLMv2 is a more secure version of NTLM (discussed above). It differs from its predecessor in the following ways:

  • It provides a variable-length challenge instead of the 16-byte random number challenge used by NTLMv1.
  • In NTLMv2, the client adds additional parameters to the server’s challenge, such as the client nonce, server nonce, timestamp, and username. It then encrypts this with the hash of the user’s password using the HMAC-MD5 algorithm. In contrast, in NTLMv1 the client only adds the client nonce and the server nonce to the server’s challenge, and then encrypts this with the hash of the user’s password using the relatively weak DES algorithm.

NTLMv2 gives a better defense against replay attacks and brute-force attacks. However, Kerberos is an even more secure authentication protocol because of its use of encrypted tickets.
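To make the two challenge-response shapes concrete, here is an added simulation (written for this article, not Windows or Microsoft code) covering both the step-by-step NTLM flow and the NTLMv2 differences above. It assumes a SHA-256 digest as a stand-in for the real NT hash (MD4 of the UTF-16LE password) so it runs on a stock Python install, and models only the message logic, not the wire format.

```python
"""Constructed simulation of the NTLM challenge-response shapes described above,
not Windows code. A SHA-256 digest stands in for the real NT hash (MD4 of the
UTF-16LE password); only the message logic is modelled, not the wire format."""
import hashlib, hmac, os, struct, time

def nt_hash(password):  # client and DC both hold this; the plaintext is discarded
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def v1_response(pw_hash, challenge):
    # NTLMv1 shape: the response depends on the hash and the server challenge only.
    return hmac.new(pw_hash, challenge, hashlib.md5).digest()

def v2_response(pw_hash, user, domain, challenge, client_nonce, timestamp):
    # NTLMv2 shape: username and domain fold into the key; timestamp and client
    # nonce go into the blob that is MACed together with the server challenge.
    key = hmac.new(pw_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    blob = struct.pack("<Q", timestamp) + client_nonce
    return hmac.new(key, challenge + blob, hashlib.md5).digest(), blob

class DomainController:
    def __init__(self, accounts, domain):
        self.domain, self.hashes = domain, {u: nt_hash(p) for u, p in accounts.items()}

    def verify_v2(self, user, challenge, blob, response, now=None, max_skew=300):
        # The DC recomputes the response from its stored hash and compares.
        pw_hash, now = self.hashes.get(user), now if now is not None else int(time.time())
        if pw_hash is None or len(blob) < 8:
            return False
        ts = struct.unpack("<Q", blob[:8])[0]
        if abs(now - ts) > max_skew:
            return False  # stale timestamp: captured responses age out
        expected, _ = v2_response(pw_hash, user, self.domain, challenge, blob[8:], ts)
        return hmac.compare_digest(expected, response)

def demo(password="CorrectHorse!", typed="CorrectHorse!"):
    dc = DomainController({"amy": password}, "CORP")   # constructed account
    client_hash, challenge = nt_hash(typed), os.urandom(16)
    resp, blob = v2_response(client_hash, "amy", "CORP", challenge, os.urandom(8), int(time.time()))
    fresh_ok = dc.verify_v2("amy", challenge, blob, resp)
    # Replay: presenting the captured (blob, response) to a new challenge fails.
    replay_ok = dc.verify_v2("amy", os.urandom(16), blob, resp)
    # Same challenge twice: v1 gives an identical response, v2 does not (fresh nonce).
    v1_repeats = v1_response(client_hash, challenge) == v1_response(client_hash, challenge)
    v2_repeats = v2_response(client_hash, "amy", "CORP", challenge, os.urandom(8), int(time.time()))[0] == resp
    return fresh_ok, replay_ok, v1_repeats, v2_repeats
```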

How Kerberos works

Kerberos was developed at the Massachusetts Institute of Technology in the 1980s, and has now become the most widely used system for authentication and authorization in computer networks. The name Kerberos comes from ancient Greek mythology, in which Kerberos is a three-headed dog who guards the underworld. The three heads of Kerberos are represented in the protocol by a client seeking authentication, a server the client wants to access, and the key distribution center (KDC). The KDC is a trusted third party that authenticates users and is the domain controller that AD is running on. Here is the step-by-step process of how Kerberos works:

  • The user attempts to join the network through the client’s interactive logon screen.
  • The client constructs a package called an authenticator which has information about the client (username, date, and time). Except for the username, all the other information contained in the authenticator is encrypted with the user’s password.
  • The client then sends the encrypted authenticator to the KDC.
  • The KDC immediately knows the identity of the client that has sent the authenticator by looking at the username. The KDC will then look into its AD database for the user’s password, which is a shared secret. It then decrypts the authenticator with the password. If the KDC is able to decrypt the authenticator, it means that the identity of the client is verified.
  • Once the identity of the client is verified, the KDC creates a ticket granting ticket (TGT), which is encrypted by a key that only the KDC knows.
  • The KDC sends the TGT to the client. The client stores the TGT in its Kerberos tray. It can use this ticket whenever it needs to access a resource on a server on the network (within a typical time limit of eight hours).
  • When the client needs to access another server, it sends the TGT to the KDC along with a request to access the resource.
  • The KDC decrypts the TGT with its key. This step verifies that the client has previously authenticated itself to the KDC.
  • The KDC generates a ticket for the client to access the shared resource. This ticket is encrypted by the server’s key. The KDC then sends this ticket to the client.
  • The client saves this ticket in its Kerberos tray, and sends a copy of it to the server.
  • The server uses its own password to decrypt the ticket.

If the server successfully decrypts the ticket, it knows that the ticket is legitimate. The server will then open the ticket and decide whether the client has the necessary permission to access the resource by looking through the access control list (ACL).
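The exchange above, worked through as an added three-party simulation (written for this article, not Windows or MIT Kerberos code). It assumes a toy HMAC-SHA256 keystream-plus-tag seal in place of Kerberos’ real ticket encryption, a constructed user list and a service named "files", and shows why a wrong password, an expired TGT and a missing ACL entry each fail at a different step.

```python
"""Constructed three-party Kerberos walk-through (client, KDC, file server), not
Windows code. A toy HMAC-SHA256 keystream-plus-tag seal stands in for real ticket
encryption; the message flow follows the steps above."""
import hashlib, hmac, json, os, time

def kdf(password):  # long-term key derived from the password (the shared secret)
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):  # encrypt-then-MAC a small JSON message under key
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, tok):  # raises PermissionError unless tok was sealed under key
    nonce, ct, tag = tok[:16], tok[16:-32], tok[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:  # the trusted third party, running on the domain controller
    def __init__(self, users, service_keys, ttl=8 * 3600):
        self.user_keys = {u: kdf(p) for u, p in users.items()}
        self.service_keys, self.master, self.ttl = service_keys, os.urandom(32), ttl
    def as_exchange(self, user, authenticator, now):
        # Decrypting the authenticator with the stored key proves the client knows the password.
        auth = unseal(self.user_keys.get(user, b""), authenticator)
        if abs(now - auth["time"]) > 300: raise PermissionError("stale authenticator")
        return seal(self.master, {"user": user, "exp": now + self.ttl})  # TGT, KDC-only key
    def tgs_exchange(self, tgt, service, now):
        t = unseal(self.master, tgt)  # only the KDC can open a TGT: proves the earlier logon
        if now > t["exp"]: raise PermissionError("TGT expired")
        return seal(self.service_keys[service], {"user": t["user"], "exp": now + self.ttl})

def server_access(service_key, ticket, acl, now):
    t = unseal(service_key, ticket)  # the server opens the ticket with its own key
    return now <= t["exp"] and t["user"] in acl  # then consults its ACL (authorization)

def logon_and_access(user, typed_password, now=None):
    now = now if now is not None else int(time.time())
    files_key = os.urandom(32)  # constructed service key shared by KDC and file server
    kdc = KDC({"amy": "CorrectHorse!", "mark": "Other#1"}, {"files": files_key})
    try:
        tgt = kdc.as_exchange(user, seal(kdf(typed_password), {"user": user, "time": now}), now)
        ticket = kdc.tgs_exchange(tgt, "files", now)
        return "granted" if server_access(files_key, ticket, {"amy"}, now) else "not on ACL"
    except PermissionError as e:
        return f"refused: {e}"
```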
