Microsoft Network Client 2.2: NetWare Connectivity Guide > Appendix A Differences in Administering NetWare, Windows NT, and LAN Manager

Network Security


NetWare has only one mode of security; LAN Manager has two: user-level security and share-level security. NetWare's security scheme is similar to LAN Manager user-level security mode. Windows NT Advanced Server builds on the security features available with LAN Manager user-level security — its security is a superset of LAN Manager's user-level security.

Each LAN Manager server uses only one of these security modes, but servers that have user-level security can be on the same network and in the same domain with servers that have share-level security.

With LAN Manager user-level security and Windows NT Advanced Server security, users have accounts on all the servers they need to access. When a user tries to access a resource on a server, the server first compares the password the user types with the password in the user's account. If the passwords match, the server checks the permissions for the resource (permissions are similar to NetWare trustee rights). If the permissions specify that the user can access the resource, access is granted.

With LAN Manager share-level security, users don't have accounts. Instead, the administrator gives each resource a different password when sharing the resource. When users want to access a resource, they just need to know the password of that resource.

User-level security is the more powerful security mode, and is used most often on LAN Manager networks. Information in this appendix about LAN Manager security is about user-level security.

When using LAN Manager for UNIX Systems, access to resources is also subject to the UNIX system security restrictions. For details about the interaction of LAN Manager for UNIX systems security with operating system security, see the LAN Manager administrative documentation.

Both Windows NT Advanced Server and LAN Manager have a major administrative feature that NetWare does not. With Windows NT Advanced Server and LAN Manager, servers and workstations are grouped into domains. For an explanation of domains and the differences between domains in Windows NT Advanced Server and LAN Manager, see "Domains," later in this appendix. Note that Windows NT networks that do not have a Windows NT Advanced Server do not support domains.

User Accounts

Windows NT, LAN Manager, and NetWare all have user accounts, records of each user that contain information about the user and restrictions on how the user can use the network.

With LAN Manager for UNIX Systems, users also have accounts on the UNIX operating system. For details about the interaction of LAN Manager user accounts with operating system user accounts, see the LAN Manager administrative documentation.

For the most part, user accounts on Windows NT workstations, Windows NT Advanced Servers, LAN Manager servers, and NetWare servers contain the same information. The following types of information are kept in user accounts on all three systems:

  • Username

  • The user's full name

  • Password

  • Account expiration date

  • The user's home directory

  • The user's logon script

  • Days and times the user can use the server

  • Workstations the user can use

With NetWare, user accounts can also contain the following:

  • Groups the user is a member of. In LAN Manager and Windows NT, users can be members of groups, but this information is not stored in the user account.

  • Maximum amount of server disk space the user can use. Unlike LAN Manager, NetWare enforces this limit, preventing users from using more space than is allowed. In LAN Manager, the administrator can be alerted when a user uses more than the allotted space.

  • Accounting information, which keeps track of each user's network resources. Both Windows NT Advanced Server and LAN Manager use the auditing function to track how resources are used, rather than information from the user account. See "Auditing Resource Use," later in this appendix.

In NetWare, privilege level and operator privileges can be simulated by using security equivalence.

With Windows NT, user accounts can also contain the following:

  • The user's privilege level, which specifies the user as an administrator, server operator, account operator, print operator, backup operator, user, or guest.

  • The user's profile, containing a record of the user's desktop environment and settings of those aspects of the environment that the user can change.

  • A unique security identifier (SID), which identifies the account. Internal processes in Windows NT refer to the SID, rather than the account, so replacing a deleted account with an account with the same name creates a completely new account.

  • The account conditions, which control password aging and account disabling.

Windows NT Advanced Server user accounts can be set up as global accounts or local accounts. Regular user accounts are global accounts. Local accounts, typically used in mixed LAN Manager and Windows NT Advanced Server networks, cannot be used to log on to a Windows NT Advanced Server, and can only be used in one domain.

Windows NT also divides users into local and global groups to provide an easy way for administrators to grant multiple users access to resources.

With LAN Manager, user accounts can also contain the following:

  • The user's privilege level, which specifies the user as an administrator, regular user or guest.

  • Whether the user has any operator privileges.

Windows NT, NetWare, and LAN Manager handle restrictions on users' passwords differently. With NetWare, the minimum password length, password aging, and unique password settings are part of individual user accounts and can be set differently for each user. With Windows NT, some aspects of password control are set in the account condition for each user account, and some are set for entire domains. With LAN Manager, these settings (called security settings) are set once, and these values apply to all users of the server.

With Windows NT, you can group users who have similar jobs or resource needs into global groups and local groups. Groups make granting rights and resource permissions easier: giving a right or permission to a group, in a single action, gives that right or permission to all present and future members of the group.

Logging On

The concept of logging on is different with NetWare, Windows NT, Windows NT Advanced Server, and LAN Manager.

With NetWare, a user logs on to a single server at a time. When the user logs on, that server checks its user accounts, and allows the user to log on only if the server has an account with that user's name and password.

With Windows NT and LAN Manager, users don't log on individually to each server. Logging on works in one of two ways, depending on how the network is set up:

  • For Windows NT Advanced Server, and for LAN Manager networks running the Netlogon service on the network, a user logs on to a domain, a number of servers that the administrator has grouped together. Grouping servers together into domains provides several benefits, discussed in the following section, "Domains."

    When a user logs on to a domain, one of the servers in the domain checks the user's name and password. If the user's name and password match a user account on the server, the logon is successful. If the user's name and password don't match an account, the logon is denied. This is similar to NetWare's logon scheme, except that the logon is to an entire domain, and once the logon is approved, the user can access all servers in the domain.

  • In LAN Manager, if the Netlogon service is not being used, the user logs on to the entire network. The user's name and password are not checked at logon time, so no logon attempts ever fail. Even though the name and password aren't checked at logon, the network is still secure because the name and password are checked whenever the user tries to access a shared resource.

    With this scheme, a user receives the following message when logging on:

    You were logged on STANDALONE as username; no server has confirmed your account.

    This means that the user's name and password were not checked at logon.

NOTE: If a user logs on to a network using the Netlogon service, and if the user types the correct name and password, the "You were logged on STANDALONE" message may still appear. In this case, this message means that none of the servers in the domain that are capable of checking logons are operating.

If you want LAN Manager logons to work like NetWare logons (with names and passwords checked at logon time), use the Netlogon service.

Another difference between networks is how servers on other parts of the network are accessed. With NetWare, users must log on to each server they want to use. With LAN Manager, once a user has logged on to one domain, the user can access all servers in the network, even those in other domains. With Windows NT Advanced Server, once a user has logged on to one domain, the user can access other domains only as permitted by trust relationships. (See the following section on domains for a discussion of trust relationships.)

Domains

In networks with Windows NT Advanced Servers or LAN Manager servers, servers and workstations are grouped into domains. All servers within a domain can be set up to use copies of the same user accounts database, which contains the user accounts and groups (the user accounts database is similar to the NetWare bindery). All changes made to the domain-wide user accounts database affect all servers that use copies of that database.

Centralizing the administration of the user accounts database greatly lessens the time necessary for administration. When a change needs to be made to user or group information—such as adding or deleting a user or a group, or modifying a user's account—you do it only once for the entire domain, instead of once at each server. The server at which you alter the information updates the other servers in the domain.

With Windows NT Advanced Server, simplified administration using domains is always available. With LAN Manager, simplified administration using domains is possible only if the Netlogon service is running on the domain's servers. The Netlogon service enables the servers to use multiple copies of the same user accounts database, and to keep these copies synchronized.

In LAN Manager, a domain can include a primary domain controller, which stores the master copy of the domain's user accounts database, and one or more backup domain controllers, member servers, and workstations. Windows NT Advanced Server simplifies the types of computers in a domain. One server is called the domain controller, where the master copy of the user account database is stored. The domain controller has a similar functionality to a LAN Manager primary domain controller, and a server is similar to a backup domain controller in LAN Manager. In a Windows NT Advanced Server domain, any Advanced Server can process logon requests (there is no equivalent to LAN Manager member servers).

The concept of a server differs in each network. Under Windows NT, the distinction between servers and workstations is not based on whether computers can share resources; under Windows NT, all computers can share resources. A workstation is a computer that an individual user uses to run applications to do work. A server is a computer that processes requests made by other computers — for example, to access centrally shared information.

| Windows NT Advanced Server Domains | LAN Manager Domains |
|---|---|
| Contain a domain controller and servers. (All servers act as backup domain controllers.) | Contain a primary domain controller, backup domain controllers, member servers, and standalone servers. |
| An account and password must be used to log on to a local Windows NT Advanced Server computer. | Local security is optional and only supported on LAN Manager servers. |
| Support trust relationships between domains. | No recognition of trust relationships. |

Windows NT Advanced Server trust relationships between the domains on your network enable user accounts and global groups to be used in domains other than the domain where these accounts are located. This makes administration easier, because you need to create each user account only once on your entire network, and it can be given access to any computer on your network — not just the computers in one domain. For more information on trust relationships, see the Windows NT Advanced Server manuals.

Controlling Access to Network Directories

The basic concept of how to control users' access to network directories is similar in NetWare and LAN Manager, but many of the details differ. Some of the details are different even between NetWare 286 and NetWare 386.

The following table shows how file access is determined. The rules listed apply only to regular users—not to NetWare supervisors and Windows NT and LAN Manager operators and administrators.

NetWare 286:

  1. Do the user's trustee rights for the directory that contains the file permit the action? If yes, continue to step 2. If no, don't allow access.

  2. Does the directory's maximum rights mask permit the action? If yes, continue to step 3. If no, don't allow access.

  3. Do the file's attributes permit the action? If yes, permit the action. If no, don't allow access.

NetWare 386:

  1. Do the user's trustee rights for the file permit the action? If yes, skip to step 3. If no, continue to step 2.

  2. Do both the user's effective rights for the parent directory and the inherited rights mask of the current file or directory permit the action? If yes, continue to step 3. If no, don't allow access.

  3. Do the file's attributes permit the action? If yes, permit the action. If no, don't allow access.

Windows NT:

  1. Do the user's permissions for the file permit the action? If yes, continue to step 2. If no, don't allow access.

  2. If accessing from the network, do the share permissions allow access? If yes, allow access. If no, don't allow access.

  3. If accessing locally, do the file and directory permissions permit the action? If yes, allow access. If no, don't allow access.

LAN Manager:

  1. Do the user's individual or group permissions permit the action? If yes, continue to step 2. If no, don't allow access.

  2. Do the file flags permit the action? If yes, permit the action. If no, don't allow access.

NetWare 286

With NetWare 286, the supervisor can assign a user trustee rights for a directory. Trustee rights control what actions the user can take with the files in the directory, such as reading the files, writing to them, and deleting them.

The following table shows the trustee rights in NetWare 286:

  • S (Search): Lets the user list the files in the directory with the MS-DOS dir command and NetWare commands.

  • R (Read): Lets the user read the contents of files.

  • W (Write): Lets the user write to files, changing their contents.

  • O (Open): Lets the user open existing files in order to read them or write to them.

  • C (Create): Lets the user create new files or subdirectories in the directory.

  • D (Delete): Lets the user delete files and subdirectories in the directory.

  • P (Parental): Lets the user set trustee rights and maximum rights masks for the directory and its subdirectories.

  • M (Modify): Lets the user modify the attributes of files in the directory (file attributes are discussed later in this section). M permission also allows the user to rename files and subdirectories in this directory.

NOTE: For a user to be able to read or write to a file, the user must also have O permission in addition to R or W permission. A user must be able to open a file to be able to read it or write to it.

In addition to setting trustee rights for individual users, the supervisor can also set the maximum rights mask for each directory. The maximum rights mask controls what all users can do with the files in the directory. The rights the supervisor sets in the maximum rights mask are chosen from the same set listed here as the trustee rights given to each user.

For a user to perform a certain action to a file, that user (or a group to which the user belongs) must have the necessary trustee rights for that directory, and the directory's maximum rights mask must allow the action. The rights that appear in both the user's trustee rights and the maximum rights mask are the user's effective rights, and they define what the user can actually do with the directory and its files. For example, suppose annakn is given SRWO trustee rights for a directory, and the directory's maximum rights mask includes only SC. In this case, annakn would have effective rights of S for the directory, because this is the only right that appears in both lists.

There is a final level to file security in NetWare 286. Each file is assigned attributes, which further control how it can be used. Each file in a directory can have its attributes set differently. There are many different attributes files can have, and several of them affect file access.

NetWare 386

File access works the same in NetWare 386 as it did in NetWare 286, with the exceptions detailed here.

The types of access rights you can assign are different. The complete set of NetWare 386 access rights (including some that are the same as those in NetWare 286) is shown in the following table.

  • R (Read): Lets a user open and read a file.

  • W (Write): Lets a user open and write to a file.

  • C (Create): Lets a user create new files and subdirectories.

  • E (Erase): Takes the place of the NetWare 286 D (Delete) right, and lets the user delete files and subdirectories.

  • F (File Scan): Lets the user list the files and subdirectories in this directory.

  • A (Access Control): Lets the user modify trustee rights and the inherited rights mask for files and subdirectories.

  • S (Supervisor): Lets the user have all rights to the directory or file, overriding inherited rights masks on the directory or file. The user can also grant supervisor rights for this directory or file to other users.

  • M (Modify): Lets the user change the name and attributes of the directory or file.

You can assign users different trustee rights for each file in a directory.

You can set rights masks differently for each file in a directory, and these rights masks are called inherited rights masks instead of maximum rights masks. They also work a little differently.

The inherited rights mask of a file or directory affects only users who have not been assigned trustee rights for that file or directory. If a user has been assigned trustee rights for a particular file or directory, those trustee rights are the user's effective rights—the inherited rights mask doesn't matter.

However, if a user doesn't have trustee rights for a file or directory, the user's effective rights are the rights that appear in both the user's effective rights for the parent directory and the file or directory's inherited rights mask.

The following illustration shows how this works. Suppose alexsm has been assigned trustee rights of RWCF for the DATA1993 directory, but has not been assigned trustee rights for JANUARY. The effective rights of alexsm for DATA1993 are RWCF, no matter what the inherited rights mask of DATA1993 is. However, his effective rights for JANUARY are the rights that appear in both the effective rights for DATA1993 (RWCF), and the rights in the inherited rights mask for JANUARY.
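The two NetWare rules above, as an added example in Python (not code from the guide): NetWare 286 effective rights are the rights present in both the trustee assignment and the directory's maximum rights mask, while NetWare 386 walks down the path and applies an inherited rights mask only where the user has no trustee assignment. The names annakn, alexsm, DATA1993 and JANUARY are the guide's own; the mask given to JANUARY is constructed.

```python
# Added example, not from the HP guide: models the effective-rights rules described
# for NetWare 286 and NetWare 386. Names (annakn, alexsm, DATA1993, JANUARY) are the
# guide's own examples; the inherited rights mask assigned to JANUARY is constructed.

RIGHTS286 = "SRWOCDPM"   # NetWare 286 trustee rights (Search, Read, Write, Open, ...)
RIGHTS386 = "SRWCEMFA"   # NetWare 386 access rights (Supervisor, Read, ..., Access Control)


def netware286_effective(trustee_rights: str, max_rights_mask: str) -> str:
    """Effective rights are those present in BOTH the user's trustee rights for the
    directory and the directory's maximum rights mask."""
    return "".join(r for r in RIGHTS286
                   if r in trustee_rights and r in max_rights_mask)


def netware286_can(effective: str, action: str) -> bool:
    """NetWare 286 requires O (Open) in addition to R or W to read or write a file."""
    needed = {"read": "RO", "write": "WO", "list": "S",
              "create": "C", "delete": "D"}[action]
    return all(r in effective for r in needed)


def netware386_effective(path, trustee_assignments, inherited_rights_masks) -> str:
    """Walk from the first directory in `path` down to the target entry.

    path: directory/file names from the top-level directory to the target.
    trustee_assignments: {name: rights} explicitly granted to this user.
    inherited_rights_masks: {name: mask}; an entry without a mask filters nothing.

    An explicit trustee assignment sets the effective rights outright and the
    inherited rights mask of that entry is ignored. Otherwise the parent's effective
    rights are filtered through the entry's mask. S (Supervisor) grants all rights
    and is not filtered by masks.
    """
    effective = ""
    for name in path:
        if name in trustee_assignments:
            effective = trustee_assignments[name]
        elif "S" not in effective:
            mask = inherited_rights_masks.get(name, RIGHTS386)
            effective = "".join(r for r in RIGHTS386
                                if r in effective and r in mask)
        if "S" in effective:
            effective = RIGHTS386   # Supervisor implies every right
    return effective


if __name__ == "__main__":
    # annakn: trustee rights SRWO, directory mask SC -> effective rights S only
    print(netware286_effective("SRWO", "SC"))
    # alexsm: RWCF on DATA1993, no assignment on JANUARY (mask RWEF is constructed)
    print(netware386_effective(["DATA1993", "JANUARY"],
                               {"DATA1993": "RWCF"}, {"JANUARY": "RWEF"}))
```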

Figure A-2 Title not available (NetWare 386)

LAN Manager

LAN Manager file security works much the same as NetWare security except that there are no rights masks for directories or files. You grant permissions to users, and permissions work the same as NetWare trustee rights. And because there are no rights masks, the permissions you grant to users are the users' effective rights.

With LAN Manager, as with NetWare 386, you can assign permissions differently for each file.

The set of permissions you can grant to LAN Manager users is slightly different from those available in NetWare:

  • R (Read): Lets the user open and read a file. If the file is a program, the user can also run it.

  • W (Write): Lets the user open and write to a file, changing its contents.

  • C (Create): Lets the user create files and subdirectories.

  • D (Delete): Lets the user delete files and subdirectories.

  • X (Execute): Lets the user run a program, but not read it or copy it. Unlike the NetWare file attribute, you can remove this permission from a file after you set it.

  • A (Change Attributes): Lets the user change the file flags. File flags are similar to NetWare's file attributes.

  • P (Change Permissions): Lets the user grant permissions for the file or directory to other users.

  • Y (Yes): Serves as a shortcut to RWCDA permissions. When you give a user Y permission, you are granting RWCDA permissions.

  • N (No or None): Prevents a user from using the file or directory in any way. Usually, you can prevent a user from accessing a file or directory simply by not giving the user any permissions to it; however, you must use N permission to prevent a specific user from accessing a file or directory while granting access to the file or directory to a group the user belongs to. For example, suppose terryn is a member of the group accountants. To let all members of accountants except terryn read a file, you can grant accountants R permission to the file but give terryn N permission to it.

Y permission is equivalent to RWCDA permissions, and X permission is a subset of R permission; a user with R permission can read, copy and execute a program, but a user with X permission can only execute it. (Because X is a subset of R, when you grant a user R permission, LAN Manager also shows the user as having X permission).

LAN Manager also has file flags, similar to NetWare's file attributes. As in NetWare, file flags take precedence over permissions; if you grant a user W (Write) permission for a file, but the file has the Read-Only flag set, the user cannot write to the file.

If the LAN Manager server's operating system (such as the UNIX operating system) has its own file security then access to resources is also subject to those security restrictions. For details about the interaction of LAN Manager security with operating system security, see the LAN Manager administrative documentation.

Windows NT

Windows NT security is similar to LAN Manager file security, with the following differences.

| Windows NT File Security | LAN Manager File Security |
|---|---|
| Supports ownership of files and directories. Owners can grant and deny access. | No ownership concept. |
| Recognizes local and global groups. | No local groups. |
| User and group permissions are cumulative. Deny access takes precedence over grant access. | Individual user permissions take precedence over groups. |
| File and directory permissions apply to local and network users. | Permissions only apply to network users. |
| Administrators may be denied access to files, directories, and other resources that they do not own (they may take ownership, however, which creates an audit trail). | Administrators have access to all resources. |
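The permission-resolution rows of the table above and the LAN Manager N/Y/X rules earlier in this section, as an added example in Python (not code from the guide): the same access control list is resolved under the LAN Manager model (user entry wins over group entries, N blocks, Y expands to RWCDA, R implies X, file flags override) and under the Windows NT model (user and group entries are cumulative, No Access wins, network access must also pass the share permission). terryn and accountants are the guide's names; the ACLs, the user pat, the share permission and the assumption that several LAN Manager group entries combine are constructed.

```python
# Added example, not from the HP guide: contrasts how LAN Manager and Windows NT
# resolve permissions when a user is named directly in an ACL and also through a
# group, following the rules in the comparison table above. terryn and accountants
# are the guide's own names; the ACLs, share permission and user "pat" are constructed.

# Windows NT standard file permissions and the individual permissions they stand for.
# "All" is expanded to the individual permissions R, W, X, D, P (change permissions)
# and O (take ownership).
NT_STANDARD = {"No Access": set(), "Read": set("RX"),
               "Change": set("RWXD"), "Full Control": set("RWXDPO")}


def lm_expand(perm: str) -> set:
    """Expand LAN Manager shorthand: Y stands for RWCDA, N grants nothing,
    and R implies X (the guide notes X is a subset of R)."""
    if perm == "N":
        return set()
    rights = set("RWCDA") if perm == "Y" else set(perm)
    if "R" in rights:
        rights.add("X")
    return rights


def lm_effective(user: str, groups: list, acl: dict) -> set:
    """acl maps a user or group name to a LAN Manager permission string.
    An entry for the user itself, including N, takes precedence over any group
    entry; several group entries are combined (an assumption, not stated in the guide)."""
    if user in acl:
        return lm_expand(acl[user])
    effective = set()
    for group in groups:
        if group in acl:
            effective |= lm_expand(acl[group])
    return effective


def lm_allows(user, groups, acl, action, read_only_flag=False) -> bool:
    """File flags take precedence over permissions: the Read-Only flag blocks W
    even when W was granted."""
    if read_only_flag and action == "W":
        return False
    return action in lm_effective(user, groups, acl)


def nt_effective(user: str, groups: list, acl: dict) -> set:
    """acl maps a user or group name to a Windows NT standard permission.
    Permissions from the user entry and every group entry are cumulative, except
    that No Access on any matching entry denies everything."""
    effective = set()
    for name in [user, *groups]:
        if name in acl:
            if acl[name] == "No Access":
                return set()
            effective |= NT_STANDARD[acl[name]]
    return effective


def nt_allows(user, groups, acl, action, from_network=False, share_perm=None) -> bool:
    """Network access must pass both the file permissions and the share
    permissions (step 2 of the guide's file-access table); local access needs
    only the file and directory permissions."""
    if action not in nt_effective(user, groups, acl):
        return False
    if from_network:
        return share_perm is not None and action in share_perm
    return True


if __name__ == "__main__":
    lm_acl = {"accountants": "R", "terryn": "N"}
    print(lm_allows("terryn", ["accountants"], lm_acl, "R"))   # False: N wins
    print(lm_allows("pat", ["accountants"], lm_acl, "X"))      # True: R implies X
    nt_acl = {"accountants": "Read", "pat": "Change"}
    print(sorted(nt_effective("pat", ["accountants"], nt_acl)))  # ['D', 'R', 'W', 'X']
```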

The standard permissions for directories and files and their meanings are shown in the following tables, along with what individual permissions each standard permission represents. In the first column of the first table (for directory permissions), the first set of individual permissions applies to individual permissions for the directory itself, and the second set of individual permissions applies to new files subsequently created in the directory.

  • No Access (None) (None): User cannot access the directory in any way, even if the user is a member of a group that has been granted access to the directory.

  • List (RX) (Not Specified): User can only list the files and subdirectories in this directory and change to a subdirectory of this directory. User cannot access new files created in this directory.

  • Read (RX) (RX): User can read the contents of files in this directory and run applications in the directory.

  • Add (WX) (Not Specified): User can add files to the directory but cannot read the contents of current files or change them.

  • Add & Read (RWX) (RX): User can add files to the directory and read current files but cannot change files.

  • Change (RWXD) (RWXD): User can read and add files and change the contents of current files.

  • Full Control (All) (All): User can read and change files, add new ones, change permissions for the directory and its files, and take ownership of the directory and its files.

  • No Access: User cannot access the file in any way, even if the user is a member of a group that has been granted access to the file.

  • Read (RX): User can read the contents of the file and run it if it is an application.

  • Change (RWXD): User can read, modify, and delete the file.

  • Full Control (All): User can read, modify, delete, set permissions for, and take ownership of the file.

Auditing Resource Use

The Windows NT and LAN Manager auditing systems are similar to NetWare's accounting system, except that in LAN Manager, you can't automatically charge users for their use of resources.

With Windows NT and LAN Manager, you can audit the way network resources are used. Auditing a resource causes an entry to be written to a log file whenever the resource is used in a particular way. The entry includes information on how the resource was used, by whom, and when.

With Windows NT and LAN Manager, you can specify the types of events you want audited in great detail. Some events pertain to a server or the whole network, while others are specific to each file and directory shared on the server. You can specify auditing differently for each file. For example, for one file you could audit only failed deletion attempts, and for another file audit both successful and failed attempts to change permissions. With Windows NT and LAN Manager, the server and network events you can audit include the following:

  • Successful and failed attempts to log on to the network

  • Successful and failed attempts to begin using any resources on a particular server

  • Successful and failed attempts to use a particular resource

  • Changes to the user accounts database

With Windows NT, you can also audit:

  • Logoff attempts and breaking network connections

  • Use of user rights

  • Security policy changes

  • Restart, shutdown and audit log maintenance

  • Process tracking

With LAN Manager, for each shared file and directory, you can audit failed and successful attempts to do the following:

  • Open the file

  • Write to the file

  • Delete the file

  • Change the permissions for the file

With Windows NT, you can audit successful and failed attempts of the following types of directory access:

  • Displaying names of files in the directory

  • Displaying directory attributes

  • Changing directory attributes

  • Creating subdirectories and files

  • Going to the directory's subdirectories

  • Displaying the directory's owner and permissions

  • Deleting the directory

  • Changing directory permissions

  • Changing directory ownership

You can audit successful and failed attempts of the following types of file access:

  • Displaying the file's data

  • Displaying the file attributes

  • Displaying the file's owner and permissions

  • Changing the file

  • Changing file attributes

  • Running the file

  • Deleting the file

  • Changing the file's owner or permissions

© 1996 Hewlett-Packard Development Company, L.P.