
Network Security

Because the purpose of a network is to make accessing resources easy, network administrators and designers are constantly concerned with how to protect network resources so that unauthorized users can’t gain access to them. All commercial network operating systems provide some form of security system that limits access to shared files, printers and other resources, and the system itself. Chapter 8 describes how to secure resources in Microsoft networks. The following are the elements of network security:
On Windows NT networks, a domain is a collection of computers with a common account database. The account database resides on special Windows NT Server systems called domain controllers. When a user logs on to the domain from a client machine (attempts to gain access to the domain), the user’s credentials are forwarded via the network to the domain controller for authentication.

Windows NT enables you to directly set access permissions for files, directories, printers, and other resources (see the following sidebar). To simplify the task of assigning access permissions to users, Windows NT uses a concept called a group. A group is a pre-defined collection of access permissions and rights assigned to a collection of users. Permissions are initially assigned to the group, and any user who becomes a member of the group assumes those permissions. Rather than configuring an individual set of permissions for each user, add the user to a group that possesses the permissions you want the user to have.

Some of the Windows NT access permissions are as follows:
When using Windows NT, you can set user-level security for a file or directory only if the file or directory is on a partition that uses the NTFS file system (New Technology File System or NT File System). The permissions then become part of the access control list for the file or directory. The older FAT (File Allocation Table) file system doesn’t support access permissions for file or directory objects; however, Windows NT enables you to define access permissions for a directory share whether the share is on a FAT or an NTFS partition. (See Chapter 8.)


Note: A share is an object that has been made available for network access. You learn more about shares and permissions in Chapter 8.

Share permissions in NT are known as ATS (Access through Share) permissions. ATS permissions are independent of any local NTFS file or directory-level permissions (see Figure 1.7). Think of a share as an object that is distinct from the object you are sharing. The available access types for an ATS share are more limited than the access types available through directory permissions for an NTFS directory. (Your choices are No Access, Read, Change, and Full Control. NTFS directory permissions offer several other access types, such as List, Add, Add & Read, and Special Access.) If you have directly specified permissions for an NTFS file or directory and also specified ATS permissions for that file or directory through a directory share, the most restrictive permissions apply.

ATS permissions apply only to access via the network. Set ATS permissions through the Sharing tab of the directory Properties dialog box (see the following sidebar). Set file or directory-level access permissions through the Security tab of the file/directory Properties dialog box.

Windows NT Permissions

You can set permissions for a Windows NT 4.0 object (such as a file, directory, printer, drive, or network share) by using the object’s Security tab. You can find the Security tab in the Properties dialog box for the object (right-click on an icon for the object and choose Properties). Clicking on the Permissions button in the Security tab invokes a Permissions dialog box that enables you to specify the level of access you want to extend to specific groups and users.

The FAT file system doesn’t support file-level access permissions, so if your partition is formatted for the FAT file system, you won’t find a Security tab in the Properties dialog box. If you share the file or directory, however, you can still define permissions for the share. Select the Sharing tab and click on the Permissions button to invoke a Permissions dialog box similar to the one shown in Figure 1.8.

A Windows 95 machine can share its resources either through user-level permissions or through password-protected shares. If you choose to assign permissions using user-level security, you must tell Windows 95 where to obtain a list of users because Windows 95 does not support its own user account database. Requests to access the resource then are passed to a security provider (a Windows NT computer or a NetWare server) on the network.


Tip: Another major advantage of a server-based Windows NT domain over a Windows peer-to-peer workgroup is the capability to share user information. If you have nine machines in a peer-to-peer workgroup with NT Workstation, and you need to add a user to a group that has access to them all, for example, you need to go to each individual machine and create an account for the user. You then add this new user to the appropriate group on each machine. If you have eight workstations and an NT Server acting as a domain controller in a properly constructed domain, things are far easier. You create the user on the server, add the user to the proper Global group (also on the server), and add this Global group into Local groups on each machine. The user then has rights on all nine machines. You can find more on this in Chapter 8.
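The following model ties together three rules stated above: permissions are assigned to groups and inherited by their members (including a Global group nested inside a Local group), NTFS permissions and ATS share permissions are evaluated independently with the most restrictive result applying over the network, and a FAT partition carries no file-level permissions, so only the share permissions can limit network access. It is an added example written for this page, not Microsoft code; the elementary rights behind each permission name (list, read, write and so on) are a simplified assumption, as are the constructed users, groups and directories.

```python
"""Model of how Windows NT computes a user's effective access to a file or
directory from group membership, NTFS permissions and share (ATS) permissions.
Added example, not Microsoft code. Assumption: the elementary rights behind each
permission name are simplified from NT 4.0's standard permissions."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Permission names from the text, mapped to the elementary rights they grant.
NTFS_PERMISSIONS: Dict[str, frozenset] = {
    "No Access":    frozenset(),
    "List":         frozenset({"list"}),
    "Read":         frozenset({"list", "read", "execute"}),
    "Add":          frozenset({"write"}),
    "Add & Read":   frozenset({"list", "read", "execute", "write"}),
    "Change":       frozenset({"list", "read", "execute", "write", "delete"}),
    "Full Control": frozenset({"list", "read", "execute", "write", "delete",
                               "change permissions", "take ownership"}),
}

# ATS (share) permissions offer only these four choices.
SHARE_PERMISSIONS: Dict[str, frozenset] = {
    name: NTFS_PERMISSIONS[name]
    for name in ("No Access", "Read", "Change", "Full Control")
}


@dataclass
class Resource:
    name: str
    on_ntfs: bool                                      # FAT partitions carry no NTFS ACL
    ntfs_acl: Dict[str, str] = field(default_factory=dict)  # principal -> permission name
    share_acl: Optional[Dict[str, str]] = None         # None means the resource is not shared


def principals_for(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The user, the built-in Everyone group, and every group the user reaches,
    following nesting such as a Global group placed inside a Local group."""
    principals = {user, "Everyone"}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in principals and members & principals:
                principals.add(group)
                changed = True
    return principals


def evaluate_acl(acl: Dict[str, str], table: Dict[str, frozenset],
                 principals: Set[str]) -> frozenset:
    """Rights from one ACL: entries for the user and its groups accumulate,
    except that a No Access entry for any of them denies everything."""
    entries = [acl[p] for p in principals if p in acl]
    if "No Access" in entries:
        return frozenset()
    rights = frozenset()
    for entry in entries:
        rights |= table[entry]
    return rights


def effective_rights(user: str, groups: Dict[str, Set[str]],
                     resource: Resource, via_network: bool) -> frozenset:
    """Effective rights for a local logon (NTFS ACL only) or a network access
    (NTFS ACL intersected with the share's ATS permissions)."""
    principals = principals_for(user, groups)
    if resource.on_ntfs:
        local = evaluate_acl(resource.ntfs_acl, NTFS_PERMISSIONS, principals)
    else:
        local = NTFS_PERMISSIONS["Full Control"]   # FAT cannot restrict a local user
    if not via_network:
        return local
    if resource.share_acl is None:
        return frozenset()                         # not shared: unreachable over the network
    share = evaluate_acl(resource.share_acl, SHARE_PERMISSIONS, principals)
    return local & share                           # the most restrictive combination wins


# Constructed sample directory: alice -> Global group -> Local group on a server.
GROUPS = {
    "Global Accountants": {"alice"},
    "Local Finance": {"Global Accountants"},
}
REPORTS = Resource("Reports", on_ntfs=True,
                   ntfs_acl={"Local Finance": "Change", "Everyone": "Read",
                             "carol": "No Access"},
                   share_acl={"Everyone": "Read"})
PUBLIC = Resource("Public", on_ntfs=False, share_acl={"Everyone": "Change"})
PRIVATE = Resource("Private", on_ntfs=True, ntfs_acl={"Everyone": "Full Control"})

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for res in (REPORTS, PUBLIC, PRIVATE):
            print(user, res.name,
                  "local:", sorted(effective_rights(user, GROUPS, res, False)),
                  "network:", sorted(effective_rights(user, GROUPS, res, True)))
```

Running the block shows alice holding Change on the Reports directory when logged on locally but only Read when she reaches it through the share, carol denied everywhere by her No Access entry, and the FAT-based Public directory limited solely by its share permissions over the network while being wide open locally.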