Chapter 8 - Managing User Security
To provide security for your network resources, the Security Service (VS@servername@Servers) authenticates user logins. It ensures that users can log in from their present location and that they conform to the security restrictions set for them. As a network administrator, you can restrict the following areas of user login:
- Password length and life
- Forced change of password when password expires
- Users' ability to change their passwords and user profiles
- Types of workstations from which users can log in
- Maximum number of simultaneous logins
- Login times
- Forced logout
- Login locations
In each of these areas, the Security Service assigns default settings for StreetTalk groups that let users access the network from any location at any time. These settings apply to all members of a group until you change them.
StreetTalk for Windows NT
StreetTalk for Windows NT supports only server-level login restrictions.
Banyan administrative programs let you control login security. This chapter explains how to use the security functions in the menus of these programs to define user login security.
Banyan administrative programs provide other functions for controlling the user environment:
- Managing user profiles
- Changing user passwords
- Enabling and disabling user names
- Deleting users
- Adding nicknames
- Changing user descriptions
- Changing the expiration date for user names
Login settings allow you to control where, when, and how often users can log in. In addition, you can determine whether or not users can control their own passwords and login profiles. You have three options for user login security settings:
Do not assign any settings. The Security Service assigns all users the default. See the next section, "Accepting Default Settings," for a complete description of the default settings.
Customize settings for each group. These settings become defaults for all the users in the group. You do not have to enter all the login security settings. The settings you do enter override the corresponding default settings. For those settings you do not enter, the default settings remain in effect.
Customize settings for each user. As with group settings, you do not have to enter all of the settings. The ones you enter override the corresponding group or default settings. For those you do not enter, the group or default settings remain in effect.
When you first assign specific security settings to a user, the Security Service also assigns to that user any group settings or VINES default settings that you have not overridden. The specific login settings assigned to each user override any that conflict with the group or VINES default settings.
However, there is one exception: when the group security settings make passwords expire after a number of weeks, and a new user is then created in that group without being required to change the password at next login. When the user first logs in, the following message appears:
Your password has expired. You must specify a new one before you can login.
The user is forced to enter a new password, even though the user-specific login settings do not require changing the password on first login. If group security settings do not specify an expiration time for passwords, the user is not required to change passwords on first login.
You can combine these three options. For example, you can let the Security Service assign some settings. Then you can assign other settings to a group and still others to individuals within that group.
The next two sections describe what it means to accept the default login security settings and how you can customize them.
Accepting the default settings leaves access to your network resources open. To accept defaults, you create the StreetTalk groups and users and do not assign any security settings. When you do not assign login security settings, the Security Service enforces the default settings. Table 8-1 lists all the security settings and their defaults.
Setting | Default |
Minimum length of passwords (in characters) | No minimum |
Password life (in number of weeks) | Never expires |
Maximum number of simultaneous logins allowed per user | Unlimited |
Force user to change password on expiration | No |
Allow user to edit own profile | Yes |
Allow user to change own password | Yes |
Confine user logins to particular types of workstations (DOS¹, OS/2, Macintosh) | Allows user to log in from any type of workstation |
Confine user logins to specific days and times of the week | Allows logins on all days at all times |
Request user to log out or log user out forcibly if user is logged in at an unauthorized time | Request user to log out |
Confine user logins to specific locations in the network (servers, server links, and workstations) | Allows user to log in from any location on the network |
¹ The DOS option includes Windows workstations.
To maintain strict control over what users can do on the network, customize login security settings. The settings are applied whenever a user logs in to the network. Any changes to settings do not take effect for a user's current login session but for the next login session.
When you customize the settings for a group or user, you create a security record for that group or user. The record contains the default group settings that were in effect before you customized settings as well as the customized settings.
If you have group settings and then customize some settings for a user, the user's login is controlled by both the group defaults and the user-specific changes you made.
The security record controls a user's login until you delete it. Later changes to user settings affect the record and login for the selected user. However, later changes to group settings do not affect the security record or user login.
To make a change to the group apply to a user, you can apply the group changes individually to the user's settings. Or, you can delete the user's security settings. If you delete a user's security settings, you delete the record. The user's login is then controlled by the current group settings.
To help plan user login security settings, your VINES Administrator's Worksheets contains a master copy of the worksheet used in the following example.
Example Customizing User Security
Group administrator John Perry sets user security for his group. Figure 8-1 shows the settings John selected for the group, three specific users in the group, and himself.
The customized settings for John and the special users override any corresponding default settings. In addition, any changes John makes later to the group settings will not affect the user-specific settings.
Accessing Security Settings Menus
From StreetTalk Explorer:
1. In the right pane, right-click the user or group whose security setting you want to modify, and select Properties from the shortcut menu. The property sheet appears.
2. Click the Password, Login Restriction, or Login Times tab.
Note: To access the security settings menu for a group, right-click the group in the right or left pane and select Properties from the shortcut menu.
From the System Prompt:
To perform security management tasks, use the MGROUP and MUSER programs.
To access either program:
1. Enter MGROUP or MUSER.
2. Choose the name of the group or user whose security settings you want to modify.
For a shortcut, enter MGROUP groupname or MUSER username at the system prompt. For groupname, enter the StreetTalk name of the group you want to manage, and for username, enter the StreetTalk name of the user you want to manage.
3. At the next menu, choose either MANAGE security for group (MGROUP), or SECURITY settings (MUSER).
4. When the Security Settings menu appears, choose the appropriate option for the security settings you want to modify.
The Security Settings menus display the StreetTalk name of the group or user whose security settings you are managing. In the Security Settings menu for a user, a field called Current Security Settings displays which category of settings are in effect:
- User-specific
- Group
- None (the Security Service defaults)
In the MUSER menu shown above, user-specific settings are in effect.
The next several sections describe how to use each of the options in the Security Settings menus. For the most part, these sections are in the order in which the options appear on the menus. However, to help you understand the effects of specifying login times on logout settings, the section on specifying login times precedes the section on specifying logout settings.
The Manage Password Security option lets you assign settings that control user passwords.
If a user's password expires under the group security settings, the user is forced to change passwords at next login, even if the administrator did not require the user to change passwords at login time with a Banyan management program.
Macintosh
If the password of a Macintosh user expires and you have not required the user to change the password at login time, the user sees an error message, "Connection unexpectedly broken," and cannot log in to the network or mount any VINES file volume.
From StreetTalk Explorer:
1. Right-click the user or group in the left or right pane and select Properties from the shortcut menu. The property sheet appears.
2. Click the Password tab.
3. Enter the appropriate information for each field.
4. Click Apply.
See Introduction to StreetTalk Explorer for a description of StreetTalk Explorer.
From the System Prompt:
1. At the Security Settings menu, choose Manage Password Security.
2. At the Manage Password Security screen, enter the appropriate information for each field.
3. Press F10 to save the settings and return to the Security Settings menu.
The Prevent User Changes option lets you control the users' ability to change their own login profiles and passwords. To prevent users from editing their own login profiles or from changing their passwords:
From StreetTalk Explorer:
1. Right-click the user or group in the left or right pane and select Properties from the shortcut menu. The property sheet appears.
2. Click the Password tab.
3. Select Edit own login profile or Change own password, or both.
4. Click OK to save the changes.
From the System Prompt:
1. At the Security Settings menu, choose Prevent User Changes.
2. At the Prevent User Changes screen, type Y or N in the appropriate fields. Y is the default for both.
3. To save the settings and return to the Security Settings menu, press F10.
The Specify Workstation Types option lets you limit the types of workstations from which a user or group can log in. The default settings allow users to log in from any type of workstation. The DOS option includes Windows workstations.
Use the DOS, OS/2, and Macintosh options to restrict a VINES user or group to a particular type of workstation.
Note: If you use a 5.xx or later workstation to set login security for users whose StreetTalk group is on a server running VINES revision 4.00(5) or a later 4.xx revision, remember that these earlier releases of VINES recognize only PCs (DOS, Windows, and OS/2) and Macintosh workstations. Anything you set for DOS users also affects OS/2 users.
To change the workstation types from which a user connected to a native VINES server can log in:
From StreetTalk Explorer:
1. Right-click the user or group in the left or right pane and select Properties from the shortcut menu. The property sheet appears.
2. Click the Login Restrictions tab.
3. In the Workstations Type area, select the DOS, OS/2, or Macintosh workstation checkbox.
4. Click OK.
See Introduction to StreetTalk Explorer for a description of StreetTalk Explorer.
From the System Prompt:
1. Run MUSER, select a user, and display the Security Settings menu.
2. At the Security Settings menu, choose Specify Workstation Types to display the Specify Workstation Types screen.
3. At the Specify Workstation Types screen, move the cursor to the appropriate field(s) and enter Y or N as appropriate.
4. Press F10 to save your changes and return to the Security Settings menu.
The Specify Login Settings option lets you limit the number of simultaneous logins. Simultaneous logins mean that a user can log in to the network at one workstation and log in from another - without logging out at the first workstation. For example, Duncan Fraser logs in from a Macintosh, a DOS, and a Windows workstation; he has three simultaneous logins in progress.
By default users can log in from an unlimited number of workstations simultaneously. With the Specify Login Settings option, you can restrict the number of workstations from which a user can log in at one time.
Macintosh
When using the standard AppleShare login method from a Macintosh workstation (that is, through the Chooser), you can log in to several VINES file volumes. While these logins are processed as separate logins, they are treated as one login session. Therefore, if you are using a VINES product in which the number of users who can log in to a server is restricted, your Macintosh users will not use up the logins by mounting multiple file volumes.
In addition, while Macintosh users may be able to see the same file volume in more than one zone, they can mount that file volume only once.
To specify login settings, follow these steps:
From StreetTalk Explorer:
1. Right-click the user or group in the left or right pane and select Properties from the shortcut menu. The property sheet appears.
2. Click the Login Restrictions tab.
3. Select the Limit sessions checkbox. Leave the checkbox blank if you do not want to impose a limit.
4. Enter the maximum number of concurrent sessions that a user can have at one time. The number can range from 1 to 100.
5. Click OK to save the changes.
See Introduction to StreetTalk Explorer for a description of StreetTalk Explorer.
From the System Prompt:
1. At the Security Settings menu, choose Specify Login Settings.
2. At the Specify Login Settings screen, type the number of workstations that a user can log in to at any given time. Enter U if you do not want to impose a limit.
3. You have a choice:
- To save the settings and return to the Security Settings menu, press ENTER or F10.
- To exit this screen and retain the original settings, press ESC.
The Specify Login Times option lets you control when users can access your network and thereby prevent unauthorized access during system maintenance or other important procedures. You can specify the times and days of the week a user can log in.
In the Specify Login Times screen or window, you can enter up to three time periods for each day of the week. In addition, you can enter up to three Default login time periods. For any day of the week that you do not specify any time periods, the Default login time periods are in effect.
To prevent a user from logging in on a particular day, leave both the Default field and the field for a specific day blank. For example, to prevent a user from logging in on Saturday and Sunday, leave the Default field and the fields for Saturday and Sunday blank. Enter specific times for the other days of the week.
If you leave all the fields in the screen blank, a user can log in at any time.
Note: You can specify a time range from StreetTalk Explorer graphically using 15-minute intervals.
When specifying a time range, use the 24-hour format HH:MM-HH:MM. For example, to designate a time range of 9 a.m. to 5 p.m., enter 9:00-17:00. You can designate midnight only at the beginning of a time range, and you do so by entering 0:00.
For example, to let a user log in on Monday from 5 p.m. to midnight, enter 17:00-23:59. To let a user log in on Tuesday from midnight to 3 a.m., enter 0:00-3:00 for Tuesday. The resulting login times screen reads as follows:
Monday: 17:00-23:59
Tuesday: 0:00-3:00
Intervals
The Security Service associates each beginning and ending login time with a 15-minute interval (based on the hour) and allows a login anywhere within these intervals. For example, if you specify a time range of 10:34 to 11:40, the user can actually log in any time between 10:30 and 11:45.
Using the example of 11:00, the intervals for the beginning of the time range work as follows:
If You Specify a Time Between... | The User Can Log in Starting at... |
11:00 and 11:14 | 11:00 |
11:15 and 11:29 | 11:15 |
11:30 and 11:44 | 11:30 |
11:45 and 11:59 | 11:45 |
The intervals are similar for the end time. Using an end time of 5 p.m., the end of the time range works as follows:
If You Specify an End Time Between... | The User Can Remain Logged in Until... |
17:01 and 17:15 | 17:15 |
17:16 and 17:30 | 17:30 |
17:31 and 17:45 | 17:45 |
17:46 and 18:00 | 18:00 |
In general, use time ranges that begin and end on the hour, quarter hour, half hour, or three-quarters hour to ensure maximum security.
Procedure for Specifying Login Times
From StreetTalk Explorer:
1. Right-click the user or group in the left or right pane and select Properties from the shortcut menu. The property sheet appears.
2. Click the Login Times tab. This displays a time grid that divides each day into hourly and 15-minute periods. Group members or individual users may log in during the periods highlighted in green.
3. Use the mouse to blank out any day/time slots when group members can not log in.
4. To specify how the network should respond when a user session goes beyond the login limits, select Ask User to Log Out or Force User to Log Out.
5. Click OK to save the settings.
From the System Prompt:
1. Run MUSER, select a user, and display the Security Settings menu.
2. At the Security Settings menu, choose Specify Login Times. The Specify Login Times screen appears.
3. At the Specify Login Times screen, enter the time periods in the Default and Day fields, using the 24-hour clock format, HH:MM-HH:MM. Separate each time period with a comma.
4. Press F10 to save the settings and return to the Security Settings menu.
Example Specifying a Time Period
To log everyone off the network while you perform regular backups on Fridays at 12 noon, enter the following times next to Friday:
8:00-12:00,13:00-17:00
This setting lets users log in from 8 a.m. until 12 noon and from 1 p.m. to 5 p.m. (13:00-17:00) on Fridays.
To let the users log in on other days of the week, you also need to enter a default login time for the week. Otherwise, the users can log in only on Fridays at the times specified. In the Default field, enter the following time period:
8:00-17:00
If a conflict exists, the times assigned to specific days override default times. Using the above example, the default time is in effect every day except Friday. On Fridays, users cannot log in between 12:00 and 13:00.
The Specify Logout Settings option lets you specify automatic, forced logout. Forced logout occurs when the Security Service detects that a user is logged in at an unauthorized time. If you do not specify forced logout with this option, a user can remain logged in at an unauthorized time.
Other ways that a user can be forcibly logged out include:
- LOGINMODE [ABORT] command
- Expiration of user account
- MLOGOUT command
The LOGINMODE [ABORT] command prevents a user from logging in if a particular service specified in the user profile is not available. To use this command most effectively, you should also prevent users from changing their own profiles. See the Command Reference for information on using the LOGINMODE ABORT command.
If a user's account expires while the user is logged in, the Security Service forcibly logs the user out as long as you configure forced logout in the Specify Logout Settings screen. To set expiration dates for user accounts, use the CHANGE expiration date function in the Manage a User menu.
Forcing Logout by Specifying Logout Settings
By default, a user logged in at an unauthorized time is requested to log out but is not forced out of the network. With the Specify Logout Settings option, you can choose to log the user out forcibly.
If you choose to request the user to log out and the user disregards the request to log out, the user remains logged in.
If a user disregards the request, you can use the MLOGOUT command as described in the section, "Logging Out Users from the DOS Prompt."
Time Ranges and Logout Settings
The Security Service checks every 15 minutes for user login violations. When you specify forced logout, the user is logged out of the network according to the intervals associated with the end time of the range. This means that a user is logged out within 1 to 28 minutes of the end of the allowed time period. Exactly when the user is forced out depends on the exact timing of the Security Service checks. For example, if the end of the time range is 17:01, the user can remain logged in until 17:15. If the Security Service checks logins at 17:14, the user is still legally logged in. That user is allowed to remain logged in until 17:29, when the Security Service next checks for login violations.
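The interval rule, the Default/day fallback from the Friday backup example, and the forced-logout timing just described can be checked against a small model. The following Python is an added example, not Banyan code and not part of this chapter; it keeps times as minutes after midnight and assumes, since the chapter does not say, that the rounded end minute is already outside the login window and that a Security Service check landing at or after that minute counts as a violation.

```python
"""Model of the Specify Login Times rules (added example, not Banyan code).

Times are kept as minutes after midnight.  Assumptions the chapter does not
state: the rounded end minute itself is already outside the login window, and
a Security Service check that lands at or after that minute is a violation.
"""

QUARTER = 15
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")


def parse_hhmm(text):
    """'9:00' -> 540, '23:59' -> 1439.  Midnight is written 0:00, as on the screen."""
    hours, minutes = text.strip().split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"bad time {text!r}")
    return h * 60 + m


def fmt(minutes):
    """540 -> '9:00'; 1440 -> '24:00' (the effective end of a range given as 23:59)."""
    return f"{minutes // 60}:{minutes % 60:02d}"


def effective_range(period):
    """Apply the 15-minute interval rule to one 'HH:MM-HH:MM' period.

    The start moves back to the quarter hour it falls in and the end forward
    to the next quarter hour, so '10:34-11:40' becomes 10:30-11:45, as in the
    chapter's own example.
    """
    start_text, end_text = period.split("-")
    start, end = parse_hhmm(start_text), parse_hhmm(end_text)
    if end <= start:
        raise ValueError(f"end must follow start in {period!r}")
    start_eff = start - start % QUARTER          # round down to the quarter hour
    end_eff = -(-end // QUARTER) * QUARTER       # round up to the quarter hour
    return start_eff, end_eff


class LoginTimes:
    """The Default field plus one field per day, each holding up to three
    comma-separated periods, e.g. Friday='8:00-12:00,13:00-17:00'.
    """

    MAX_PERIODS = 3

    def __init__(self, default="", **days):
        self.default = self._parse_field(default)
        self.days = {}
        for day, field in days.items():
            if day not in DAYS:
                raise ValueError(f"unknown day {day!r}")
            self.days[day] = self._parse_field(field)

    @classmethod
    def _parse_field(cls, field):
        if not field.strip():
            return []
        periods = [effective_range(p) for p in field.split(",")]
        if len(periods) > cls.MAX_PERIODS:
            raise ValueError("at most three periods per field")
        return periods

    def periods_for(self, day):
        """A day with no periods falls back to Default; a blank Default and a
        blank day field together mean no login on that day."""
        return self.days.get(day) or self.default

    def login_allowed(self, day, hhmm):
        """All fields blank means login at any time; otherwise the login minute
        must fall inside one of the day's effective periods."""
        if not self.default and not any(self.days.values()):
            return True
        t = parse_hhmm(hhmm)
        return any(start <= t < end for start, end in self.periods_for(day))


def forced_logout_minute(period, known_check):
    """Minute at which forced logout fires for a session that outlives `period`.

    The Security Service checks every 15 minutes; `known_check` is the time of
    any one of those checks.  Chapter example: an end of 17:01 keeps the user
    legal until 17:15, a check at 17:14 passes, and the next check at 17:29
    logs the user out, 28 minutes after the nominal end.
    """
    _, end_eff = effective_range(period)
    check = parse_hhmm(known_check) % QUARTER    # the day's first check
    while check < end_eff:
        check += QUARTER
    return check
```

With the Friday example, `LoginTimes(default="8:00-17:00", Friday="8:00-12:00,13:00-17:00").login_allowed("Friday", "12:30")` is False while the same time on Thursday is True.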
Macintosh Users and Logout Settings
Macintosh users log in to VINES networks through both the Chooser and a special VINES login. When you specify forced logout for Macintosh users, all logins (mounting VINES file volumes and special VINES login) are ended.
If Macintosh users log in through the Chooser (AppleShare login) to VINES servers and you do not specify forced logout, the users do not see a message from the VINES Security Service requesting them to log out. However, the AFP service records the access violation in its service log.
If, however, you specify forced logout for a Macintosh user, any Macintosh user who stays logged in beyond the time allowed is forcibly logged out of the network within 1 to 28 minutes of the specified end time. Exactly when the user is forced out depends on the timing of the Security Service checks, the time at the end of the range, and its associated interval, as described above.
Procedure for Specifying Logout Settings
To specify forced logout, perform the following steps:
From StreetTalk Explorer:
1. Right-click the user or group in the left or right pane and select Properties from the shortcut menu. The property sheet appears.
2. Click the Login Times tab.
3. Select Ask User to Log Out (default setting) or Force User to Log Out.
4. Click OK to save the settings.
From the System Prompt:
1. At the Security Settings menu, choose Specify Logout Settings.
2. At the next menu, do one of the following:
- Choose YES to have the user logged out forcibly and immediately.
- Choose NO (the default) to request the user to log out.
3. Press F10 to save the setting and return to the Security Settings menu.
You can use StreetTalk Explorer or MUSER to force a specified StreetTalk user to log out of the network. Forcing a user to log out ends all of that user's current login sessions on Windows, DOS, OS/2 or Macintosh workstations. To forcibly log out a user, your StreetTalk name must be on the AdminList of the group to which the user belongs.
From StreetTalk Explorer:
1. Open the property sheets for the user to be logged out.
2. On the Summary page, click Logout User.
From the System Prompt:
Enter:
MLOGOUT username
where username is the StreetTalk name of the user to be logged out.
If your StreetTalk name is not on the AdminList of the user's group, you see the following error message:
VAN1831 - Only an administrator of the group can log out this user.
If the user is not logged in, you see the following error message:
VAN1832 - The user is not logged in.
Example Forcing Logout
Before performing a complete manual backup, you want all the users to log out. To notify all users, use Intelligent Messaging mail or the SEND command. However, when you are ready to begin the backup, one user, Duncan Fraser@Sales@WCTUS, is still logged in. To log Duncan out forcibly, enter at the DOS command line:
MLOGOUT Duncan Fraser@Sales@WCTUS
All of Duncan's login sessions are ended.
Users can access a network over LAN segments and wide-area network connections. You may want to grant certain users access but prevent unauthorized individuals from accessing particular servers on your network. By coordinating login locations with server administrators, you can protect your servers from unauthorized access.
You can restrict login locations to specific VINES servers, specific links on those servers, and specific workstation addresses on the network. You can specify up to ten locations, which can be a combination of server-level, link-level, and workstation-level restrictions. The term link in link-level refers to any asynchronous line or LAN segment attached to a neighboring server.
StreetTalk for Windows NT
StreetTalk for Windows NT supports only server-level login restrictions.
When you add any type of login location restrictions, the user can log in only from those locations you specify. Not adding login locations lets users log in from any workstation in the network.
The Specify Login Locations command in the Security Settings menu lets you limit user login locations. Before using this command, however, you need to gather location information.
Macintosh
The Login Locations dialog box and Login Locations menu do not apply to Macintosh workstations. It is the only Security Settings option that does not apply to Macintosh workstations.
Gathering Location Information
Before you begin adding login locations for users, you need location information. This information includes the following items:
- Server name
- Slot numbers of the server links
- Hexadecimal addresses of the workstations
The Login Locations menu provides a list of server names and a list of slot numbers. The VINES Network and Systems Management program can help you locate the hexadecimal addresses of workstations.
The workstation address is the link-level node address of the workstation and cannot be validated when you enter it in the appropriate Login Locations menu. You must determine this address and specify it only if it is relevant for the LAN type.
To locate the workstation addresses, use the Run Network Management option at the server console of a native VINES server. Alternatively, if you have the VNSM option (or the SNM option for a StreetTalk for Windows NT server), you can use StreetTalk Explorer or the MNET program.
To Locate Workstation Addresses
Use one of the following methods to determine the physical address of a workstation.
From StreetTalk Explorer:
1. Right-click a neighbor server and select Communications from the shortcut menu.
2. Click the Neighbors tab. Workstations are identified as Clients and are listed by the communications interface or port through which the workstations are connected to the server. The workstation's network ID matches that of its routing server.
3. Record the address information or print the screen.
From the System Prompt:
1. Display the Network Summary menu in one of two ways:
- Enter MNET servername, where servername is the name of the neighbor server. If you do not specify a server name, you are prompted to choose from a list of available servers. You may choose more than one server at a time.
- From the server console of a native VINES server, choose Run Network Management. If you have the VNSM option, choose the server name from the list of available servers. Otherwise, the VINES Network Summary appears for the server at which you are working.
2. When the Network Summary menu appears, choose SHOW topology information.
3. At the Topology Information menu, choose VINES neighbors. The workstation addresses are listed by the communications interface or port through which the workstations are connected to the server. DOS and Windows workstations are identified as "PC" in this screen. In addition, the workstation's network ID matches that of its routing server.
4. For details on the SHOW topology and VINES neighbors menus, see Monitoring and Optimizing Servers.
5. Either print the screen or record the information.
The StreetTalk for Windows NT Administrator's Guide describes the STCOMMS utility, which displays information about neighbors of StreetTalk for Windows NT servers.
Accessing the Login Locations Checkbox or Menu
To access the Login Locations checkbox or menu, display the Security Settings menu and choose Modify Login Locations. The example below shows login locations for the user Bill Jones@Marketing@WCTUS.
The Login Locations menu lets you perform the following functions:
Add a Location - Add up to ten locations.
Modify a Location - Change a login location from one type to another.
Delete a Location - Remove a login location.
Macintosh
The Login Locations dialog box or menu (M* programs) does not apply to Macintosh workstations running VINES client software. It is the only Security Settings option that does not apply to them.
The next section describes how to add and modify login locations. To delete login locations, see the section "Deleting Login Locations."
Adding and Modifying Login Locations
At the Login Locations menu, you can specify up to three levels of login locations:
Server-level - Users can log in from any workstation on any link attached to a particular server.
Link-level - Users can log in from any workstation on a specific link of the server that you just named at the server level.
Workstation-level - Users can log in from specific workstations on a LAN segment.
StreetTalk for Windows NT
StreetTalk for Windows NT only supports server-level restrictions.
Whenever you add any type of login location, you must choose a server from the Available Servers menu. All login locations are associated with a specific server.
Adding Server-level Restrictions
You can set up a server-level restriction so that users can log in from any DOS, Windows, or OS/2 workstation on any link attached to a particular server.
From StreetTalk Explorer:
1. Right-click the user or group in the left or right pane and select Properties from the shortcut menu. The property sheet appears.
2. Select the Login Restrictions tab.
3. Click Add Location to display a dialog box.
4. In the Server drop-down list, select the server and click OK.
The restriction displays in the Login Locations field.
5. Click Apply.
Note: Use the same procedure to specify links. To specify a LAN address on the link, type the hexadecimal NIC address of the workstation in the Node field. See "Adding Link-level Restrictions" and "Adding Workstation-level Restrictions" for more information.
From the System Prompt:
To specify a server-level restriction:
1. Choose ADD a Location from the Login Locations menu.
2. At the Available Servers menu, choose the server to which you want to confine logins.
3. When prompted if you want to confine logins to a specific link on the server, choose:
- NO to allow logins to all links on the server. The system returns you to the Login Locations menu. If you have completed your task, press ESC to return to the Security Settings menu. If not, you can add, delete, or modify other login locations.
- YES to limit logins to a specific link on the server. Proceed to step 4 of the next section, "Adding Link-level Restrictions."
Adding Link-level Restrictions
You can set up a link-level restriction so that users can log in from any workstation on a specific link attached to a specific server. You choose the link to which you want to confine a user's logins at the Available Links menu.
The information on the Available Links screen is described as follows:
Slot-line - Identifies the LAN card by the slot number/line number combination in the format:
slotnumber-0
where slotnumber is the number of the slot in which the LAN card is installed.
For asynchronous lines, the slot number/line number combination appears in the format:
slotnumber-linenumber
where slotnumber is the number of the slot in which the line's serial communications card is installed, and linenumber is the line's number on the card. The slot number/line number combination indicates the line's assignment.
Type - Displays the link type for each link on the menu. For LAN segments, the type of LAN card appears (for example, an Ethernet card may appear as 3Com® EtherLink® II). For asynchronous lines, "Asynch" appears.
To specify a link-level restriction from the system prompt, perform the following steps:
1. Choose ADD a Location from the Login Locations menu.
2. At the Available Servers menu, choose the server connected to the link to which you want to confine logins.
3. When prompted if you want to confine logins to a specific link on the server, choose YES.
The Available Links menu for the selected server appears. This menu displays all the LAN segments connected to that server.
4. At the Available Links menu, choose a link to which you want to confine logins.
5. When the system returns you to the Login Locations menu, you can add, delete, or modify other login locations, or you can press ESC to return to the Security Settings menu.
Adding Workstation-level Restrictions
You can set up a workstation-level restriction so that users can log in only from specific workstations on a LAN segment. You can set up only one workstation-level restriction at a time.
Before you begin, be sure you have retrieved the address of the workstation to which you want to restrict login. To retrieve this information, use the MNET program as described in the section, "Gathering Location Information."
Note: The address you need is the link-level node address of the workstation and cannot be validated when you enter it in the appropriate Login Locations menu. You must determine this address and specify it only if it is relevant for the LAN type.
To specify workstation-level restrictions from the system prompt:
1. From the Login Locations menu, choose ADD a Location.
2. At the Available Servers menu, choose the server associated with the link on which the specific workstation resides to confine logins to that workstation.
3. When prompted if you want to confine logins to a specific link on the server, choose YES.
The Available Links menu for the selected server appears, listing all the links on the server.
4. Choose the link on which the workstation resides.
5. When prompted if you want to confine logins to a specific workstation on the link, choose YES.
6. At the Confine Login to Node screen, enter the address of the workstation.
Workstation addresses are generally limited to 10 characters (without spaces), but you can enter the address using spaces, up to a total of 20 characters. When the system stores the address, it eliminates the spaces you enter.
For example, you could enter a workstation number in either of these ways:
- With spaces: 01 03 B6 84 A2
- Without spaces: 0103B684A2
7. When the system returns you to the Login Locations menu, you can add, delete, or modify other login locations; or you can press ESC to return to the Security Settings menu.
Modifying a Login Location
Choose a server-level, link-level, or workstation-level restriction and modify it from the Login Locations menu in the following situations:
- You previously defined a server-level restriction (for example, Server1,*) but now you want to confine logins to just some of the links that Server1 is on.
- You previously defined a link-level restriction (for example, Server2,3-0) but now you want to allow logins to all links that Server2 is on.
- You previously defined a link-level restriction (for example, Server4,3-0,*) but now you want to confine logins to a single workstation on the LAN segment connected to the LAN card in slot 3 of Server4.
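The following Python is an added example; it is not part of the Banyan manual or of the VINES software. It applies the rules given above and in "Adding Workstation-level Restrictions" to login-location strings of the form Server,link,node: "*" means "any", a link is written slot-line (for example 3-0), and a workstation address may be typed with spaces or dashes up to 20 characters but is stored without them, at most 10 characters. Because the Security Service cannot validate a node address when you enter it, the example checks the syntax locally before you type an address the system will accept unchecked. All function and class names are the example's own, and the login-location evaluation (no restrictions means login from anywhere, otherwise any matching restriction permits the login) is the example's reading of the defaults described earlier in this chapter.

```python
"""Normalise, classify and evaluate VINES login-location restrictions.

Added illustration, not Banyan code. Rules follow the manual's text:
Server[,link[,node]], "*" = any, link = slot-line, a typed node address
may contain spaces/dashes (<= 20 chars) and is stored stripped (<= 10).
Only syntax is checked; the service itself cannot validate the address.
"""
import re
from dataclasses import dataclass
from typing import Iterable

MAX_STORED_NODE_LEN = 10    # characters once spaces and dashes are removed
MAX_ENTERED_NODE_LEN = 20   # characters as typed, separators included
_LINK_RE = re.compile(r"^\d+-\d+$")    # slot-line, e.g. 3-0
_HEX_RE = re.compile(r"^[0-9A-F]+$")


def normalize_node(entered: str) -> str:
    """Apply the storage rule to a typed workstation (NIC) address."""
    if len(entered) > MAX_ENTERED_NODE_LEN:
        raise ValueError(f"address exceeds {MAX_ENTERED_NODE_LEN} characters as entered")
    stored = entered.replace(" ", "").replace("-", "").upper()
    if not stored or not _HEX_RE.match(stored):
        raise ValueError(f"address is not hexadecimal: {entered!r}")
    if len(stored) > MAX_STORED_NODE_LEN:
        raise ValueError(f"address exceeds {MAX_STORED_NODE_LEN} characters once stored")
    return stored


def is_valid_node(entered: str) -> bool:
    """True if the typed address would be accepted by normalize_node."""
    try:
        normalize_node(entered)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class LoginLocation:
    server: str
    link: str = "*"   # "*" = any link on the server, else slot-line
    node: str = "*"   # "*" = any workstation on the link, else NIC address

    def __post_init__(self) -> None:
        if not self.server.strip() or "," in self.server:
            raise ValueError("a server name is required")
        if self.link != "*" and not _LINK_RE.match(self.link):
            raise ValueError(f"link must be slot-line, for example 3-0: {self.link!r}")
        if self.node != "*":
            if self.link == "*":
                raise ValueError("a workstation restriction needs a specific link")
            object.__setattr__(self, "node", normalize_node(self.node))

    @property
    def level(self) -> str:
        if self.link == "*":
            return "server"
        return "link" if self.node == "*" else "workstation"

    def __str__(self) -> str:
        if self.level == "server":
            return f"{self.server},*"
        if self.level == "link":
            return f"{self.server},{self.link}"
        return f"{self.server},{self.link},{self.node}"

    def permits(self, server: str, link: str, node: str) -> bool:
        """Does a login from (server, link, node) satisfy this restriction?"""
        if server.lower() != self.server.lower():
            return False
        if self.link != "*" and link != self.link:
            return False
        return self.node == "*" or normalize_node(node) == self.node


def parse_location(text: str) -> LoginLocation:
    """Parse 'Server', 'Server,*', 'Server,slot-line' or 'Server,slot-line,node'."""
    parts = [p.strip() for p in text.split(",")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad login location: {text!r}")
    link = parts[1] if len(parts) > 1 else "*"
    node = parts[2] if len(parts) > 2 else "*"
    return LoginLocation(parts[0], link, node)


def is_permitted(locations: Iterable[LoginLocation], server: str, link: str, node: str) -> bool:
    """Security Service default: with no locations defined, login is allowed from anywhere."""
    locations = list(locations)
    if not locations:
        return True
    return any(loc.permits(server, link, node) for loc in locations)


if __name__ == "__main__":
    restrictions = [parse_location(s) for s in ("Server1,*", "Server2,3-0", "Server4,3-0,01 03 B6 84 A2")]
    for r in restrictions:
        print(f"{r!s:30} {r.level}")
    print(is_permitted(restrictions, "Server4", "3-0", "0103b684a2"))   # True
    print(is_permitted(restrictions, "Server4", "3-0", "0000000001"))   # False
```

Note that is_permitted returns True for an empty list: that is the default described under "Accepting Default Settings", so a user or group with no login locations defined is not restricted at all, and an audit should treat an empty list as "anywhere" rather than "nowhere".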
Procedures to Modify a Location
From StreetTalk Explorer:
1. Right-click the user or group in the left or right pane and select Properties from the shortcut menu. The property sheet appears.
2. Click the Login Restrictions tab.
3. Click Add Location to display a dialog box.
4. In the Server drop-down list, select the server.
5. To restrict the user to a specific link on the server, select the link from the Link drop-down list.
6. To restrict the user to a specific LAN address on the link, type the hexadecimal NIC address of the workstation in the Node field.
7. Click OK on the dialog box. The restriction displays in the Login Locations field.
8. Click Apply.
9. Repeat these steps to specify additional servers.
From the System Prompt:
1. From the Login Locations menu, choose MODIFY a Location.
2. Choose the login location you want to modify.
3. At the Available Servers menu, choose the appropriate server.
4. When prompted if you want to confine logins to a specific link on this server, choose:
- NO to allow logins on any link on this server. You return to the Login Locations menu.
- YES to specify a particular link. The system displays the Available Links menu. Choose a link from the Available Links menu.
5. When prompted if you want to confine logins to a specific workstation, choose:
- NO to allow logins from any workstation on the link.
- YES to restrict logins to a particular workstation on the link. Enter a workstation address, using up to 20 characters. Spaces or dashes are allowed, but the system deletes them when it stores the address.
The system returns you to the Login Locations menu.
To delete a login location, follow these steps:
From StreetTalk Explorer:
1. Right-click the user or group in the left or right pane and select Properties from the shortcut menu. The property sheet appears.
2. Click the Login Restrictions tab.
3. Select the location in the Login Locations field under NOS.
4. Click Remove Location.
5. Click Apply.
From the System Prompt:
To delete a login location for a user, follow these steps:
1. At the Login Locations menu, choose DELETE a Location.
2. Select the location you want to delete.
3. When prompted to confirm the deletion, choose YES to delete the location or NO to keep it. You return to the Login Locations menu.
To protect your network servers against unauthorized dial-in access, you can use StreetTalk Explorer or the OPERATE command to set up a user dial-in access list for each server you want to protect. No default list exists; if you do not create one, anyone can dial in to that server. The list should contain the names of all users who are authorized to access the server over dial-in lines.
StreetTalk for Windows NT
StreetTalk for Windows NT does not support a user dial-in access list.
When creating this list, be sure to coordinate it with any login location settings you assign. The default settings (no user dial-in access list and no specific login locations) allow anyone to log in from anywhere. If either default is left in place, you are not completely preventing unauthorized access:
- Using StreetTalk Explorer or OPERATE, you create a user dial-in access list for a server but do not limit where users can log in through MUSER or MGROUP. Any user can still log in, because if you do not limit login locations for groups or users, users can log in from anywhere.
- Using StreetTalk Explorer, MUSER, or MGROUP, you specify that users can dial in to a specific server but you do not create a user dial-in access list for that server. Any user can still log in to that server because no dial-in access list exists.
Note that the user dial-in access list of a server takes precedence only if you specify in StreetTalk Explorer, MGROUP, or MUSER that certain users can access a specific server, and then, when creating the user dial-in access list for that server, you leave those users off the list. Those users cannot log in.
Users who can dial in to a server have access to your entire network. To prevent unauthorized access to your network, create a user dial-in access list for each server and restrict the login locations of all users.
Entries in a Dial-in Access List
You can specify three types of entries in the user dial-in access list:
- StreetTalk name of an individual user
- StreetTalk list
- Pattern (using wildcard)
You can specify the StreetTalk user name to allow a user access.
For example, to allow Theresa Carbone to access your server over dial-in lines, you would specify:
Theresa Carbone@Ven@WCTES
You can specify the name of a StreetTalk list containing user names. For example, to allow all the users on the list, Dial-inList, to access a server over dial-in lines, you would specify:
Dial-inList@Sal@WCTUS
You can specify a StreetTalk pattern to allow a user access. In a pattern, you can designate only the following:
All Users in a Specific Group
*@[Group_Name]@[Organization_Name]
For example, specifying *@Ven@WCTES allows all users in group Ven@WCTES to access a server over dial-in lines.
All Users in a Specific Organization
*@*@[Organization_Name]
For example, specifying *@*@WCTES allows all the users in organization WCTES to access your server over dial-in lines.
Any User
*@*@*
Specifying *@*@* is not recommended; it produces the same result as not creating a user dial-in access list.
You can use a combination of these methods to specify some users individually by user name, some by list, and some by pattern.
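The following Python is an added example, not code from the Banyan manual or from VINES. It evaluates a server's user dial-in access list against a StreetTalk name using the three entry kinds just described (an individual name, a StreetTalk list, and the three permitted wildcard shapes), rejects wildcard shapes the manual does not allow, and models the two open defaults warned about earlier in this section: no list at all admits every dial-in user, and *@*@* has the same effect. It also combines the list with a user's login locations in the way the precedence note describes, so a user granted a server as a login location but left off that server's list is refused. StreetTalk list membership is an assumption here (a plain dict), the sample names, the group Eng, and all function names are constructed for the example, and the real Security Service resolves lists and names itself.

```python
"""Evaluate a server's user dial-in access list against a StreetTalk name.

Added illustration, not Banyan code. Entry kinds follow the manual:
a user name, a StreetTalk list name, or *@Group@Org, *@*@Org, *@*@*.
List membership is modelled with a dict (assumption); the service itself
resolves lists. No list, or *@*@*, admits every dial-in user.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data for the example; not taken from the manual.
LISTS: Dict[str, List[str]] = {
    "Dial-inList@Sal@WCTUS": ["Ann Lee@Sal@WCTUS", "Bob Smith@Sal@WCTUS"],
}
ACCESS_LIST: List[str] = [
    "Theresa Carbone@Ven@WCTES",   # one user
    "Dial-inList@Sal@WCTUS",       # a StreetTalk list
    "*@Eng@WCTES",                 # every user in group Eng@WCTES (constructed group)
]


def parse_name(name: str) -> Tuple[str, str, str]:
    """Split item@group@organization; StreetTalk names are case-insensitive."""
    parts = [p.strip().lower() for p in name.split("@")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a StreetTalk name: {name!r}")
    return parts[0], parts[1], parts[2]


def _lookup_list(entry: str, lists: Dict[str, List[str]]) -> Optional[List[str]]:
    for name, members in lists.items():
        if name.lower() == entry.lower():
            return members
    return None


def classify_entry(entry: str, lists: Dict[str, List[str]]) -> str:
    """Return user, list, group, organization or any; reject other wildcard shapes."""
    item, group, org = parse_name(entry)
    wild = (item == "*", group == "*", org == "*")
    if wild == (False, False, False):
        return "list" if _lookup_list(entry, lists) is not None else "user"
    if wild == (True, False, False):
        return "group"
    if wild == (True, True, False):
        return "organization"
    if wild == (True, True, True):
        return "any"
    raise ValueError(f"pattern not permitted in a dial-in access list: {entry!r}")


def is_valid_entry(entry: str, lists: Dict[str, List[str]]) -> bool:
    try:
        classify_entry(entry, lists)
        return True
    except ValueError:
        return False


def entry_matches(entry: str, user: str, lists: Dict[str, List[str]]) -> bool:
    kind = classify_entry(entry, lists)
    u, e = parse_name(user), parse_name(entry)
    if kind == "user":
        return u == e
    if kind == "list":
        return any(parse_name(m) == u for m in _lookup_list(entry, lists) or [])
    if kind == "group":
        return u[1:] == e[1:]
    if kind == "organization":
        return u[2] == e[2]
    return True   # "*@*@*"


def dial_in_allowed(user: str, access_list: Iterable[str], lists: Dict[str, List[str]]) -> bool:
    """An empty access list is the manual's default: anyone may dial in."""
    entries = list(access_list)
    return not entries or any(entry_matches(e, user, lists) for e in entries)


def audit_access_list(access_list: Iterable[str], lists: Dict[str, List[str]]) -> List[str]:
    """Warnings for the two settings that leave the server open to any dial-in user."""
    entries = list(access_list)
    warnings = [] if entries else ["no dial-in access list: any user can dial in"]
    for e in entries:
        if classify_entry(e, lists) == "any":
            warnings.append(f"{e} admits every user, same as having no list")
    return warnings


def dial_in_login_allowed(user: str, server: str, permitted_servers: Optional[Iterable[str]],
                          access_list: Iterable[str], lists: Dict[str, List[str]]) -> bool:
    """Both the user's login locations (None = unrestricted) and the server's list must allow it."""
    if permitted_servers is not None and server.lower() not in {s.lower() for s in permitted_servers}:
        return False
    return dial_in_allowed(user, access_list, lists)


if __name__ == "__main__":
    for who in ("Theresa Carbone@Ven@WCTES", "Ann Lee@Sal@WCTUS", "Carl Jones@Ven@WCTES"):
        print(f"{who:28} {dial_in_allowed(who, ACCESS_LIST, LISTS)}")
    print(audit_access_list(["*@*@*"], LISTS))
```

Run audit_access_list over every server's list before relying on it: a server with no list, or one containing *@*@*, admits any dial-in user, and as the text above notes, a user who can dial in to a server has access to the entire network.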
Planning User Access
Before you set up the user dial-in access list for your server, you should obtain the names of the appropriate users, lists of users, and patterns. If you are restricting the user login locations, obtain that information. Use the User Dial-in Access Worksheet to record the names, any descriptive information, and the login locations.
Figure 8-5 shows a sample of this worksheet. A master worksheet is included in Banyan IQ.
Setting Up a User Dial-in Access List
To set up a user dial-in access list, follow these steps:
From StreetTalk Explorer:
1. Right-click a server and select Properties from the shortcut menu.
2. Click the Dial-in Access tab.
3. Click the Browse button and select a user, list, or pattern name, using your User Access Worksheet. Click Add.
4. When you have finished adding names, click Apply.
From the System Prompt:
1. Run the OPERATE program. If you did not specify a server name, choose the appropriate one from the menu that appears.
2. From the Operate a Server menu, select RESTRICT Access.
3. From the Restrict Access menu, select Restrict Dial-in Users.
4. At the Restrict Dial-in Users screen, enter the user, list, and pattern names, using your User Access Worksheet. Enter one name per line.
5. When you have completed entering the names, press F10.
If StreetTalk cannot find an entry, it displays an error message and does not accept the access list. If this happens, correct the entry or press ESC to abort the operation.
You can delete security settings for a group or for a user. When you delete user-specific security settings, you delete the security record that contains all the individual settings for a user. This deletion causes the group security settings or Security Service defaults to take effect for that user. To see what these defaults are, read the section, "Accepting Default Settings," earlier in this chapter.
Unless you specifically choose the Delete User Specific Security Settings command (in the MUSER program), the record for the user still exists. This record affects what happens when a user changes passwords.
To delete security settings, follow these steps:
From StreetTalk Explorer:
1. Right-click a user and select Properties from the shortcut menu.
2. Click the Password, Login Restrictions, or Login Times tab.
3. In the Security in Effect section, select the Group Level Security radio button and click Apply.
From the System Prompt:
1. At the Security Settings menu, choose the appropriate command for deleting security settings:
- MGROUP - Delete Security Settings for Group
- MUSER - Delete User Specific Security Settings
2. When prompted to confirm the deletion, choose YES.
Error messages from Banyan management programs can appear:
- On the 25th line of a DOS workstation
- In the special VINES message box of a Windows workstation
- At the system prompt
The error code that precedes a message from the Security Service has the following format:
VANnnnn
where VAN is a prefix that identifies the Security Service and nnnn is a number that uniquely identifies an error within the system.
Example Security Service Error Messages
VAN1804 Nonce provided for authentication is invalid.
VAN1810 Requested profile command not found.
Using On-line Help for Error Messages
To access on-line help for an error message, enter the VNSERR command at the DOS prompt. The VNSERR command has the following format:
VNSERR error-code
where error-code identifies the specific service message.
For example, to access help for the message VAN1804, enter:
vnserr van1804
The van in front of the number identifies that it is a Security Service error message, and is optional.
The VNSERR command displays an explanation of the message.
To print the help text of all Security Service error messages:
1. Assign LPT1 to a network print service using the VINES SETPRINT command.
2. Enter vnserr /p:van, where /p:van identifies all Security Service error messages.
For a complete description of the VNSERR and SETPRINT commands, see the Command Reference. For a description of using the SETPRINT program, see Managing VINES Services.