Managing VINES Security
Chapter 1 - Securing a VINES Network
Planning VINES Security
This guide discusses how to maintain security on a network with native VINES servers. Information about controlling access to a server on an internetwork also applies to a network with StreetTalk for Windows NT servers.
In a VINES network, the network manager can maintain very strict control over security features or share the responsibilities with server administrators and end users. The choice of whether to control security centrally or to delegate responsibility should be made according to your organization's security policy.
The areas of security which you can control are as follows:
User login
Server access
Data protection
Printer protection
Access to the server console
For example, you can keep control of all access to VINES file services, or you can let end users run the SETARL program to limit access to their directories and files. Or, you may want to delegate responsibility for data and printer protection to each server administrator in the different departments within your organization.
Planning a Banyan Network provides information to help you plan security. The corresponding chapters in this book explain how to implement your plan.
Levels of VINES Users
VINES network administrators are the highest level of user; they have the most control over the servers and other network resources. Network administrators fall into two categories: server administrators and group administrators. VINES security provides two other levels of users: operators and users. The rest of this section describes these three levels.
VINES security identifies administrators by the presence of their StreetTalk names on administrator lists, also known as AdminLists. VINES software creates two types of administrator lists - the server AdminList and the group AdminList.
Each AdminList is a list of StreetTalk names that is created automatically when you either install VINES software on a server (AdminList@servername@Servers) or create a new group (AdminListGroup@Organization). The first name on the server AdminList is the StreetTalk user name entered during the installation of VINES software on the server. The first name on the group AdminList is the StreetTalk user name of the creator of the group.
For example, if you are logged in as Admin@Nwk@WCTUS and you create a new group, Finance@WCTUS, the name Admin@Nwk@WCTUS is the first name on the AdminList of the group Finance@WCTUS. While logged in as Admin@Nwk@WCTUS, you should add the StreetTalk names of the administrator who will create the users and services in that group to the group's AdminList.
To be able to perform administrative functions, your StreetTalk name must be on one or both of these AdminLists. Table 1-1 shows VINES administrative tasks and the AdminList membership required to perform them.
Individuals on the AdminList of a group have complete control of the print services created in that group. In addition, they have Control access to the file services created in that group, whether or not their names are on the access rights lists (ARLs) of the directories and files of that service. With Control access, they can change the ARLs to give themselves other privileges, including Search, Read, Write, and Delete on directories, and Read, Write, and Execute on files. Consider carefully which StreetTalk names should be on your AdminLists.
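The two rules in the paragraph above (a group administrator holds Control on every directory and file of the group's file services regardless of the ARL, and Control is what lets someone edit an ARL) can be made concrete with a small model. This is an added example written for this page, not Banyan's code and not the actual SETARL program; the StreetTalk names other than Admin@Nwk@WCTUS and Finance@WCTUS, the paths, the ARL entries, and the way multiple matching ARL entries combine are constructed assumptions of the model.

```python
"""Model of VINES file-service access resolution: a StreetTalk name on the
group AdminList holds Control on every directory and file of the file
services created in that group, and Control is what permits an ARL edit.
Added illustration for this page, not Banyan software; names, paths and
ARL entries are constructed."""
from dataclasses import dataclass, field

DIRECTORY_RIGHTS = {"Control", "Search", "Read", "Write", "Delete"}
FILE_RIGHTS = {"Control", "Read", "Write", "Execute"}


def streettalk_matches(pattern: str, name: str) -> bool:
    """True if a StreetTalk name (item@group@org) matches a list entry.
    Any component of the entry may be '*': *@*@* is everyone on the network,
    *@Finance@WCTUS is everyone in the Finance group. Comparison is
    case-insensitive (a choice of this model, not a claim about VINES)."""
    pat, nam = pattern.split("@"), name.split("@")
    if len(pat) != 3 or len(nam) != 3:
        raise ValueError("StreetTalk names have three parts: item@group@org")
    return all(p == "*" or p.lower() == n.lower() for p, n in zip(pat, nam))


@dataclass
class FileService:
    name: str        # e.g. FS1@Finance@WCTUS (constructed)
    group: str       # group@org in which the service was created
    # ARL per path: {list entry: set of rights}. Entries are matched
    # independently and their rights unioned (an assumption of this model).
    arls: dict = field(default_factory=dict)


@dataclass
class Network:
    # group@org -> StreetTalk names on that group's AdminList
    group_adminlists: dict = field(default_factory=dict)


def is_group_admin(net: Network, group: str, user: str) -> bool:
    return any(streettalk_matches(e, user) for e in net.group_adminlists.get(group, []))


def effective_rights(net: Network, svc: FileService, path: str, user: str) -> set:
    """Rights from matching ARL entries, plus Control for group administrators
    whether or not they appear on the ARL at all."""
    rights = set()
    for entry, granted in svc.arls.get(path, {}).items():
        if streettalk_matches(entry, user):
            rights |= granted
    if is_group_admin(net, svc.group, user):
        rights.add("Control")
    return rights


def set_arl(net, svc, path, actor, entry, rights, is_file=False):
    """Model of an ARL edit: only a Control holder may change a path's ARL,
    and the rights must be valid for the object type (directory or file)."""
    if "Control" not in effective_rights(net, svc, path, actor):
        raise PermissionError(f"{actor} has no Control access to {path}")
    bad = set(rights) - (FILE_RIGHTS if is_file else DIRECTORY_RIGHTS)
    if bad:
        raise ValueError(f"invalid rights for this object: {sorted(bad)}")
    svc.arls.setdefault(path, {})[entry] = set(rights)


def demo() -> dict:
    # Admin@Nwk@WCTUS created Finance@WCTUS, so it heads that group's AdminList.
    net = Network(group_adminlists={"Finance@WCTUS": ["Admin@Nwk@WCTUS"]})
    svc = FileService("FS1@Finance@WCTUS", "Finance@WCTUS",
                      {"\\REPORTS": {"*@Finance@WCTUS": {"Search", "Read"}}})
    admin, member, outsider = "Admin@Nwk@WCTUS", "Pat Lee@Finance@WCTUS", "Sam@Sal@WCTUS"
    out = {
        "admin_before": effective_rights(net, svc, "\\REPORTS", admin),
        "member": effective_rights(net, svc, "\\REPORTS", member),
        "outsider": effective_rights(net, svc, "\\REPORTS", outsider),
    }
    # A Control holder can grant themselves further rights through the ARL.
    set_arl(net, svc, "\\REPORTS", admin, admin, {"Read", "Write", "Delete"})
    out["admin_after"] = effective_rights(net, svc, "\\REPORTS", admin)
    # A member without Control cannot edit the ARL at all.
    try:
        set_arl(net, svc, "\\REPORTS", member, member, {"Write"})
        out["member_edit"] = "allowed"
    except PermissionError:
        out["member_edit"] = "denied"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

The point the model makes is the one the paragraph warns about: the administrator's name never appears on the \REPORTS ARL, yet the administrator both holds Control there and can use it to write any rights they like into the list, so reviewing the ARLs alone does not tell you who can reach the data.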
The VINES print service provides a level of administrator between the network administrator (AdminList) and the end user, called the operator. The operator can perform a subset of administrator tasks, freeing the network administrator from daily maintenance and routine troubleshooting.
The chapter on printer security, Chapter 7, describes the operator privileges and how to set up a list of operators for a print service. Before creating the list, decide who should be on the list for each print service.
After creating groups and StreetTalk names for the individuals in those groups, you can restrict user access through the Security Settings menus of MGROUP and MUSER. You can restrict where and when users can log in and how often they must change their passwords.
You can further restrict user activity by creating a user access list for print and communications services (for example, the 3270 SNA and PC Dial-in options) and by setting up access rights lists for file services.
User Login Security
On each server, the VINES Security Service authenticates user logins to provide security. It ensures that users can log in from their present location and that they are in conformance with security requirements. For example, this service forces users to change their password if you specified that they should.
You control the VINES Security Service by specifying security settings for groups or for individual users, or by accepting VINES defaults. The settings that you can specify include:
Password length and life
Forced change of password when password expires
Users' ability to change their passwords and user profiles
Maximum number of simultaneous logins
Login times
Forced logout
Login locations
Types of workstations
If you choose to accept VINES defaults for these settings, user login security is very open. Users can log in at any time, from any location on the network, as many times as they want. They can change their passwords at any time and can edit their own user profiles.
You can change any or all of the default settings for an entire group or for individual users. Settings for a user override the settings for that user's group. For example, you might not allow the group Sal@WCTUS to edit their user profiles, while still allowing the group's administrator, Rebecca Jablon@Sal@WCTUS, to edit her own profile.
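The precedence described above (VINES defaults, overridden by group settings, overridden by a user's own settings) and the checks the Security Service makes against the resolved settings can be sketched as follows. This is an added example written for this page, not Banyan code; the setting names, the specific restrictions placed on Sal@WCTUS, the second user Pat Lee@Sal@WCTUS, and the location names are constructed. The page does not give the default password length or life, so the model uses None for "no limit" there.

```python
"""Model of VINES user login security settings: open VINES defaults, tightened
by a group's settings, overridden by a user's own settings, then applied to a
login attempt. Added illustration for this page, not Banyan code; the group
restrictions, the second user and the locations are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Open defaults as the page describes them: any time, any location, unlimited
# logins, users may change passwords and edit profiles. Default password
# length and life are not given on the page; None means "no limit" here.
OPEN_DEFAULTS = {
    "min_password_length": None,
    "password_life_days": None,
    "force_change_on_expiry": False,
    "can_change_password": True,
    "can_edit_profile": True,
    "max_simultaneous_logins": None,
    "login_hours": None,        # (start_hour, end_hour) on a 24-hour clock
    "login_locations": None,    # set of permitted location names
}

# Constructed group settings for Sal@WCTUS: no profile editing, logins only
# 07:00-19:00 from Boston, at most 2 sessions, 90-day passwords, forced change.
GROUP_SETTINGS = {
    "Sal@WCTUS": {
        "can_edit_profile": False,
        "login_hours": (7, 19),
        "login_locations": {"Boston"},
        "max_simultaneous_logins": 2,
        "password_life_days": 90,
        "force_change_on_expiry": True,
    }
}
# The group's administrator keeps the right to edit her own profile.
USER_SETTINGS = {"Rebecca Jablon@Sal@WCTUS": {"can_edit_profile": True}}


def resolve_settings(group: Optional[dict], user: Optional[dict]) -> dict:
    """Precedence: user settings > group settings > VINES defaults."""
    effective = dict(OPEN_DEFAULTS)
    effective.update(group or {})
    effective.update(user or {})
    return effective


@dataclass
class LoginAttempt:
    user: str               # StreetTalk name, item@group@org
    at: datetime
    location: str
    active_sessions: int    # logins this user already has open
    password_age_days: int


@dataclass
class Decision:
    allowed: bool
    reasons: list
    must_change_password: bool
    can_edit_profile: bool


def check_login(attempt: LoginAttempt, settings: dict) -> Decision:
    """Refuse a login that breaks any restriction; on success, report whether
    the user must change an expired password and may edit their profile."""
    reasons = []
    hours = settings["login_hours"]
    if hours is not None and not (hours[0] <= attempt.at.hour < hours[1]):
        reasons.append("outside permitted login times")
    locations = settings["login_locations"]
    if locations is not None and attempt.location not in locations:
        reasons.append("login location not permitted")
    limit = settings["max_simultaneous_logins"]
    if limit is not None and attempt.active_sessions >= limit:
        reasons.append("maximum simultaneous logins reached")
    life = settings["password_life_days"]
    expired = life is not None and attempt.password_age_days > life
    return Decision(
        allowed=not reasons,
        reasons=reasons,
        must_change_password=bool(expired and settings["force_change_on_expiry"]),
        can_edit_profile=settings["can_edit_profile"],
    )


def evaluate(attempt: LoginAttempt) -> Decision:
    """Look up the group from the StreetTalk name, resolve, then check."""
    group = attempt.user.split("@", 1)[1]
    settings = resolve_settings(GROUP_SETTINGS.get(group), USER_SETTINGS.get(attempt.user))
    return check_login(attempt, settings)


if __name__ == "__main__":
    print(evaluate(LoginAttempt("Rebecca Jablon@Sal@WCTUS", datetime(2024, 3, 4, 9, 30), "Boston", 0, 10)))
    print(evaluate(LoginAttempt("Pat Lee@Sal@WCTUS", datetime(2024, 3, 4, 22, 0), "Boston", 0, 10)))
```

Because the merge is a plain dictionary update, a user-level setting silently wins over the group's: that is exactly the behaviour the page describes, and also the reason a per-user report of the effective settings (Chapter 3) is worth running after any group-wide change.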
Managing Users and StreetTalk describes the VINES default settings and how to change the settings for groups and users. Chapter 3 describes how to generate reports that show the security settings for users.
Server Access Security
Access to the servers on a VINES network is open unless you restrict it. You can restrict who can log in through the VINES PC Dial-in option by creating a dial-in access list for each server. Managing Users and StreetTalk discusses this list.
In addition, you can restrict access between VINES servers on an internetwork. An internetwork is a network that includes two or more VINES servers that are connected by serial lines (including HDLC, block asynchronous, and X.25) or that includes one or more VINES servers connected by a TCP/IP or SNA network. For each VINES server on an internetwork, you can create an internetwork access list that controls which VINES servers can communicate with that server.
For dial-in access and internetwork access, there are three levels of access to a VINES server:
Unrestricted - Two networks become one. Users on one network can interact with resources on the other network, restricted only by the access rights associated with those resources. Network mail moves freely between the two networks. The StreetTalk naming information on the two networks merges.
Restricted - Two networks exchange only mail messages that are force routed. While low-level routing information is exchanged and visible through the VNSM (VINES Network and Systems Management) program, StreetTalk information is not exchanged.
Secure - Networks exchange no information. No traffic can travel between your server and other servers in other networks.
By default, the access level is unrestricted. Chapter 2 describes these three levels of access in more detail and explains how to restrict internetwork access appropriately.
Server Console Security
You can prevent unauthorized access to VINES servers and their configurations by using the server console security feature. This feature prevents unauthorized remote console access as well as direct access. The Banyan Server Operations Guide describes how to restrict access to the server console.
Access to the file services on a VINES network is controlled by access rights lists (ARLs). When you create a file service, you are automatically the owner of the root directory of the file service and have complete access to any directories and files that are created. To enable users to control access and to create subdirectories and files, you must change the access rights to the root directory and any other subdirectories you create. Chapter 4 describes the access rights lists in detail and explains how to use the SETARL program to edit them.
In addition to access rights lists, you can also use attributes, such as No Delete, to limit access to directories and files. VINES attributes encompass the attributes of the DOS FAT (File Allocation Table) and Macintosh file systems in addition to two VINES attributes, Sharing and Execute. Chapter 5 describes the attributes and how to use the SETATTR program to edit them.
To solve access problems, you can use the user access report feature. This report provides both access rights and attributes for a given directory or file. Chapter 6 describes this feature, and how to use it, in detail.
The VINES print service lets you create two access lists: one for operators and one for users. The default for the operator list is the AdminList of the group to which the print service belongs. The default for the user list is *@*@*, or all users on the network. To restrict access to network printers, you must edit the access lists of each print service. Chapter 7 explains how to edit these two lists.
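The defaults described in the paragraph above (operator list defaulting to the group's AdminList, user list defaulting to *@*@*) and the effect of editing them can be modelled with a few lines. This is an added example written for this page, not Banyan code; the print service name, the operator Pat Lee@Finance@WCTUS, and the other StreetTalk names apart from Admin@Nwk@WCTUS and Finance@WCTUS are constructed. The name matcher treats each of the three StreetTalk components independently, with '*' as a wildcard, and compares case-insensitively, which is a choice of this model.

```python
"""Model of the two access lists of a VINES print service and their defaults.
Added illustration for this page, not Banyan software; the service and the
people other than Admin@Nwk@WCTUS are constructed."""
from dataclasses import dataclass
from typing import Optional

EVERYONE = "*@*@*"


def streettalk_matches(pattern: str, name: str) -> bool:
    """Match item@group@org against a list entry whose components may be '*'.
    Case-insensitive comparison is a choice of this model."""
    pat, nam = pattern.split("@"), name.split("@")
    if len(pat) != 3 or len(nam) != 3:
        raise ValueError("StreetTalk names have three parts: item@group@org")
    return all(p == "*" or p.lower() == n.lower() for p, n in zip(pat, nam))


@dataclass
class PrintService:
    name: str                          # e.g. LaserJet@Finance@WCTUS (constructed)
    group: str                         # group@org the service belongs to
    operators: Optional[list] = None   # None = not edited, use the default
    users: Optional[list] = None       # None = not edited, use the default


def operator_list(svc: PrintService, group_adminlists: dict) -> list:
    """Default operator list is the AdminList of the service's group."""
    if svc.operators is not None:
        return list(svc.operators)
    return list(group_adminlists.get(svc.group, []))


def user_list(svc: PrintService) -> list:
    """Default user list is *@*@*, every user on the network."""
    return list(svc.users) if svc.users is not None else [EVERYONE]


def role(svc: PrintService, group_adminlists: dict, name: str) -> str:
    """Highest role a StreetTalk name holds on this print service."""
    if any(streettalk_matches(e, name) for e in group_adminlists.get(svc.group, [])):
        return "administrator"      # complete control, via the group AdminList
    if any(streettalk_matches(e, name) for e in operator_list(svc, group_adminlists)):
        return "operator"
    if any(streettalk_matches(e, name) for e in user_list(svc)):
        return "user"
    return "none"


def open_to_network(svc: PrintService) -> bool:
    """True while the user list still admits every user on the network."""
    return any(streettalk_matches(e, "x@y@z") and e == EVERYONE for e in user_list(svc))


def demo() -> dict:
    adminlists = {"Finance@WCTUS": ["Admin@Nwk@WCTUS"]}
    fresh = PrintService("LaserJet@Finance@WCTUS", "Finance@WCTUS")
    restricted = PrintService("LaserJet@Finance@WCTUS", "Finance@WCTUS",
                              operators=["Pat Lee@Finance@WCTUS"],
                              users=["*@Finance@WCTUS"])
    names = ["Admin@Nwk@WCTUS", "Pat Lee@Finance@WCTUS", "Sam@Sal@WCTUS"]
    return {
        "fresh_operators": operator_list(fresh, adminlists),
        "fresh_open": open_to_network(fresh),
        "fresh_roles": {n: role(fresh, adminlists, n) for n in names},
        "restricted_open": open_to_network(restricted),
        "restricted_roles": {n: role(restricted, adminlists, n) for n in names},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the model shows that the defaults make easy to miss: a newly created print service is reachable by everyone on the network until someone edits its user list, and editing the operator list does not remove the group administrators, who keep complete control through the AdminList regardless of what the operator list says.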