Managing VINES users consists mainly of granting users access to the network and making VINES services and third-party applications available in a controlled, secure, and logical manner. You may also have to answer questions or distribute information about the way your network is set up.
This chapter explains how to add users to a Banyan network, set security settings for users, and obtain information about them after they are added. You perform these tasks after you have connected user workstations to the network.
The task of an administrator is to ensure that users can log in and that when they log in, they access the services they have been given rights to. You run the following VINES programs or use StreetTalk Explorer to perform these tasks:
MUSER adds a user to the StreetTalk database and controls user security.
MGROUP controls group security.
SETARL specifies which users can access a file or directory.
OPERATE lets you restrict dial-in users.
The file and print services also allow for security control. Chapter 9 and Chapter 10 describe file and print services, respectively.
Resources on all servers are available to users, subject only to administrator-controlled access and security. A multi-server network appears to the user as a simple, single-server network. Network resources, such as server disks for file storage, are seen as extensions of local workstation resources.
DOS
When DOS and OS/2 VINES users log in, they log in to the network rather than on to an individual server.
DOS users enter the BAN command or their AUTOEXEC.BAT file automatically executes BAN.
OS/2
OS/2 users change to the VINES directory and then enter BAN. The STARTUP.CMD file is the equivalent of the DOS AUTOEXEC.BAT file. It lets users change their initial directory and it automatically executes BAN.
Macintosh
Macintosh users who want to access a file volume on a native VINES server select a zone and a file server, and enter a StreetTalk name and password to log on to that native VINES server. Then they select the file volume they want to mount on the desktop. See Figure 6-1.
If they want to run VINES programs (for example, network mail, SETARL, or a messaging program), the VINES Utilities application must be installed on their workstations. The utility program requires that users enter a name and a password to log in to the Banyan network.
Users see different screens depending on what they want to do.
To log in to the network, each DOS, Windows, and OS/2 user must have a valid StreetTalk name. You must add their unique names to the StreetTalk naming service. Chapter 3 described the format of StreetTalk names.
When adding a user, you also specify a password and create a user profile.
A StreetTalk name and password are the last requirements users must meet, once their workstations have a properly installed and configured LAN card and the required Banyan network software as described in Chapter 5.
If DOS or Windows users will be accessing a file volume on a server where Macintosh users store files, their StreetTalk names and profiles must be on a VINES 4.00 (5) or greater server.
Macintosh
The StreetTalk names of Macintosh users should reside on a server that is running VINES 5.0 or greater so that they can reliably receive messages from the VINES Messages application. Macintosh users can access files on a native VINES server if their names reside on a server that is running VINES 4.00 (5) or greater.
Note: StreetTalk for Windows NT does not support Macintosh client workstations accessing Macintosh files on a StreetTalk for Windows NT server.
Therefore, when you are ready to add Macintosh users, be sure that:
You add Macintosh users only from a DOS or Windows workstation that has been upgraded to be compatible with VINES 5.0 or greater. This lets you specify which kind of workstation (DOS, Windows, OS/2, or Macintosh) users can log in to.
Your login name is on the AdminList of a group residing on a 5.5x or greater server. (If you were logged in as the administrator of the server and created the group under this login, your login name is on the AdminList of the group.)
The group name in a user's StreetTalk name (for example, Smith@MKT where MKT is the group name) is the name of the group that resides on the 5.5x or greater server.
Also, you must install the VINES utilities application if users want to send network messages or monitor and control how they share folders and files with other users on the network. The VINES User's Guide for Macintosh describes this program.
When you add users to the network, you provide them with user profiles. The profile determines what network services are automatically available to a user when the user logs in. Profiles are stored as binary data (associated records) in StreetTalk on Banyan servers. Use StreetTalk Explorer or run the MUSER program to create or edit profiles.
A profile contains a series of commands that set drives, paths, and default printers. Some of the commands are VINES commands (for example, SETDRIVE); others are DOS or OS/2 commands (for example, CD and DIR). When a user logs in, the commands in the profile are executed.
The commands in the profile control the contents of certain VINES menus that the user sees. They also set up the user's working resources, such as print and file services, on the network. When a user profile is executed, that user is set up to use any services that you specified in the profile. Any access rights associated with those services affect the user's access to those services.
DOS, Windows, and OS/2 users must have user profiles. If your Banyan network includes Macintosh users, update their profiles so that they can use mail and STDA.
User profiles can include conditional statements enabling a user to specify the execution of different profile commands, depending on the type of workstation from which they log in.
You can use VINES menus or any ASCII text editor to create or change profiles.
Figure 6-2 is an example of a user profile.
A profile can be a maximum of 1023 characters.
You can enter 7-bit ASCII and 8-bit multinational characters in a user profile, but multinational characters are converted to equivalent 7-bit ASCII characters. Such 8-bit characters include accents, diacritical marks (for example, a circumflex), and special language-specific characters. For example, the characters e, è, ë, é, and É, are all stored as e.
You can specify up to 26 virtual drives in profiles, but the PCCONFIG program determines the maximum number.
You can edit the profile of any user in any group that you manage, at any time. Any changes you make take effect the next time the user logs in.
You can also write the user profile of one user to a DOS file and copy the file to the profile of another user.
By default, VINES lets users edit their own profiles. You can restrict this privilege as part of the security settings for a user or a group. Then, a user cannot change the VINES or DOS commands in the profile.
The user profile in VINES is automatically executed when the user logs in to the network. It is similar to the AUTOEXEC.BAT file in DOS, but not identical. The differences are significant for planning purposes.
Differences Between User Profiles and AUTOEXEC.BAT Files
Note the following differences between the user profile and the AUTOEXEC.BAT file:
The AUTOEXEC.BAT file resides on an individual workstation diskette or hard disk. The contents of the file can vary from workstation to workstation in the network. The user profile is maintained by the StreetTalk naming service within VINES. Each user has a separate StreetTalk record. The user profile is on the network and is the same no matter where on the network a user logs in.
If you anticipate that users will be required to log in from many different types of workstations on the network, you must ensure that the profile commands do not conflict with the configuration settings of the workstations. The next sections contain some specific examples.
Logging In to Multiple Clients
If users log in to more than one type of client (DOS, Windows, OS/2, or Macintosh), you can tailor their profiles to use workstation resources more efficiently. Conditional IF statements in the profile map resources that are appropriate to the workstation or network connection (LAN or Dial-in).
For example, the command:
if work=dos
setprint lpt2 on /b:"M. Jones" /p:mktprinter@mkt@wctus
endif
specifies a print service (SETPRINT) for a user who logs in to a DOS workstation but not for that user logging in to an OS/2 workstation.
Begin each entry of this file on a separate line. An entry can span more than one line as long as it does not have a carriage return. You can use upper-case or lower-case letters.
VINES executes entries in the order in which they appear. If a conflict occurs, VINES uses the last entry encountered in processing the profile.
For example, if two SETPRINT commands attempt to set the same port designator (for example, LPT1) to different print queues, VINES uses the second command.
Two hyphens or dashes in any position on a line reserve the remainder of the line for your comment. For example:
setdrive m reports@sales@wctus -- earnings
The word "earnings" after the two hyphens is a comment.
Insert comments within a user profile for your own information. VINES ignores this text when it executes the commands.
The DOS standard default drive is drive A for workstations with diskette drives and drive C for workstations with a fixed disk. You can use any Banyan network drive as the default drive.
Before changing the default drive to a network drive in the profile, you must set that drive using a SETDRIVE command. For example, if you want drive F to be the default drive and want to put the user in a directory on that drive, you must first use the SETDRIVE command to assign drive F to a VINES file service, such as:
setdrive f fsadmin@sales@wctus
F:
cd accounts
The SETDRIVE command for Windows 95 clients supports UNC names in profiles. Your workstation can connect to any network server that supports UNC naming. For example, to connect to the Banyan file service SalesReports@Marketing@WCT, enter:
setdrive g \\SalesReports@Marketing@WCT
To connect to the Lan Manager share SalesReports on server Marketing, enter:
setdrive h \\SalesReports\Marketing
Profile entries are executed in the order in which they appear. Therefore, DOS commands (for example, CD) that refer to a drive specifier must follow the SETDRIVE command that assigns the specifier to a file volume.
Be aware that even though profiles are stored on servers, they can confine a user's login to a specific workstation. For example, if the POSTLOGIN command with the /LOGOUT switch in a profile specifies that an executable file on a fixed disk must run and a user logs in on a workstation that does not have the file, the user is logged out automatically.
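The profile rules described above (one entry per line, case-insensitive keywords, "--" comments, IF work=... / ENDIF conditionals, last conflicting SETPRINT wins, SETDRIVE before any reference to the drive, 1023-character limit) can be checked before a profile is saved. The following simulator is an added example written for this chapter, not Banyan code; the workstation keywords other than "dos", the function names, and the sample profile are my own assumptions.

```python
"""Constructed simulator for the VINES user-profile rules described in this chapter.
Function and field names are assumptions, not Banyan's; only the 'dos' keyword of
IF work=... is taken from the manual, the other type keywords are assumed."""

MAX_PROFILE_CHARS = 1023
WORKSTATION_TYPES = {"dos", "windows", "os2", "mac"}   # assumed keyword spellings


def strip_comment(line: str) -> str:
    # Two hyphens anywhere on a line reserve the rest of the line for a comment.
    idx = line.find("--")
    return (line if idx < 0 else line[:idx]).strip()


def evaluate_profile(profile: str, workstation: str) -> dict:
    """Walk a profile as VINES would for the given workstation type and return the
    resulting drive mappings, port-to-print-service mappings, default drive and
    directory, pass-through entries, and any problems found."""
    if len(profile) > MAX_PROFILE_CHARS:
        raise ValueError(f"profile is {len(profile)} characters; limit is {MAX_PROFILE_CHARS}")
    workstation = workstation.lower()
    if workstation not in WORKSTATION_TYPES:
        raise ValueError(f"unknown workstation type {workstation!r}")

    state = {"drives": {}, "printers": {}, "default_drive": None,
             "cwd": None, "other": [], "problems": []}
    active = [True]   # stack of IF conditions; an entry runs only when all are true

    for lineno, raw in enumerate(profile.splitlines(), start=1):
        text = strip_comment(raw)
        if not text:
            continue
        parts = text.split()
        cmd = parts[0].lower()   # upper- and lower-case letters are both accepted

        # IF work=<type> ... ENDIF makes entries conditional on the workstation type.
        if cmd == "if":
            cond = "".join(parts[1:]).lower()   # tolerate "work = dos"
            if not cond.startswith("work="):
                state["problems"].append(f"line {lineno}: unsupported condition {text!r}")
                active.append(False)
            else:
                active.append(cond[len("work="):] == workstation)
            continue
        if cmd == "endif":
            if len(active) == 1:
                state["problems"].append(f"line {lineno}: ENDIF without IF")
            else:
                active.pop()
            continue
        if not all(active):
            continue

        if cmd == "setdrive" and len(parts) >= 3:
            # setdrive <letter> <file service or UNC path> [switches]
            state["drives"][parts[1].lower()] = parts[2]
        elif cmd == "setprint" and len(parts) >= 2:
            # Conflicting SETPRINT entries for one port: the last one encountered wins.
            state["printers"][parts[1].lower()] = " ".join(parts[2:])
        elif len(cmd) == 2 and cmd[1] == ":" and cmd[0].isalpha():
            # Changing the default drive to a network drive needs a prior SETDRIVE;
            # A: and C: are the DOS standard defaults and need no mapping.
            letter = cmd[0]
            if letter not in state["drives"] and letter not in ("a", "c"):
                state["problems"].append(
                    f"line {lineno}: drive {letter.upper()}: used before SETDRIVE assigns it")
            state["default_drive"] = letter
        elif cmd == "cd" and len(parts) >= 2:
            state["cwd"] = parts[1]
        else:
            # Other VINES, DOS or OS/2 entries (USE, SETMAIL, DIR, ...) pass through unchanged.
            state["other"].append(text)

    if len(active) > 1:
        state["problems"].append("IF without matching ENDIF")
    return state


# Constructed sample profile exercising each rule; not taken from the manual's figures.
SAMPLE_PROFILE = """\
setdrive m reports@sales@wctus -- earnings
if work=dos
setprint lpt2 on /b:"M. Jones" /p:mktprinter@mkt@wctus
endif
setprint lpt1 on /p:first@mkt@wctus
SETPRINT LPT1 ON /p:second@mkt@wctus -- last entry wins
setdrive f fsadmin@sales@wctus
F:
cd accounts
G:
"""

if __name__ == "__main__":
    for ws in ("dos", "os2"):
        print(ws, evaluate_profile(SAMPLE_PROFILE, ws))
```

Running it for "dos" and "os2" shows the LPT2 mapping present only for DOS, the second LPT1 entry winning, and a problem reported for the unmapped G: drive.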
Table 6-1 lists and describes the commands that can be put in a user profile and the workstations that they control.
See the Command Reference for a description of the VINES profile commands and the workstations that they can be executed from.
Security Considerations
Some commands have implications for network security. For example, you can make use of the SETDRIVE /ROOT switch to restrict a user's working directory for a particular network drive. You can also prevent a user from deleting a mapping between a drive and a network file volume that is defined in the user's profile.
Another command that can help implement security is the IF/ENDIF command, which makes the execution of a profile command conditional on the type of workstation (DOS, Windows, OS/2, or Macintosh) that a user logs in to.
For more information on these commands, see the Command Reference.
OS/2
The user profile in an OS/2 environment does not work the same way that it does in a DOS environment. The CD and PATH commands in the user environment have no effect after the application in which they are executed exits.
You can use the following facilities to tailor the user environment in OS/2 when the user opens a session:
OS/2 CONFIG.SYS file
SETDRIVE /ROOT command
POSTLOGIN command
For more information, see Managing Users and StreetTalk.
Macintosh
Only a few profile commands apply to Macintosh users. These include IF...ENDIF, SETMAIL, and !SETSTDA if users are running the Macintosh network Mail program. If your users log in only on Macintosh computers, they do not need IF...ENDIF commands in their profiles.
For Macintosh users you might consider creating a Sample Profile that contains the SETMAIL and !SETSTDA commands. The next section describes the Sample Profile.
VINES user profiles can include references to other profiles. This lets you write a set of commands once and then apply them to many users. You can take advantage of this feature by using the Sample Profile or creating your own template profiles.
Sample Profiles
Users within a group often need to access the same services, such as network printers and file volumes. To make creating profiles easier, VINES allows you to associate a Sample Profile with each group. The Sample Profile can set up a default VINES and DOS or VINES and OS/2 command sequence for most or all of the users in that group.
You can use the VINES Sample Profile to create a master profile for your entire group. Then, you can customize each user's profile according to the user's specific requirements.
You can include a USE command with the name of the Sample Profile in the profile of each user. When each user logs in, VINES uses the commands in the Sample Profile and any other commands in the user's profile. The example in Figure 6-2 includes a USE command that calls in a sample profile.
The commands in the Sample Profile execute as if they appear explicitly in the calling profile. You can include additional or different commands in an individual's profile to override the Sample Profile.
If you want to, you can call in any profile on the network. You are not restricted to using only the Sample Profile or one in the same group.
Note: If someone edits and saves the Sample Profile, those changes affect any users who call the Sample Profile into their own profiles at their next login. A user who is on the group AdminList can edit the sample profile.
On the first server in the network, VINES creates a Sample Profile for the first group automatically. It contains settings for any services created when the server was installed. For subsequent groups, you must create a user named Sample Profile and then add settings related to the members of the group.
The Sample Profile is a special reserved user name to which you can associate certain network settings. You cannot log in using the Sample Profile or send mail to Sample Profile, but it can be called in to any other profile.
Use Sample Profiles as much as possible. They make modifications for everyone's profiles much easier.
Template Profiles
If you find that the Sample Profile does not provide enough flexibility for your needs, you can set up other template profiles and call them into other user profiles.
If you create a template profile and add it to the network, follow these guidelines:
Give template profiles appropriate descriptive names that conform to StreetTalk naming rules.
Disable the names of template profiles so that no one can log in as a template profile.
Do not put mail services in template profiles. If you do, the mailboxes of these users will become cluttered with messages sent to StreetTalk patterns such as *@*@Org.
While user profiles can confine a user to a specified directory, they do not let you secure the network. You must do that explicitly with other VINES programs such as StreetTalk Explorer, MUSER, MGROUP, or SETARL.
Managing Users and StreetTalk describes how to create template profiles.
You can assign many security settings to users and the groups to which they belong. These settings control how users log in to the network, the times they can log in, and what they see when they log in. You can use StreetTalk Explorer or the MUSER and MGROUP programs to assign security settings for users and groups.
If you specify security settings, the settings are processed when the user logs in. Some of the settings control the login process itself, while others take effect only after the user logs in. Like the user profile, these settings are associated with the user's StreetTalk name or group and take effect at any workstation in the network.
If you require strict control over what a user can do on the network, you can provide security settings that go into effect any time that person logs in. The settings increase general system integrity and help you deal with special situations, such as vacation time or the presence of temporary employees.
The next sections provide an overview of those settings.
When you assign security settings to users, you have these options:
Accept the default settings that VINES automatically assigns all new users. Caution: If you accept VINES defaults, your network is less secure than if you change the defaults before startup. If this is unacceptable, you should plan to implement stricter security controls before the network is started.
Assign security settings to each StreetTalk group. These settings become defaults for all the users in the group. This is a simple and straightforward strategy. You do not have to enter all the security settings. The ones you enter override any that conflict with VINES default settings. For those settings that you don't enter, the VINES default settings remain in effect.
Assign each user specific settings. As with group settings, you do not have to enter all of them. The ones you enter override any that conflict with group or VINES default settings. For those that you do not enter, the group or VINES default settings remain in effect.
When you assign specific settings to a user, VINES also assigns to that user any group settings that you have not overridden. From then on, the user is not affected by any changes that you make to group security settings through StreetTalk Explorer or MGROUP.
You can combine the options described above. For example, you can let VINES assign some settings, and you can assign others to a group and to individuals. Always keep in mind that individual user settings always override group settings.
The next section describes some of these settings and other ways to control what users can access.
You control what users can access on the network by using VINES security features in these ways:
Managing the passwords that protect each user's login name
Restricting the user's ability to log in
Disabling the user name to prevent the user from logging in
Forcing a user to log out
Preventing users from modifying their profiles
Controlling the AdminLists that protect network resources
Specifying access rights to file volume directories, print services, and communications with host computers
Customizing the VINES Files volume (drive Z) to determine the user's access to VINES commands
Creating a dial-in and internetwork access list with the OPERATE command
The sections that follow explain these VINES security features. Note that you use StreetTalk Explorer or the MUSER program to implement most of these security features. Customizing the drive Z is described in Chapter 7.
Managing Passwords
Password control features include:
Preventing users from changing their own passwords
Setting a minimum length for the password
Forcing users to change their passwords the next time they log in
Specifying how long the password is valid
Forcing users to change their passwords when they expire
When a login name has a password associated with it, only a user who knows the password can log in with that name. Password protection is especially important for the login names of administrators, who can perform any of the tasks described in this reference. However, other network users may need to protect their login names as well.
You can change a user's password at any time. When you change a password, VINES requires that you specify whether the user should be prompted to change the password the next time the user logs in. The default is NO.
You can specify a minimum length for a password, whether a user is able to change it, and whether a user must change it at periodic intervals.
Passwords can be a maximum of 15 characters on Banyan client workstations and eight characters on Macintosh computers. While a very long password is difficult to remember, you should insist that users choose passwords of at least six or seven characters if they select their own passwords.
You can assign the user an expiration date, which is the date that the user name expires. Doing so can be useful if you know that the user needs to use the network for only a short period of time.
Restricting Logins
You can restrict a user's ability to log in to the network. For example, you can state the times of day a user can log in or specify an expiration date for a password. See Figure 6-3.
One special feature allows you to restrict user logins to specific workstations and specific physical locations on the network. VINES has the following four levels of login restrictions:
Workstation-type restrictions - Indicate that a user can log in from only a DOS, Windows, OS/2, or Macintosh workstation. The default setting lets the group of users log in from any type of workstation.
Server-level restrictions - Mean that a DOS, Windows, or OS/2 user can log in only from links attached to a particular server. All workstations on all LANs and serial lines attached to the server are valid login locations for the user.
Link-level restrictions - Confine DOS, Windows, or OS/2 user logins to workstations on a particular link (for example, a line or LAN) connected to a specific server.
Workstation-level restrictions - Indicate that a DOS, Windows, or OS/2 user can log in only from a specific workstation on a specific link connected to a specific server.
Server-level, link-level, and workstation-level restrictions are cumulative and apply only to DOS, Windows, or OS/2 users. When you run the MUSER program to specify restrictions, you can specify restrictions that include a server, a link, and a node. Only workstation-type restrictions apply to Macintosh computers.
Once you specify group or individual settings that restrict a user's login locations, that person cannot log in from anywhere else in the network.
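The settings precedence described earlier (VINES defaults, overridden by group settings, overridden by individual settings, with a user keeping a copy of the group settings once individual settings are assigned) and the login restrictions just listed can be modelled together. This is an added example written for this chapter, not VINES code; the default values, server and link names, and all function names are assumptions.

```python
"""Constructed model of VINES security-setting precedence and login restrictions.
Default values, names and the data layout are assumptions made for this example."""

from dataclasses import dataclass, field
from typing import Optional

# Assumed defaults: the chapter says VINES defaults exist but does not list them.
VINES_DEFAULTS = {
    "can_edit_profile": True,
    "min_password_length": 0,
    "workstation_types": frozenset({"dos", "windows", "os2", "mac"}),
    "server": None, "link": None, "node": None,   # None = no location restriction
}


@dataclass
class Group:
    name: str
    settings: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    group: Group
    settings: dict = field(default_factory=dict)
    frozen_group_settings: Optional[dict] = None   # filled when user-specific settings are assigned


def assign_user_settings(user: User, **settings) -> None:
    """Give a user specific settings. VINES also assigns the current group settings to
    that user at this moment, so later group changes (MGROUP) no longer affect the user."""
    if user.frozen_group_settings is None:
        user.frozen_group_settings = dict(user.group.settings)
    user.settings.update(settings)


def effective_settings(user: User) -> dict:
    """Defaults < group (or the user's frozen copy of it) < individual settings."""
    merged = dict(VINES_DEFAULTS)
    group_layer = (user.group.settings if user.frozen_group_settings is None
                   else user.frozen_group_settings)
    merged.update(group_layer)
    merged.update(user.settings)   # individual user settings always override group settings
    return merged


def login_allowed(user: User, workstation: str, server: str, link: str, node: str):
    """Check a login attempt against the workstation-type restriction (all clients) and
    the cumulative server/link/node restrictions (DOS, Windows and OS/2 clients only)."""
    s = effective_settings(user)
    if workstation not in s["workstation_types"]:
        return False, f"{workstation} workstations are not permitted for {user.name}"
    if workstation == "mac":
        return True, "ok (only workstation-type restrictions apply to Macintosh)"
    for level, actual in (("server", server), ("link", link), ("node", node)):
        required = s[level]
        if required is not None and required != actual:
            return False, f"{level}-level restriction: must be {required}, got {actual}"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: two users in group MKT; Jones gets an individual link
    restriction, then the group's server restriction is changed afterwards."""
    mkt = Group("MKT", {"can_edit_profile": False, "server": "srv1@mkt@wctus"})
    smith = User("Smith@MKT@WCTUS", mkt)
    jones = User("Jones@MKT@WCTUS", mkt)
    assign_user_settings(jones, link="lan1")        # Jones now keeps a copy of MKT's settings
    mkt.settings["server"] = "srv2@mkt@wctus"       # affects Smith, not Jones
    return {
        "smith_server": effective_settings(smith)["server"],
        "jones_server": effective_settings(jones)["server"],
        "jones_can_edit_profile": effective_settings(jones)["can_edit_profile"],
        "jones_lan1": login_allowed(jones, "dos", "srv1@mkt@wctus", "lan1", "node7"),
        "jones_lan2": login_allowed(jones, "dos", "srv1@mkt@wctus", "lan2", "node7"),
        "jones_mac": login_allowed(jones, "mac", "srv9@mkt@wctus", "lanX", "node1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```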
Login restrictions do not affect users in groups for which you are not an administrator. You may want to coordinate the login restriction that you impose with other administrators at your site.
StreetTalk for Windows NT software supports only server-level restrictions.
Disabling the User Name
At any time, you can disable a user name. All information about the user remains intact, including the password, user profile, and security settings. The user cannot log in until you enable the user's name again.
Forcing a User to Log Out
You can use StreetTalk Explorer or the MLOGOUT command to log out a user on any workstation in the network.
You can also specify whether a user should be forcibly logged out if the user is logged in at an invalid time or if the user's name expires while logged in.
The Command Reference describes the MLOGOUT command.
Preventing Users from Modifying Their Profiles
You can use StreetTalk Explorer and the MUSER program to specify whether users can modify their own profiles.
Controlling AdminLists
As described in Chapter 3, VINES uses an AdminList to identify the users who have administrative privileges in each group. The list contains the StreetTalk names of those users who can perform administrative tasks within the group. Each server on the network also has an AdminList.
With VINES, no super administrator or super user can override security throughout the network.
Only administrators can modify AdminLists. To keep a user from managing network resources, exclude them from the appropriate AdminLists and keep those lists small.
Managing Users and StreetTalk describes the tasks you can perform when you belong to different lists.
Specifying Access Rights
Access rights lists (ARLs) protect file volume directories and files from unauthorized access.
Each ARL consists of the StreetTalk names of those who can use a resource. For directories and files on server disks, you set specific levels of access.
For printers and host computers, a user either has access to the resource or not. For example, to restrict access to a printer, you restrict access to a print service. You create access lists of users, operators, and administrators.
You set the initial access rights when you add a resource, such as a printer, host connection, or directory, to the network. You can modify access rights at any time.
Remember that access rights lists can include StreetTalk lists. Users can be granted the right to modify StreetTalk lists.
You may want to exclude individuals or groups of users from having access to a service, or part of a service such as a directory or a host connection. You accomplish this by specifying access rights to the service or parts of it, as explained in later chapters about each service.
For more information on ARLs for files and directories, see Chapter 9. Chapter 10 describes how to control access to print services.
Creating Dial-in and Internetwork Access Lists
StreetTalk Explorer and the OPERATE program allow you to create dial-in and internetwork access lists for users connecting to native VINES servers. A dial-in access list contains the StreetTalk names and lists that specify who can dial in to the native VINES server. The internetwork access list controls the exchange of information between your network and other networks. It specifies the servers that are allowed to connect to this server over serial lines or TCP/IP networks, and the kinds of information that can pass between the networks to which the servers are connected.
Guest Logins on Macintosh Computers
The VINES AFP service lets you enable logins for Macintosh users who do not have a StreetTalk name. They use the Chooser to log in to VINES and can mount network file volumes on their desktops. VINES supports Guest Login in the same way as the AppleShare Guest Option.
You can enable or disable the Guest Login only for individual servers, but not for individual network file volumes.
If you plan to enable Macintosh Guest Login, be sure that you set the access rights you need on file volumes. Guests have the same Access Privileges as the "World" category. See Chapter 9 for more information.
Getting Information About Users
You can view information about network users with StreetTalk Explorer and the MUSER program.
The StreetTalk REPORT program also provides information about the network and allows you to print out user profiles and other important data. The MSERVICE and OPERATE programs, as well as the server console, provide access to system logs of user activity on the network. Managing VINES Services provides complete information.
StreetTalk Explorer includes an optimize and audit feature that helps you keep lists, nicknames, and user names current. See Managing VINES Security for more information.
The USERS command displays the names of users who are currently logged in to VINES. It can tell you the following information about each user:
VINES revision number (for example, 7.10)
Operating system (for example, DOS, Windows, OS/2, or Macintosh)
Language version (for example, USA)
VINES Files configuration information
If a user is logged in to more than one workstation (for example, a Windows PC and a Macintosh computer), the USERS command displays information about both login sessions.
The Command Reference describes the USERS command.
To manage users most efficiently, follow the guidelines in this list:
Set up access rights and security throughout the system.
Select a scheme for assigning and managing passwords.
Classify your users into general categories: for example, beginning users (having little or no experience with computers) and advanced users. For beginning users, make network access as easy and transparent as possible. Use batch files, workstation software configuration, and the user profile to set up all the programs they need.
On multi-server networks, user logins perform better if the user's group is maintained on a server with a direct LAN connection to the user's workstation. Whenever possible, add users to a group on a server to which they have a direct LAN connection.
Locate a user's primary print, file, and other services on the same server as the user's StreetTalk name. Add those services to the same group as the user.
Determine which users you want to confine to specific workstations or types of workstations and those who will be able to log in from any workstation in the network.
Complete the tasks in this list to ensure that you have properly planned for managing users:
Assign every user a StreetTalk name and password.
Modify the sample profile and associate it with groups in your organization.
Create user profiles for users.
Assign security settings to users.
When you finish reading this chapter, you should be familiar with these terms:
ARL (Access Rights List) - A list that specifies to what degree VINES users can access directories on network drives, the files within them, and some VINES services.
Link - A physical connection between two points on a Banyan network. You can apply link-level restrictions to prevent unauthorized access to particular points on the network.
Password - A code that VINES users type after entering their StreetTalk login name to begin a VINES session. The password protects a Banyan network from unauthorized access. Passwords are case-sensitive and must be typed exactly as specified.
User profile - Information in StreetTalk that is applied when a user logs in to a Banyan network. The VINES and DOS commands in the user profile specify the working environment for a user.
Sample Profile - A reserved StreetTalk item name. Sample Profile defines a working environment for VINES users; each group can define one Sample Profile. By mapping the Sample Profile to the profiles of any or all of a group's users, administrators can change the Sample Profile to update the working environment of those group members.
For more information on the topics discussed in this chapter, see the following books in the VINES documentation set:
VINES User's Guide for DOS and OS/2