To make Windows 2000 network resources available to heterogeneous clients, you must be sure that only authorized users access those resources. The methods for making resources available to heterogeneous clients will depend on which operating system the clients use.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
Windows 2000 supports resource access for Macintosh clients through Microsoft's File Services for Macintosh and Print Services for Macintosh. These services allow Macintosh clients to securely access resources stored on Windows 2000–based servers without installing additional software on the Macintosh clients.
NOTE
For the highest level of security, install the MS-UAM on each Macintosh client to allow 14-character encrypted passwords for authentication.
The File Services for Macintosh service in Windows 2000 provides user access to Macintosh clients. Macintosh clients are able to connect to the Windows 2000–based server using either AppleTalk Phase 2 protocol or, if AppleShare client version 3.7 or later is installed on the Macintosh clients, Apple Filing Protocol (AFP) over TCP/IP.
Windows 2000 allows the Macintosh clients to access the server by using Mac-accessible volumes that are predefined at the Windows 2000 server. The Mac-accessible volume is an entry point to an NTFS volume on a Windows 2000–based server. The Macintosh client can connect to the Mac-accessible volume by selecting the volume in the Macintosh Chooser.
Security for Mac-accessible volumes is defined by the permissions set on the Mac-accessible volume and the NTFS permissions set on the folders and files within the Mac-accessible volume. The user's effective permissions for the Mac-accessible volume will be defined by their Active Directory user account and primary group.
Comparing Macintosh and Windows 2000 Permissions
File Services for Macintosh translates permissions between Macintosh and Windows 2000 permissions. When permissions are defined at the Macintosh client, the permissions are translated to NTFS permissions for the files stored on the Mac-accessible volume. Likewise, Macintosh permissions set on the files and folders stored in the Mac-accessible volume are translated into NTFS permissions.
- NTFS Read permissions are translated to See Files and See Folders permissions for Macintosh clients.
- NTFS Write and Delete permissions are translated to the Make Changes permission for Macintosh clients.
Macintosh permissions differ from Windows 2000 permissions because permissions are assigned only to folders and permissions can't be assigned to multiple users and groups. Macintosh permissions are assigned to three categories of users for all folders.
- Owner. The user who creates the folder.
- Primary Group. Each folder is associated with a specific Macintosh group. The group can be any global group in the domain.
- Everyone. All other users who have permissions to access the folder. This includes users connecting with Guest credentials.
AppleTalk provides no native mechanisms for securing printer access in a Macintosh network. Because of this, Macintosh clients assume that security isn't required for access to printers and don't send user credentials when printing.
You can implement print security by changing the service account associated with the MacPrint service to a specific user account rather than the default of the System account. You can then restrict access to specific printers by assigning the new service account Print permissions only to the printers accessible to Macintosh users.
When designing resource access for Macintosh clients, consider the points in Table 16.6.
Table 16.6 Securing Windows 2000 Resource Access for Macintosh Clients
To | Include the Following in Your Design |
---|---|
Allow Macintosh clients to access NTFS volumes | Install File Services for Macintosh on any servers to which Macintosh clients require access. Ensure that all Macintosh clients are running System 6.0.7 or later as their operating system. Define Mac-accessible volumes in the Computer Management console. |
Ensure the highest level of security for Macintosh users | Deploy the MS-UAM to all Macintosh clients to enable 14-character encrypted passwords. |
Restrict access to Mac-accessible volumes to authorized users | Disable guest access to the Mac-accessible volume. Configure a volume password and distribute the password only to authorized users. Define NTFS permissions on files and folders in the Mac-accessible volume to restrict access for Macintosh users. |
Blue Yonder Airlines must install File Services for Macintosh on the BYDATA server to allow Macintosh users in the Marketing department to access stories and digital photos.
Blue Yonder must establish a process that lets Microsoft clients store the stories and digital photos within the folder structure designated as the Mac-accessible volume. Define the permissions for the Mac-accessible volume to allow both Windows and Macintosh users to access the data. For the Macintosh users, create a global group to contain all the Macintosh users. To allow Macintosh computers to define permissions on the Mac-accessible volume, designate this global group as the users' primary group in Active Directory Users And Computers.
Restrict access to the AGFA film printer by creating a custom user account to act as the service account for the MacPrint service on the BYDATA server. By configuring the permissions for the AGFA film printer to assign only Print permissions to the custom user account, you limit access to the Macintosh users.
FPNW allows a Windows 2000–based server to provide secure access to file and print resources to NetWare clients using NetWare Core Protocol (NCP). FPNW emulates a NetWare 3.x server and allows NetWare clients to connect to Windows 2000 resources by using NetWare clients and utilities.
You can provide file access to NetWare clients by defining Novell volumes in the Computer Management console. Setting permissions on the NetWare volume can restrict access to authorized users. Defining NTFS permissions on folders and files within the NetWare volume also affects effective permissions. As with Windows 2000 native access, the most restrictive volume and NTFS permissions are the effective permissions for resources.
NOTE
The user account named FPNW Service Account must have Read permission for the directory that's the root of a NetWare volume.
Only user accounts that are NetWare-enabled accounts can access the NetWare volumes on the Windows 2000–based server.
All shared printers hosted by the Windows 2000–based server running FPNW are accessible to both Windows and NetWare client computers. NetWare clients use the share name defined for the printer as the queue name for the printer. You can control printer access by assigning Print permissions to groups that contain the NetWare-enabled user accounts.
NOTE
Within File and Print Services for NetWare, you can define a default queue to which NetWare clients will connect for printing.
Table 16.7 outlines the design decisions you face when securing NetWare client access to Windows 2000 resources.
Table 16.7 Securing Windows 2000 Resource Access for NetWare Clients
To | Include the Following in Your Design |
---|---|
Allow NetWare clients to access NTFS volumes | Install File and Print Services for NetWare on any servers to which NetWare clients require access Ensure that all NetWare clients have the FPNW server configured as their preferred server. Define NetWare volumes in the Computer Management console. |
Restrict which user accounts can access NetWare volumes stored on a Windows 2000–based server | Define authorized accounts to be only NetWare-enabled user accounts. Configure volume and NTFS permissions to restrict access to authorized user accounts. |
Restrict access to printer resources | Assign Windows 2000 print permissions to groups consisting of NetWare-enabled accounts. |
Blue Yonder Airlines must install FPNW on the BYDATA server to allow NetWare clients at Consolidated Messenger to connect and access data on the BYDATA server. Define a NetWare volume that contains the folders where NetWare-accessible data is stored. Set NTFS and volume permissions that limit access to authorized users.
UNIX clients can use several methods to access resources stored in a Windows network. UNIX clients can use NFS, WinSock applications, and SMB clients to access file resources on a Windows 2000–based server. By installing Print Services for UNIX, Windows 2000 can support UNIX clients using Line Printer Remote (LPR) print commands to send print jobs to Windows 2000 printers.
Services for UNIX 2.0 provides an NFS Server service that allows UNIX clients using NFS client software to access file resources. The Server for NFS provided with Services for UNIX 2.0 allows a Windows 2000–based server to provide access to UNIX NFS clients. The UNIX clients see the Windows 2000–based server as a native NFS server and connect using NFS protocols.
The UNIX client doesn't have to provide alternate credentials when connecting to Server for NFS. Instead, Services for UNIX uses the User Name Mapping console to map UNIX UIDs and GIDs to Windows 2000 user accounts and group accounts. When the UNIX client connects, the client provides a User ID and Group ID from the UNIX environment. Server for NFS uses the defined user name mappings to determine the associated Windows 2000 user and group accounts. The Windows 2000 user and group accounts are used to determine whether access should be granted to the UNIX client.
NOTE
If a mapping can't be found, the UNIX UID will be mapped to an anonymous logon account.
Once the Windows 2000 user account is identified, access to the NFS data is determined using the DACLs defined for the NFS folders.
Alternatively, you can use a WinSock application such as FTP or Telnet to access file resources. Typically, WinSock applications allow easy access to Windows 2000 resources, but authentication is generally weaker than NFS or SMB authentication. In many cases clear text authentication is used, which increases the risk of password interception.
NOTE
You can protect authentication by using either SSL (if supported by the application) or IPSec to encrypt all the data that's transmitted.
Finally, Samba and other SMB clients for UNIX allow Server Message Block (SMB) access to Windows 2000 resources. SMB clients authenticate by submitting user accounts and passwords that exist in Active Directory. Depending on the version of the SMB client software, the authentication is either presented in a clear text or NTLM transmission.
You can support print access by UNIX clients by installing Microsoft Print Services for Unix. Print Services for UNIX installs a Line Printer Daemon (LPD) service on the Windows 2000–based server that allows UNIX clients running the LPR service to send documents to the LPD service.
NOTE
The LPD service isn't set to start automatically. You must configure the startup options to start automatically to ensure that UNIX clients are still able to submit print jobs if the Windows 2000–based server hosting the LPD service is restarted.
Table 16.8 outlines the design decisions you face when allowing UNIX clients to access resources stored on a Windows 2000–based server.
Table 16.8 Securing UNIX Client Access to Windows 2000 Resources
To | Include the Following in Your Design |
---|---|
Provide NFS access to file resources by UNIX clients | Install Services for UNIX 2.0 on the Windows 2000 Server providing UNIX client access. Configure Server for NFS to provide access to UNIX NFS clients. Configure User Name Mappings to associate UNIX UIDs and GIDs to Active Directory user and group accounts. |
Provide SMB access to file resources by UNIX clients | Install Samba client software on all UNIX clients requiring SMB access to a Windows 2000 based server. |
Secure WinSock application access to Windows 2000 resources | Enable SSL or IPSec encryption of all data transmitted between the client and the server. |
Secure all file resources access by UNIX clients | Store all data accessible by UNIX clients on NTFS partitions. Configure NTFS permissions to restrict access to only authorized users. Ensure that the user accounts assigned to UNIX users are included in groups assigned access to the resources. |
Allow UNIX clients to print to Windows 2000 printers | Install Microsoft Print Services for UNIX to allow LPR connections to Windows 2000 printers Configure the LPD service to start automatically. |
Blue Yonder Airlines must install Services for UNIX 2.0 on the BYDATA server. Services for UNIX 2.0 will allows Server for NFS to be configured to allow a user at the UNIX server to connect to the BYDATA server to access statistical reports. By mapping the UID and GID of the user account used at the UNIX server to a user and group account in Active Directory, all access by the UNIX user account can be secured.
Windows 2000 provides several services that allow heterogeneous clients to authenticate and access resources stored on a Windows 2000–based server. Although different protocols are used, you can implement standard Windows 2000 security once the heterogeneous client user authenticates with the Windows 2000–based server. By defining NTFS permissions for all resources accessed by heterogeneous clients, you can ensure that only authorized users gain access to the resources.