Lesson 5: Securing Windows 2000 User Access to Heterogeneous Networks

When designing access to resources stored in heterogeneous networks by Microsoft clients, you can provide secure access by using one of two methods: native clients or gateway services.

The native clients method requires that additional client software be loaded at the Microsoft clients. The client software allows the Microsoft client to make native connections to the heterogeneous server hosting the data.

The gateway services method requires that client software be loaded on a single gateway computer. The gateway then publishes resources from the heterogeneous network so that Microsoft clients can access the data through the gateway.


After this lesson, you will be able to

  • Design secure access to data stored on heterogeneous networks from Microsoft clients

Estimated lesson time: 30 minutes


Securing Access to NetWare Resources

Many networks use NetWare servers for file and print services. You can provide Windows 2000 Professional–based computers with access to NetWare resources by installing Client Services for NetWare (CSNW) or by installing Novell Client v4.8 for Windows NT/2000 from Novell NetWare, as shown in Figure 16.5.


Figure 16.5 Windows 2000 Professional–based computers accessing NetWare resources with NetWare client software

Both clients require a user account in the NetWare environment that allows the user to authenticate with the NetWare environment.

NOTE

CSNW requires the installation of the NWLink IPX/SPX Compatible transport. Novell Client v4.8 for Windows NT/2000 can use TCP/IP when connecting to NetWare 5 network resources.

Alternatively, Windows 2000 Professional–based computers can access NetWare resources through a server with GSNW installed, as shown in Figure 16.6.


Figure 16.6 Accessing NetWare resources through a server running GSNW

Both methods require planning to ensure that security of the resources is maintained when Microsoft clients access NetWare resources.

Providing Access to NetWare Resources by Using a Native Client

Windows 2000 Professional–based computers can access NetWare resources by installing either CSNW or the Novell Client v4.8 for Windows NT/2000. These client services act as a redirector for Windows 2000, allowing the Windows 2000–based computer to access resources in a Novell NetWare environment.

Both clients recognize attempts to access NetWare resources and translate the requests into NCP so that the NetWare servers can authenticate the user and provide access.

To use the native NetWare clients, include the following in your network security deployment plan:

  • Deploy the client software. Neither CSNW nor the NetWare Client are installed by default. Install the selected software at all clients that require access to the NetWare resources.
  • Create user accounts in the NetWare environment. Create user accounts in the NetWare Bindery (for NetWare 3.x and older networks) or in NDS for NetWare 4.x and later networks. The user will use the user account and password to authenticate with the NetWare directory.

    Comparing NetWare Trustee Rights to NTFS Permissions

    NetWare assigns trustee rights to directories and files to determine what permissions are assigned to a user or group accessing the resources. NetWare trustee rights are composed of the following individual rights:

    • Read. Allows users to read data in an existing file
    • Write. Allows users to add data to an existing file
    • Create. Allows users to create new files or new directories
    • Erase. Allows users to delete existing files or directories
    • Modify. Allows users to rename or change the attributes of files or folders
    • File Scan. Allows users to view the contents of a directory
    • Access Control. Allows users to modify trustee rights for folders
    • Supervisor. Allows users all rights to folders or files

    NetWare trustee rights are similar to NTFS permissions in their deployment. Only users with Supervisor rights (similar to Full Control in a Windows 2000 environment) or Access Control (similar to the Permissions permission) can modify the security for a file or directory.

    Table 16.9 lists the NetWare trustee rights that are equivalent to NTFS folder permissions in Windows 2000.

    Table 16.9 Comparing NTFS Permissions with NetWare Trustee Rights

    NTFS Folder Permissions    NetWare Trustee Rights
    List Folder Contents       File Scan
    Read                       Read, File Scan
    Write                      Write, Create, Modify
    Modify                     Read, Write, Create, Erase, Modify, File Scan
    Full Control               Supervisor

  • Configure the NetWare client. Configure the client software to connect the user to the correct naming context in NDS or to a preferred server in a Bindery environment. The naming context indicates where the user's account is located in the NDS directory structure.
  • Implement a strategy to manage user passwords. Users now have two user accounts: one for Active Directory and one for NDS. Develop a strategy for the users to maintain the two accounts. The strategy can involve entering two separate sets of credentials or using MSDSS to synchronize passwords between NDS and Active Directory.
  • Design NetWare permissions to restrict access. Access to NetWare resources is controlled entirely through the definition of trustee rights to the NetWare volume resources.

Providing Access to NetWare Resources by Using a Gateway

Windows 2000 can also allow access to NetWare resources through a single computer running GSNW. The Windows 2000–based server running GSNW authenticates with the NetWare server using an account in NDS or the NetWare Bindery. The GSNW server then publishes NetWare resources as if they were shares on the GSNW server. Microsoft clients access the resources using the SMB or Common Internet File System (CIFS) protocols without having to connect directly to the NetWare server.

If you plan to use GSNW to provide access to NetWare resources, consider the following items when designing your security plan:

  • The user account that GSNW uses to connect to the NetWare environment must be a member of the Ntgateway group on the NetWare server. Only members of the Ntgateway group can provide gateway services to the NetWare resources.
  • All trustee rights must reference the gateway account to secure access by users connecting through GSNW. All access to the NetWare server is performed using the credentials defined for the gateway.
  • Individual users aren't identified when accessing NetWare resources through the GSNW gateway. If you require varying levels of access to NetWare resources, consider configuring multiple GSNW servers, as shown in Figure 16.7. Each GSNW server will have a unique gateway user account. As indicated in the figure, both the Gateway1 and Gateway2 accounts must be members of the Ntgateway group on the NetWare server. But you can assign different trustee rights to each gateway account.


    Figure 16.7 Providing different levels of access by implementing multiple GSNW servers

  • Define Share permissions at the GSNW server at the maximum level of trustee rights granted to the gateway account on the NetWare server. The most restrictive Share permissions and NetWare trustee rights will be the effective permissions. Because the resources are stored on a NetWare server, defining access permissions will commonly be the duty of the NetWare administrator.
  • IPX/SPX must be run in the NetWare environment. GSNW requires that IPX/SPX be used for connecting to the NetWare server.
  • Drive letters limit the number of GSNW shares. You can connect to NetWare servers only if available drive letters exist at the GSNW server. If no drive letters are available, you can't establish further connections.

Making the Decision

Use Table 16.10 to determine whether you should provide access to a NetWare environment by installing NetWare clients at the Windows 2000–based client computers or through GSNW.

Table 16.10 Designing Access to NetWare Resources

Use: Client Services for NetWare
When:
  • User-level security is required in the NetWare environment. CSNW requires that each user has an account in the NetWare environment.
  • Your network allows protocols other than TCP/IP to be installed at client computers.

Use: Novell Client v4.8 for Windows NT/2000
When:
  • All connectivity with the NetWare environment requires TCP/IP protocols.
  • Administration of the Novell environment must take place from the Windows 2000 Professional–based computer.
  • Synchronization of passwords between Active Directory and NDS using MSDSS is required.

Use: Gateway Services for NetWare
When:
  • Users must have only a single account in the enterprise network. Instead of the user having two accounts, one in Active Directory and one in NDS, the gateway account will be used to access NetWare resources.
  • Both Windows 2000 and NetWare administrators will manage security for NetWare resources.
  • Deployment of the IPX/SPX protocol in the Microsoft network must be limited.

Applying the Decision

All members of the accounting department require the same level of access to the data stored on the NetWare server. The NetWare server is named AIRDATA1, and the data to which the accounting department requires access is stored on the DATA: volume in a folder named Accounting. The accounting department needs only to read the data stored on the NetWare server; they must not have permission to modify the data.

Blue Yonder Airlines can use GSNW to meet the security objectives for accessing data stored on the AIRDATA1 NetWare Server. To secure the access of the accounting department, include the following in your security plan:

  • Install GSNW on a server that's accessible by the accounting department.
  • Create an account for the GSNW service in NDS and make it a member of the Ntgateway group. This account will be the account that the GSNW service uses to authenticate with NetWare.
  • Assign trustee rights at the NetWare server to allow only the gateway account Read and File Scan trustee rights to the Accounting directory on the DATA volume.
  • Establish a GSNW share at the GSNW server connecting to \\AIRDATA1\DATA\Accounting.
  • Configure share permissions for the GSNW share to allow only the accounting department Read permissions. No other groups should be allowed access to the GSNW share.
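The effective-permission rule from the GSNW design list (the most restrictive of the share permissions and the gateway account's trustee rights wins) worked through for the accounting scenario, as an added example that is not from the training kit. It assumes the Table 16.9 mapping and the standard Windows 2000 share permission levels Read, Change and Full Control; `share_over_grants` flags share permissions that exceed what the gateway account actually holds.

```python
"""Effective access for Windows 2000 clients reaching NetWare files through
a GSNW share. Added example, not from the training kit: the NTFS/trustee
mapping follows Table 16.9; share-permission levels are the standard
Windows 2000 share permissions Read, Change and Full Control."""

# Table 16.9: NTFS folder permission -> NetWare trustee rights that carry it
NTFS_TO_TRUSTEE = {
    "List Folder Contents": {"File Scan"},
    "Read": {"Read", "File Scan"},
    "Write": {"Write", "Create", "Modify"},
    "Modify": {"Read", "Write", "Create", "Erase", "Modify", "File Scan"},
    "Full Control": {"Supervisor"},
}
ALL_RIGHTS = {"Read", "Write", "Create", "Erase", "Modify", "File Scan",
              "Access Control", "Supervisor"}
# What a client may ask for through the GSNW share, in trustee-right terms
SHARE_TO_TRUSTEE = {
    "Read": NTFS_TO_TRUSTEE["Read"],
    "Change": NTFS_TO_TRUSTEE["Modify"],
    "Full Control": ALL_RIGHTS,
}

def expand(trustee_rights):
    """Supervisor carries every right, so expand it before comparing."""
    rights = set(trustee_rights)
    return ALL_RIGHTS if "Supervisor" in rights else rights

def requested_by_share(share_perms):
    """Union of the trustee rights the granted share permissions imply."""
    return set().union(*(SHARE_TO_TRUSTEE[p] for p in share_perms))

def effective_rights(gateway_rights, share_perms):
    """Rights a client really gets: the gateway account's trustee rights on
    the NetWare server, capped by the share permissions on the GSNW server.
    The most restrictive side wins, as the lesson states."""
    return expand(gateway_rights) & requested_by_share(share_perms)

def effective_ntfs(gateway_rights, share_perms):
    """NTFS-equivalent permissions (Table 16.9) the effective rights satisfy."""
    eff = effective_rights(gateway_rights, share_perms)
    return {p for p, need in NTFS_TO_TRUSTEE.items() if need <= eff}

def share_over_grants(gateway_rights, share_perms):
    """Rights the share offers that the gateway account cannot deliver. The
    lesson says to set share permissions at the maximum the gateway holds;
    anything returned here is a misleading grant to tighten."""
    return requested_by_share(share_perms) - expand(gateway_rights)

# AIRDATA1 scenario: gateway holds Read + File Scan on DATA:Accounting and
# the accounting department gets Read on the GSNW share.
if __name__ == "__main__":
    print(effective_ntfs({"Read", "File Scan"}, {"Read"}))
    print(share_over_grants({"Read", "File Scan"}, {"Change"}))
```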

Securing Access to UNIX Resources

In some mixed networks Windows 2000 users have to access resources stored on UNIX servers. As with NetWare resources, you can provide access either directly to users or through a gateway service.

Providing Access to UNIX Resources with UNIX Client Software

To allow Windows–based computers to connect to NFS resources in a UNIX environment, Services for UNIX 2.0 provides the Client for NFS. A Windows 2000–based computer with the Client for NFS installed is able to connect to NFS shares on UNIX servers by using the same methods used to connect to Windows 2000 shares.

Client for NFS works in conjunction with User Name Mapping. When a client initially connects to the UNIX NFS server, User Name Mapping determines what UNIX UID and GID are mapped to the current Active Directory user account. User Name Mapping sends the associated UID and GID to Client for NFS, which submits the account information to the NFS server for authentication and authorization.

When planning to provide secure Windows 2000 client access to NFS shares on UNIX servers, include the following tasks in your design:

  • Distribute Services for UNIX 2.0. Install the Client for NFS software from Services for UNIX 2.0 on each client computer that requires access to the NFS share.
  • Configure security at the NFS server. The NFS server must configure security to only allow access to the authorized UIDs and GIDs.
  • Define user name mappings. Deploy User Name Mapping to associate Active Directory accounts with a UID and GID in the UNIX environment. This includes defining which accounts must be mapped from Active Directory and defining which NIS server is authoritative in the UNIX environment.
  • Define what action to take when a mapping isn't defined. Within User Name Mapping, you can either define that all nonmapped accounts are mapped to a common UID and GID or you can perform no mapping. The act of not defining a mapping blocks access to the NFS share.

Providing Access to UNIX Resources by Using a Gateway

Gateway for NFS allows Windows 2000 users to connect to UNIX NFS shares without installing NFS client software at each Windows 2000–based client computer. The Windows 2000–based client computers send file requests to the Gateway for NFS server using SMBs, and the gateway performs the file access request using the NFS protocol. Because all access is through a single point to the NFS server, the gateway server can become a bottleneck.

When planning a Gateway for NFS deployment to allow access to UNIX NFS share, address the following issues in your design:

  • Define what account will be used by the Gateway for NFS service. The account will be used to authenticate all access to the UNIX NFS share.
  • Define a user account mapping for the gateway account. Deploy User Name Mapping to map the gateway account to a UNIX UID and GID for authenticating with the NFS server.
  • Define security at the UNIX NFS server. Define security at the UNIX NFS server to avoid providing excessive permissions to the gateway account.
  • Limit which users can access the gateway. Share permissions for the gateway should limit access to authorized users. Ensure that the permissions are equivalent to the UNIX permissions so that access control is managed at the UNIX NFS server.
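A model of the User Name Mapping decisions described for both the Client for NFS tasks and the Gateway for NFS tasks above (explicit mappings, the choice between a common default identity and no mapping, and the gateway collapsing every user onto one UID/GID), as an added example that is not from the training kit or Services for UNIX. The account names, UIDs, GIDs, the `BLUEYONDER\nfsgw` gateway account and the export policy are all constructed.

```python
"""Model of how User Name Mapping (Services for UNIX 2.0) turns Windows
identities into the UID/GID an NFS server authorizes, for both the Client
for NFS and the Gateway for NFS paths described in the lesson. Added
example, not product code; the accounts, UIDs, GIDs and export policy are
constructed."""

# Constructed explicit mappings: Active Directory account -> (UID, GID)
MAPPINGS = {
    "BLUEYONDER\\alice": (1001, 500),
    "BLUEYONDER\\bob": (1002, 500),
    "BLUEYONDER\\nfsgw": (1100, 510),  # hypothetical Gateway for NFS account
}
# Constructed NFS export policy: identities the UNIX server lets in
AUTHORIZED_UIDS = {1001, 1002, 1100}
AUTHORIZED_GIDS = set()

def resolve(account, default_identity=None):
    """UID/GID User Name Mapping hands to Client for NFS. With no explicit
    mapping the result is the configured default identity, or None when
    'perform no mapping' is chosen, which blocks the share altogether."""
    return MAPPINGS.get(account, default_identity)

def nfs_decision(identity):
    """The UNIX server's check on the presented UID/GID (constructed policy)."""
    if identity is None:
        return "denied: no UNIX identity"
    uid, gid = identity
    if uid in AUTHORIZED_UIDS or gid in AUTHORIZED_GIDS:
        return f"granted as uid={uid} gid={gid}"
    return f"denied: uid={uid} gid={gid} not authorized"

def client_path(account, default_identity=None):
    """Client for NFS: each user presents their own mapped identity."""
    return nfs_decision(resolve(account, default_identity))

def gateway_path(account, share_users, gateway_account="BLUEYONDER\\nfsgw"):
    """Gateway for NFS: share permissions decide who may use the gateway,
    then every request reaches the server as the gateway's identity."""
    if account not in share_users:
        return "denied: not permitted on the gateway share"
    return nfs_decision(resolve(gateway_account))

def fallback_is_authorized(default_identity):
    """True when a common default identity would itself pass the export
    policy, so every unmapped Windows account would silently get access."""
    return nfs_decision(default_identity).startswith("granted")
```

Run `fallback_is_authorized` against the default identity before enabling a common mapping; if it returns True, the unmapped-account fallback is an open door rather than a safe catch-all.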

Making the Decision

Use Table 16.11 to determine whether you should provide access to a UNIX NFS environment by installation of Client for NFS at the Windows 2000–based client computers or through Gateway for NFS.

Table 16.11 Designing Access to UNIX NFS Resources

Use: Client for NFS
When your security design requires:
  • User-level security in the UNIX environment.
  • Preventing the gateway from becoming a bottleneck and limiting access to the NFS server.
  • All security management of the NFS data to be performed at the UNIX server.

Use: Gateway for NFS
When your security design requires:
  • No need to differentiate between user accounts when accessing the NFS share.
  • Security for NFS resources to be managed by both Windows 2000 and UNIX administrators.

Applying the Decision

Blue Yonder Airlines could use either Client for NFS or Gateway for NFS to provide access to the UNIX NFS server to store status reports. The requirements don't indicate whether varying levels of access are required. You must deploy the following to provide secure access to the NFS server:

  • If Client for NFS is deployed to all Windows 2000–based client computers to provide access to the UNIX NFS share, then you should
    • Create a user name mapping for each Active Directory account that requires access to the UNIX NFS server. Each user account that requires access to the UNIX NFS server must have a user name mapping created that associates its Active Directory account with a UNIX UID and GID.
    • Configure User Name Mapping to perform only name mappings for defined user accounts. If a user account that doesn't have a mapping defined is presented, User Name Mapping won't apply a default mapping.
    • Define security at the NFS server to limit access to only authorized users.
  • If Gateway for NFS is deployed to provide Windows 2000–based client computers access to the NFS share, then you should
    • Create a user name mapping for the gateway account that requires access to the NFS server. The gateway account must have a user name mapping created that associates the Active Directory account with a UNIX UID and GID.
    • Configure User Name Mapping to only perform name mappings for defined user accounts. If a user account that doesn't have a mapping defined is presented, User Name Mapping won't apply a default mapping.
    • Define security at the NFS server that restricts access to the gateway account.
    • Define security at the gateway computer to allow only authorized users to connect to the NFS share.

Lesson Summary

When Windows 2000 clients require access to resources stored on NetWare or UNIX servers, you must decide whether to provide individual access or collective access. Whatever method you choose, ensure that Active Directory accounts are associated with UNIX UIDs and GIDs so that the connecting user doesn't have to provide additional credentials.



Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security: Designing Microsoft(r) Windows(r) 2000 Network Security (IT-Training Kits)
ISBN: 0735611343
Year: 2001
Pages: 172
