Early network operating systems provided just the basics in terms of network services, such as file and printer sharing. Today's network operating systems offer a far broader range of network services; some of these services are used in almost every network environment, and others are used in only a few. Despite the complexity of operating systems, the basic function and purpose of a network operating system is straightforward: to provide services to the network. The following are some of the most common of these services:
These are just a few of a large number of services that a network operating system can provide. The following sections discuss the major operating systems currently in use and how each of them deals with basic services such as authentication, security, and file and print services.
Linux/UNIX
Providing a summary of Linux in a few paragraphs is a difficult task. Unlike other operating systems, each of which has only a single variation, Linux is a freely distributable open-source operating system that has many variants called distributions. Each of these distributions offers a slightly different approach to certain aspects of the operating system, such as installation and management utilities. Some of the most common Linux distributions include Red Hat, SuSE, Debian, and Caldera. In light of the many versions of Linux, if a command or an approach is listed in this section and is not available in the version of Linux you are using, you can look for an equivalent command or approach in your version, and you will very likely find one.
Linux Authentication
People who are used to working on a Windows-based system will no doubt discover that administration on a Linux system is very different. For instance, authentication information such as a list of users is kept in a text file. This file, /etc/passwd, controls who can and cannot log on to the system. For a user to log on to the system, a valid username and password combination must be supplied. Both of these pieces of information are case sensitive.
Linux File and Print Services
Although it is not the most obvious choice for a file and print server platform, Linux can perform the role of a file and print server admirably. In a base configuration, the volumes on a Linux server are not available to network clients. To make them available, one of two file sharing services is commonly used:
As with the other NOSs discussed in this chapter, Linux has a file system permission structure that makes it possible to restrict access to files or directories. In Linux, each file or directory can be assigned a very basic set of file rights that dictates the actions that can be performed on the file. The basic rights are Read, Write, and Execute. The rights can be expressed in an alphabetic format (that is, RWX) or a numeric format (777). The rights to a file can be derived from the file ownership, from a group object, or from an "everyone" designator, which covers all users who are authenticated on the server. The Linux file permission structure might not be as sophisticated as those found in other network operating systems, but it is still more than sufficient in many environments. Printing on a Linux system occurs through a service called the Line Printer daemon. The Line Printer functionality can be accessed by any user on the network who is properly authorized and connected. In later versions of Linux, some distributions have started to provide an enhanced printing system called the Common UNIX Printing System (CUPS). Many people, however, still prefer to use the traditional Line Printer system because of its simplicity and efficiency.
Linux Application Support
If you can think of an application that you might need, chances are that it is available for Linux in some form. As well as highly sophisticated commercial applications produced by large software companies, you can find software for the Linux platform that is written by an equally enthusiastic army of small software development companies and individuals. This means that application support for Linux is on par with, if not greater than, that in other network operating systems, such as NetWare, even if it has not yet reached the levels achieved by Windows server platforms.
In a sense, all applications created for Linux are third-party applications in that Linux itself is only an operating system kernel. The applications that run on this kernel provide Linux with its functionality. On the assumption that a network server will have a number of requirements, it is common practice for the Linux kernel to be bundled with various applications and provided to customers as a package, which, as discussed earlier, is called a distribution. One aspect in which Linux certainly has the edge over other operating systems is that many Linux applications are free. Developed in the same spirit as Linux itself, and in many cases governed by the same licensing types, these free applications can seriously reduce the cost of maintaining a network server. Although it can be said that there are also free server-type applications for Windows and NetWare, there are certainly not as many of them as there are for Linux. (Note that we are referring to server applications, not applications targeted at workstations or end users.)
Linux Security
Considerable effort has been put into making Linux a very secure network operating system, and those efforts are evident. When it is configured correctly, Linux is a very secure operating system; therefore, it is often used as a company's firewall server. The following are a few highlights of Linux security:
As Linux continues to grow in popularity, it will become an increasingly common sight in server rooms of organizations of all sizes. As a network administrator, you should prepare yourself for when, not if, you encounter a Linux system. Of the platforms discussed in this chapter, UNIX and Linux have the simplest approach to file system security, although for most environments, this approach is more than sufficient. File permissions can be assigned to the creator of a file or directory, to a group, or to the entity "everyone," which includes any authenticated user. UNIX and Linux have only three rights that can be assigned. These rights are listed in Table 7.1.
The file permissions are listed to the right of the file. The first value specifies whether the entry is a file (-) or a directory (d). The next three values specify the file rights for the user, the next three for the group, and the next three for the "everyone" assignment.
Mac OS X Server
Mac OS is the operating system created for Apple Computer's line of personal computers. Mac OS has a long history, with the original version being released in 1984 to run on the original Macintosh computer. In 1999, Apple released its last major revision to its aging "Classic" operating system, Mac OS 9. The successor to the Classic Mac OS was Mac OS X, a UNIX-like operating system with a friendly and familiar user interface. Successive versions of Mac OS X have a decimal numeral, for example, Mac OS X.1, X.2, and so on. Because Mac OS X uses Linux/UNIX technology, most of the previous section on Linux applies to a Mac OS X server.
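The following is an added example (not code from the chapter) that works through the Linux/UNIX permission model just described, which also applies to Mac OS X: it parses the ten-character mode string as printed by `ls -l`, converts between the alphabetic (rwx) and numeric (777-style) forms, and decides whether a given user holds a right by picking the owner, group, or everyone class exactly as UNIX does. The listing, user names, and group names are constructed for illustration; only /etc/passwd is a path mentioned in the chapter.

```python
from __future__ import annotations

from dataclasses import dataclass

# Octal weight of each right, as used in the numeric (777-style) notation.
RIGHT_BITS = {"r": 4, "w": 2, "x": 1}


@dataclass(frozen=True)
class Entry:
    """One `ls -l` line reduced to what access control needs."""
    mode: str    # e.g. "-rwxr-x---"
    owner: str
    group: str
    name: str


def parse_mode(mode: str) -> tuple[bool, tuple[int, int, int]]:
    """Return (is_directory, (user, group, everyone)) from a 10-char mode.

    Position 0 is the type ('-' file, 'd' directory); the next three
    triplets hold r/w/x for the owner, the group and everyone else.
    Special bits (setuid 's', sticky 't') are rejected to keep the example
    to the three basic rights the chapter describes.
    """
    if len(mode) != 10 or mode[0] not in "-d":
        raise ValueError(f"unsupported mode string: {mode!r}")
    classes = []
    for start in (1, 4, 7):
        value = 0
        for ch, expected in zip(mode[start:start + 3], "rwx"):
            if ch == expected:
                value |= RIGHT_BITS[ch]
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in {mode!r}")
        classes.append(value)
    return mode[0] == "d", (classes[0], classes[1], classes[2])


def to_octal(mode: str) -> str:
    """Alphabetic to numeric form: '-rwxr-x---' -> '750'."""
    _, (u, g, o) = parse_mode(mode)
    return f"{u}{g}{o}"


def parse_ls_line(line: str) -> Entry:
    """Parse 'mode links owner group size month day time name' from `ls -l`."""
    fields = line.split(None, 8)
    if len(fields) != 9:
        raise ValueError(f"not an ls -l line: {line!r}")
    mode, _links, owner, group, _size, _month, _day, _time, name = fields
    return Entry(mode=mode, owner=owner, group=group, name=name)


def can(entry: Entry, user: str, groups: set[str], right: str) -> bool:
    """Does `user` (a member of `groups`) hold `right` ('r', 'w' or 'x')?

    UNIX consults exactly one class: the owner bits if the user owns the
    file, otherwise the group bits if the user is in the file's group,
    otherwise the everyone bits. A more permissive class further down is
    never consulted, so an owner can be locked out of a group-readable file.
    """
    _, (u, g, o) = parse_mode(entry.mode)
    if user == entry.owner:
        bits = u
    elif entry.group in groups:
        bits = g
    else:
        bits = o
    return bool(bits & RIGHT_BITS[right])


def world_writable(listing: str) -> list[str]:
    """Names of entries that grant Write to everyone: a quick audit check."""
    hits = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        entry = parse_ls_line(line)
        _, (_u, _g, o) = parse_mode(entry.mode)
        if o & RIGHT_BITS["w"]:
            hits.append(entry.name)
    return hits


# Constructed listing in `ls -l` layout (not captured from a real host).
SAMPLE_LISTING = """\
-rw-r--r-- 1 root  root   2048 Jan  5 10:00 /etc/passwd
-rw-r----- 1 root  adm    1234 Jan  5 10:00 /var/log/app.log
drwxrwx--- 2 alice staff  4096 Jan  5 10:00 /srv/projects
-rw-rw-rw- 1 bob   staff    64 Jan  5 10:00 /srv/projects/notes.txt
----rwx--- 1 alice staff   128 Jan  5 10:00 /srv/projects/locked
"""

ENTRIES = {e.name: e for e in map(parse_ls_line, SAMPLE_LISTING.splitlines())}

if __name__ == "__main__":
    for entry in ENTRIES.values():
        print(f"{to_octal(entry.mode)} {entry.mode} {entry.name}")
    print("world-writable:", world_writable(SAMPLE_LISTING))
```

Note the last entry: alice owns the file but has no rights on it even though she belongs to staff, because the owner class is the only one evaluated for her.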
Mac OS X File Systems and File and Print Services
As you might expect, the file systems used on Windows-based PCs are different from those used on an Apple system. Instead of the FAT or FAT32 file system, the original Mac file system was Apple's Macintosh File System (MFS). MFS was used with earlier Mac versions, including Mac OS 1 through 3. Mac OS 4 introduced Apple's Hierarchical File System (HFS). HFS was the primary file system format used on the Macintosh Plus and later models, until Mac OS 8.1, when HFS was replaced by HFS Plus. HFS+ is the file system most commonly associated with Mac OS X. Like NTFS, HFS+ includes many enhanced features. HFS+ supports disk quotas, byte-range locking, Finder information in metadata, support for hiding file extensions on a per-file basis, and more. One of the more publicized features of HFS+ is journaling. In a journaled file system, the system keeps a log of the hard disk's main data activity. In case of a crash or other system failure, the file system can retrieve lost data by consulting the "journal" log, restoring the system to its previous state instead of having to go through the lengthy process of rebuilding the data.
The following is a list of other file systems supported by Mac OS X:
When working in a heterogeneous network environment (one that uses different OS platforms), Mac OS X offers a wide range of support for network file and print services, supporting various file sharing protocols. A file sharing protocol is a high-level network protocol that provides the structure and language for file requests between clients and servers. It provides the commands for opening, reading, writing, and closing files across the network. Each OS uses a different protocol as its file sharing protocol. In order for a client to have access to multiple servers running different operating systems, either the client must support the file sharing protocol of each operating system or the server must support the file sharing protocol of each client. Software that adds this capability is very common and enables interoperability between Windows, Macintosh, NetWare, and UNIX platforms. The following is a list of file sharing protocols supported by Mac OS X:
Mac OS X Security
As with any other OS, Mac OS X has been designed to meet the security needs of today's businesses. This includes security measures in the local network and security protocols to be used on remote networks. The most fundamental level of security lies within the operating system itself. Any interaction with the system requires some form of authentication. The first level is user authentication. Mac OS X implements role-based user accounts. Three account types are available on Mac OS X client machines (machines not a part of a Windows domain or Mac OS X Server infrastructure), whose options can be configured in the Accounts area in the System Preferences application.
Being a UNIX-like operating system, Mac OS X naturally inherits a UNIX-style file system permission system. Every file and folder on the machine has three levels of access with three possible settings each. People familiar with UNIX, Linux, and BSD systems will feel right at home with this environment. Refer to Table 7.1 for details on Mac OS X permissions. Fortunately for those not familiar with the chmod and chown GNU commands, the Mac Finder provides an interface for managing permissions in the Get Info window. In the info window for any file or folder on the computer, there is an Ownership & Permissions area listing all possible permissions variables for the given object. The three levels of access for each file and folder are Owner, Group, and Everyone (or Other). The owner is usually the user who created the object on the system. Groups are logical collections of users on a machine. On Mac OS X client machines, groups cannot be created or modified; however, two key groups are automatically created and maintained to assist with machine administration:
Novell NetWare
Once the network operating system of choice for all but a few networks, NetWare's popularity has declined significantly over recent years. However, NetWare is still widely used in many environments, including government and education. The latest version of NetWare, version 6.5, continues Novell's tradition of providing feature-rich, enterprise-class network operating systems.
One of the features that really put NetWare on the networking map was Novell Directory Services (NDS). Like Microsoft's Active Directory, NDS (which has been around since 1994) is a directory services system that enables network objects to be stored in a database. This database can then be divided and distributed among different servers on the network. These processes are known as partitioning (the dividing) and replication (the distribution among servers on the network). Although introduced as NDS with NetWare 4.x, Novell has now renamed the product eDirectory and made it platform independent.
Like the other network operating systems, NetWare is a full-featured operating system that offers all the functions required by an organization, including file and print services, DNS and DHCP servers, and FTP and Web servers. NetWare also supports a wide range of third-party hardware and software.
NetWare Authentication
As with all the other network operating systems discussed in this chapter, by default NetWare authentication is performed by using a username and password combination. As well as supplying this information, users also need to tell client software which NDS tree to authenticate to and the location of the user object in the NDS tree. NetWare also supports numerous other authentication mechanisms such as smartcards and biometrics.
After a user has been validated to the eDirectory tree, an assortment of restrictions is evaluated, including allowed logon times and station restrictions. These prevent users from logging on during restricted times and from certain workstations.
Information about the user account and what the user can and can't access is stored in the NDS. For this reason, a copy of the NDS must be available in order for the user to be able to log on. Also, each time a user attempts to access a resource, their authentication status is checked in the NDS to make sure that they are who they say they are, and that they are allowed to access the resource. One benefit of this system is that a user need only log on once in order to be permitted resources anywhere on the network.
NetWare File Services
For many years, NetWare was considered the operating system of choice for providing file and print services. Although that might no longer be the case, many people in the IT industry still see NetWare as primarily a file and print server platform. NetWare uses a file sharing system in which all areas of the disk are available to all users who have permissions. There is no concept of share points as with Windows server operating systems, although it is possible for a user to connect to a specific folder on the server if necessary. Instead, users can map a drive to an area of a disk called a volume. Only the areas of the volume to which the user has been assigned permissions are available to that user.
Novell offers compatibility with various client operating systems by using special software drivers known as name spaces to make drives available to clients. Most commonly, the driver that mimics the file properties of Windows clients, which is called "long," is used, though NFS is also enabled by default in NetWare 6.x. File system security on NetWare is the most sophisticated of any of the popular network operating systems. In addition to a full set of file permissions, NetWare also accommodates file permission inheritance and filters to cancel out that inheritance. For those who are unfamiliar with the various features of NetWare file system security, it can all seem a bit bewildering. When you are used to it, though, you realize that it allows an extremely high level of control over files and directories.
At the core of NetWare file system security are the basic permissions. These permissions can be assigned to individual files or, where appropriate, folders. The file system rights available on a NetWare server are listed in Table 7.2.
In addition to file permission rights, on a NetWare server, files can also be assigned a range of attributes. These attributes include options such as Rename Inhibit and Delete Inhibit.
NetWare Print Services
Printing with NetWare can be implemented in a variety of ways. Traditionally, printers were defined on the server, and print queues were associated with those printers. In NetWare 6, a feature called Novell Distributed Print Services was introduced, which enables a more dynamic printing environment to be created. NetWare 6 also introduced a new feature called iPrint, which allows users to see graphical maps of the network and point and click to access network devices. To access a printer on NetWare, clients capture the output that would normally be directed to a local printer port and send it to the network printer. In early versions of NetWare, this was a process performed by using a command-line utility, called capture. Today, the process has been hidden behind the graphical interface of the client software and is largely unnoticed.
NetWare Application Support
Although application support will always be a topic of much debate, the reality is that third-party application support for NetWare is not nearly at the same level as it is for the Windows server platforms. NetWare would even have a hard time competing against Linux in this respect. However, many applications are available for NetWare, and you are likely to have a choice of applications for any given purpose.
Even though third-party support might be lacking, the applications included with the NetWare package provide many of the commonly desired network services. This includes a DHCP server, a DNS server, and a Web server application, as well as a range of other services.
NetWare Security
Similar to the other network operating systems, NetWare has many security features to help secure the server and the network. The key areas of NetWare security include the following:
The NetWare console can and should be locked for security purposes. You can lock the NetWare console by using a utility called scrsaver, which you run from the server command line. With the proliferation of Microsoft Windows server platforms, you might not actually get to work with a NetWare server. But if you do, you'll find that there is good reason why NetWare was king of the network operating system hill for so long.
Windows 2000 and Windows Server 2003
Windows 2000 was the follow-up to the popular Windows NT 4 network operating system, and it quickly established itself as a reliable and robust operating system. Windows 2000 built on the success of its predecessor and offered many improvements and advancements. In 2003, Microsoft released the latest version of its Windows server family of products, the aptly named Windows Server 2003. Microsoft still currently supports Windows 2000, and many organizations still have Windows 2000 Server systems deployed. Three different versions of Windows 2000 are available for server platforms: Windows 2000 Server, Advanced Server, and Datacenter Server. Windows 2000 is also available as a workstation operating system: Windows 2000 Professional. Windows 2000 Professional has the majority of features, capabilities, and strengths of the Windows 2000 Server products but omits the server-type network services and capabilities. Like Windows 2000, Windows Server 2003 also comes in a number of versions: Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, and Windows Server 2003 Datacenter Edition. Additionally, Windows Server 2003 Web Edition is designed as a platform for Web-based applications and services. Microsoft fully expects that you will mix and match editions of Windows Server 2003 on a network, so interoperability between the editions is seamless.
Microsoft Active Directory
Active Directory is a directory services system, similar in nature to Novell's eDirectory, which allows network objects such as users and groups to be placed into logical areas of a database. This database can then be distributed among various servers, all of which participate in the Active Directory structure. Because all the network object information is placed in a single database, albeit a distributed one, it can be used by any network application or subsystem, eliminating the need for duplicate information to be held on each server of the network. In the case of Microsoft server operating systems, Windows 2000 was the first network operating system to take this approach. Previous to this, user accounts on Windows servers were stored on each server, and special relationships called trusts had to be set up in order to allow users on one server to access resources on another. In Active Directory, trusts still exist, though their role is somewhat different. Windows servers on a network can be either domain controllers or member servers. Domain controllers are servers that have Active Directory installed and hold a copy of the Active Directory database. The term domain is used to describe a logical section of the Active Directory database. Domain controllers store user account information, so they can provide network authentication. An Active Directory domain can have several domain controllers, with each one having a read/write copy of the Active Directory database. In fact, for fault-tolerance reasons, this is a good strategy to employ.
Member servers are not involved in the authentication of network users and do not take part in the Active Directory replication process. Member servers are commonly employed as file and print servers, or with additional software, as database servers, Web servers, firewalls, or servers for other important network services such as DHCP and DNS.
Windows Authentication
The authentication process facilitated by a Windows server allows users logging on to the network to identify themselves to the Active Directory, and subsequently to access all the network resources to which they have permissions. This means that it is necessary to log on only once to access all the resources on the network. The nature of directory services means that other applications, such as a Web server, can interface with the directory and use the same authentication information.
In addition to the standard authentication mechanism of usernames and passwords, Windows server platforms also support other authentication systems such as smartcards and biometrics. Implementation of these methods requires additional hardware and software.
Windows Server File and Print Services
The provision of file and print sharing services is a mainstay of any network operating system, and Windows servers are no exception. Windows server systems use a principle called shares to make areas of a disk available to users. These shares can be secured by share permissions, which can be used on any file system, along with file and folder permissions if they are resident on New Technology File System (NTFS) partitions.
Both Windows 2000 Server and Windows Server 2003 use the same mechanisms to provide file system security. Rights can be assigned to users, groups, and some special entities, which include the "everyone" assignment. Table 7.3 describes the basic file permissions that can be used with NTFS on Windows Server platforms.
An added complexity to file system security on Windows platforms is that the shares created to allow users to access folders across the network can also be assigned a set of permissions. Although these permissions are quite basic (Full Control, Change, and Read), they must be considered because, when assigned, they are combined with NTFS permissions. The rule in this situation is that the most restrictive permissions assignment applies. For example, if a user connects through a share with Read permission and then tries to access a file to which he has the NTFS Full Control right, the actual permissions would be Read. The most restrictive right (in this case, the Share Read permission) overrides the other permissions assignment. In addition to the basic file sharing and permission systems, Windows server systems also include some advanced features to further enhance the file and server capabilities. These features include the following:
Windows server systems support the FAT, FAT32, and NTFS file systems. However, if you are configuring a server, you are unlikely to use FAT or FAT32, as they do not offer any file-level security. Also, you need NTFS if you want to take advantage of features such as disk quotas, DFS, EFS, file compression, or auditing. You also need NTFS to support Active Directory.
Although it is possible to convert a partition formatted with FAT or FAT32, it is recommended that you format a drive as NTFS when you are creating partitions rather than converting at a later date. Drives originally formatted with NTFS have less fragmentation and better performance than those converted from FAT. If you do need to convert a partition, you can use the CONVERT utility, but the process is one way. Once you have converted from FAT, you can never go back.
Windows server provides comprehensive print server functionality. Clients are able to connect to printers across the network without the need for locally installed printer drivers. The drivers are stored on the server and downloaded when the user connects to the printer, making it easy to ensure that users are using the latest version of the correct driver. Printing on a Windows server can be controlled through a permission mechanism similar to that used in file system security, though it is less complex. Preconfigured groups also allow you to delegate the management of printing functions, which can be a good idea in large environments. All these features combine to make Windows a very solid choice as a file and print server.
Windows Application Support
Of all the network operating systems discussed in this chapter, Windows server platforms have the best overall level of support by third-party applications. In addition to having superb third-party application support, Windows server operating systems come with a complete set of tools and services that satisfy almost every need a company could have from a network operating system. These applications include DNS and DHCP server services, performance-monitoring tools, Web server applications, remote access capabilities, and network monitoring tools.
Windows Security
Windows server operating systems provide a full range of security features that make for very secure network operating systems. Windows Server 2003 is considered more secure than Windows 2000, as it employs a "secure by default" strategy through which unnecessary applications, services, and security configurations are disabled by default. Administrators can then enable applications and services on an as-needed basis.
Authentication security is provided on Windows servers through Kerberos version 5. File system security and encryption are provided through NTFS permissions and EFS. Network communication can be protected by a range of security and authentication protocols, though IPSec (which is discussed in Chapter 6) is most commonly used on Windows server networks to provide both encryption and authentication for network data.
AppleShare IP
Mac OS-based computers usually can be counted on to rely on the AppleShare IP protocol (although this is very much at the whim of a network administrator with a modern network, as both Mac OS clients and Mac OS servers support so many other protocols). When connecting Macintosh clients to a server of a different platform, it is often necessary to enable AppleShare services to provide backward compatibility to older workstations, or to provide effective security. In the classic versions of the Mac OS, AppleShare functionality was provided by a suite of extensions and control panels providing configuration and core services for this networking protocol. As always, when integrating computers using older software onto a newer network, download and install the latest versions of the AppleShare software from Apple Computer's website, and make sure that the operating system is up-to-date. Download the latest version of AppleShare from Apple's support website at http://www.apple.com/support/. Mac OS X computers should be kept up-to-date with the Software Update utility accessible via System Preferences. Although AppleShare IP provides a secure way for a user and server to exchange names and passwords, it is not an encrypted protocol. It is theoretically possible for an IP packet to be intercepted and its contents read by a third party. Therefore, care should be taken when exchanging sensitive data. Fortunately, AppleShare IP is a pure TCP/IP protocol, so it may be "tunneled" using any of a variety of encryption methods.
The Mac OS itself supports L2TP over IPSec and PPTP, which are capable of encrypting network packets to prevent anyone from reading intercepted packets.
AppleShare Authentication
The most important task to be accomplished between the client and server using the AppleShare protocol is authentication. How is the server to know that the user can be trusted to perform operations on files and folders? What if the user is attempting to connect to a non-Apple file server that supports a unique authentication standard? On connecting to any AppleShare service on any server, the first thing the client does is try to determine what method of authentication the server supports. Can an Apple protocol be used? What about Kerberos, or the Microsoft authentication protocol? If the server supports more than one authentication method, the user is asked to choose one. The exception is the plain-text method. If the server and client don't have compatible authentication software installed, a username and password can be exchanged via plain text, if the server has been allowed to support it. However, if any more secure method is available, the plain-text option won't be given. Because various software vendors sell servers that support AppleShare IP, clients need to be able to add authentication methods. Recent versions of AppleShare support user authentication modules, which are simple plug-ins that add authentication methods to a client. The most common plug-in is the Microsoft UAM, required to connect to Windows 2000 and 2003 servers. This software comes with the server and is also available for download from Microsoft's support website. This module allows AppleShare IP clients to use Microsoft's native Windows authentication protocol, allowing administrators to provide enhanced security by using SMB services with packet signing turned on, as well as providing secure access to Macintosh clients.