When designing access for Microsoft clients to resources stored in heterogeneous networks, you can provide secure access by one of two methods: native clients or gateway services.
The native clients method requires that additional client software be loaded at the Microsoft clients. The client software allows the Microsoft client to make native connections to the heterogeneous server hosting the data.
The gateway services method requires that client software be loaded on a single gateway computer. The gateway then publishes resources from the heterogeneous network so that Microsoft clients can access the data through the gateway.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
Many networks use NetWare servers for file and print services. You can provide Windows 2000 Professional–based computers with access to NetWare resources by installing Client Services for NetWare (CSNW) or by installing Novell Client v4.8 for Windows NT/2000 from Novell NetWare, as shown in Figure 16.5.
Figure 16.5 Windows 2000 Professional–based computers accessing NetWare resources with NetWare client software
Both clients require a user account in the NetWare environment that allows the user to authenticate with the NetWare environment.
CSNW requires the installation of the NWLink IPX/SPX Compatible transport. Novell Client v4.8 for Windows NT/2000 can use TCP/IP when connecting to NetWare 5 network resources.
Alternatively, Windows 2000 Professional–based computers can access NetWare resources through a server with GSNW installed, as shown in Figure 16.6.
Figure 16.6 Accessing NetWare resources through a server running GSNW
Both methods require planning to ensure that security of the resources is maintained when Microsoft clients access NetWare resources.
Windows 2000 Professional–based computers can access NetWare resources by installing either CSNW or the Novell Client v4.8 for Windows NT/2000. These client services act as a redirector for Windows 2000, allowing the Windows 2000–based computer to access resources in a Novell NetWare environment.
Both clients recognize attempts to access NetWare resources and translate the requests into NCP (NetWare Core Protocol) so that the NetWare servers can authenticate the user and grant access.
To use the native NetWare clients, include the following in your network security deployment plan:
Comparing NetWare Trustee Rights to NTFS Permissions
NetWare assigns trustee rights to directories and files to determine what permissions are assigned to a user or group accessing the resources. NetWare trustee rights are composed of the following individual rights:
- Read. Allows users to read data in an existing file
- Write. Allows users to add data to an existing file
- Create. Allows users to create new files or new directories
- Erase. Allows users to delete existing files or directories
- Modify. Allows users to rename or change the attributes of files or folders
- File Scan. Allows users to view the contents of a directory
- Access Control. Allows users to modify trustee rights for folders
- Supervisor. Allows users all rights to folders or files
NetWare trustee rights are similar to NTFS permissions in their deployment. Only users with the Supervisor right (similar to Full Control in a Windows 2000 environment) or the Access Control right (similar to the Change Permissions special permission in NTFS) can modify the security for a file or directory. Because Access Control lets a user alter trustee assignments, including their own, grant it as sparingly as you would grant Change Permissions.
Table 16.9 lists the NetWare trustee rights that are equivalent to NTFS folder permissions in Windows 2000.
Table 16.9 Comparing NTFS Permissions with NetWare Trustee Rights

| NTFS Folder Permissions | NetWare Trustee Rights |
|---|---|
| List Folder Contents | File Scan |
| Read | Read, File Scan |
| Write | Write, Create, Modify |
| Modify | Read, Write, Create, Erase, Modify, File Scan |
| Full Control | Supervisor |
Windows 2000 can also allow access to NetWare resources through a single computer running GSNW. The Windows 2000–based server running GSNW authenticates with the NetWare server using an account in NDS or the NetWare Bindery. The GSNW server then publishes NetWare resources as if they were shares on the GSNW server. Microsoft clients access the resources using the SMB or Common Internet File System (CIFS) protocol without having to connect directly to the NetWare server. Because every client request reaches the NetWare server under the gateway account, the NetWare server sees a single identity; any difference in access between Windows users must be enforced by the share permissions on the GSNW server.
If you plan to use GSNW to provide access to NetWare resources, consider the following items when designing your security plan:
Figure 16.7 Providing different levels of access by implementing multiple GSNW servers
Use Table 16.10 to determine whether you should provide access to a NetWare environment by installing NetWare clients at the Windows 2000–based client computers or through GSNW.
Table 16.10 Designing Access to NetWare Resources

| Use | When Your Security Design Requires |
|---|---|
| Client Services for NetWare | User-level security in the NetWare environment (CSNW requires that each user has an account in the NetWare environment). Your network allows protocols other than TCP/IP to be installed at client computers. |
| Novell Client v4.8 for Windows NT/2000 | All connectivity with the NetWare environment to use TCP/IP. Administration of the Novell environment from the Windows 2000 Professional–based computer. Synchronization of passwords between Active Directory and NDS using MSDSS. |
| Gateway Services for NetWare | Users to have only a single account in the enterprise network: instead of each user having one account in Active Directory and one in NDS, the gateway account is used to access NetWare resources. Both Windows 2000 and NetWare administrators to manage security for NetWare resources. Limited deployment of the IPX/SPX protocol in the Microsoft network. |
All members of the accounting department require the same level of access to the data stored on the NetWare server. The NetWare server is named AIRDATA1, and the data to which the accounting department requires access is stored on the DATA: volume in a folder named Accounting. The accounting department needs only to read the data stored on the NetWare server and must not have permission to modify it.
Blue Yonder Airlines can use GSNW to meet the security objectives for accessing data stored on the AIRDATA1 NetWare Server. To secure the access of the accounting department, include the following in your security plan:
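As an added example (not code from the lesson or from Novell), the following Python script checks the Blue Yonder requirement mechanically: given a trustee listing for DATA:\Accounting on AIRDATA1, it expands Supervisor to the full set of rights, names each assignment's Table 16.9 equivalent, and flags any trustee holding more than Read and File Scan. The listing format and the trustee names are constructed assumptions. Under GSNW the same check applies to the single gateway account, because every Windows client inherits its rights.

```python
"""Audit NetWare trustee assignments for a folder that must be read-only.

Added example; this is not code from the lesson. The trustee report below is
constructed: each line is <volume:path> <trustee name> [rights letters], using
the one-letter codes S R W C E M F A. Treat the exact layout as an assumption
about a given NetWare version's report, not as documented output.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

# One-letter codes for the eight NetWare trustee rights the lesson describes.
RIGHTS = {
    "S": "Supervisor", "R": "Read", "W": "Write", "C": "Create",
    "E": "Erase", "M": "Modify", "F": "File Scan", "A": "Access Control",
}
ALL_RIGHTS = frozenset(RIGHTS)

# Table 16.9 as trustee-right sets, ordered from most to least permissive.
NTFS_EQUIVALENT = [
    ("Full Control", frozenset("S")),
    ("Modify", frozenset("RWCEMF")),
    ("Write", frozenset("WCM")),
    ("Read", frozenset("RF")),
    ("List Folder Contents", frozenset("F")),
]
READ_ONLY = frozenset("RF")  # the most the accounting department may hold


def parse_trustee_line(line: str) -> Tuple[str, str, FrozenSet[str]]:
    """Return (path, trustee, rights) for one constructed report line."""
    path, trustee, bracket = line.split(None, 2)
    rights = frozenset(ch for ch in bracket if ch in RIGHTS)
    return path, trustee, rights


def effective_rights(rights: FrozenSet[str]) -> FrozenSet[str]:
    """Supervisor implies every other right, so expand it before comparing."""
    return ALL_RIGHTS if "S" in rights else rights


def ntfs_equivalent(rights: FrozenSet[str]) -> Optional[str]:
    """Name the strongest NTFS folder permission (Table 16.9) fully covered."""
    held = effective_rights(rights)
    for label, needed in NTFS_EQUIVALENT:
        if needed <= held:
            return label
    return None


def audit(report: str, path: str, allowed: FrozenSet[str]) -> Dict[str, List[str]]:
    """Map each trustee on `path` holding more than `allowed` to its surplus rights."""
    findings: Dict[str, List[str]] = {}
    for line in report.strip().splitlines():
        p, trustee, rights = parse_trustee_line(line)
        if p.lower() != path.lower():
            continue
        surplus = effective_rights(rights) - allowed
        if surplus:
            findings[trustee] = sorted(surplus)
    return findings


# Constructed report for the scenario: AIRDATA1, volume DATA:, folder Accounting.
SAMPLE_REPORT = r"""
DATA:\Accounting   Accounting.BlueYonder          [ R   F  ]
DATA:\Accounting   JSmith.Accounting.BlueYonder   [ RWCEMF ]
DATA:\Accounting   Temps.Accounting.BlueYonder    [ R   F A]
DATA:\Public       Everyone.BlueYonder            [ RWCEMF ]
"""

if __name__ == "__main__":
    for trustee, extra in audit(SAMPLE_REPORT, r"DATA:\Accounting", READ_ONLY).items():
        names = ", ".join(RIGHTS[r] for r in extra)
        print(f"{trustee}: exceeds read-only by {names}")
```

The Temps entry is the one to watch: Access Control alone looks harmless next to Read and File Scan, but it lets the holder rewrite the trustee assignment and so defeats the read-only requirement.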
In some mixed networks Windows 2000 users have to access resources stored on UNIX servers. As with NetWare resources, you can provide access either directly to users or through a gateway service.
To allow Windows–based computers to connect to NFS resources in a UNIX environment, Services for UNIX 2.0 provides the Client for NFS. A Windows 2000–based computer with the Client for NFS installed is able to connect to NFS shares on UNIX servers by using the same methods used to connect to Windows 2000 shares.
Client for NFS works in conjunction with User Name Mapping. When a client first connects to a UNIX NFS server, User Name Mapping determines which UNIX UID and GID are mapped to the current Active Directory user account and returns them to Client for NFS, which presents them to the NFS server. With the AUTH_SYS (AUTH_UNIX) security flavor used by NFS version 2 and 3 clients of this era, the server does not verify a password; it trusts the UID and GID the client asserts and authorizes file access on that basis, so the accuracy of the mapping and the host restrictions on the NFS export determine the effective security.
When planning to provide secure Windows 2000 client access to NFS shares on UNIX servers, include the following tasks in your design:
Gateway for NFS allows Windows 2000 users to connect to UNIX NFS shares without installing NFS client software at each Windows 2000–based client computer. The Windows 2000–based client computers send file requests to the Gateway for NFS server using SMBs, and the gateway performs the file access request using the NFS protocol. Because all access is through a single point to the NFS server, the gateway server can become a bottleneck.
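To make that trust relationship concrete, here is an added Python example (not code from Services for UNIX or from the lesson) that builds the AUTH_UNIX credential an NFS client presents after User Name Mapping has resolved a Windows account, and decodes it as the server would. It serves both the Client for NFS description above and the Gateway for NFS description: the gateway path shows every Windows user arriving at the server as one identity. The mapping table, account names, UIDs, GIDs and host names are constructed assumptions; the byte layout follows the authsys_parms structure in RFC 5531.

```python
"""Build and decode the AUTH_UNIX (AUTH_SYS) credential an NFS client sends.

Added example, not Services for UNIX code. USER_MAP stands in for a User Name
Mapping table; every name, UID and GID in it is an assumption made for the
example. The credential carries no password: the server trusts the numbers.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Constructed mapping: Windows account -> (uid, gid, supplementary gids).
USER_MAP: Dict[str, Tuple[int, int, List[int]]] = {
    "BLUEYONDER\\jsmith": (1001, 100, [100, 2002]),
    "BLUEYONDER\\nfsgw$": (2000, 2000, [2000]),  # the gateway's own identity (assumed name)
}
GATEWAY_ACCOUNT = "BLUEYONDER\\nfsgw$"
MAX_GIDS = 16  # RFC 5531 declares gids<16>


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte big-endian length, data, pad to 4 bytes."""
    return struct.pack(">I", len(data)) + data + b"\x00" * ((-len(data)) % 4)


def auth_unix_body(uid: int, gid: int, gids: List[int], machinename: str, stamp: int = 0) -> bytes:
    """Encode authsys_parms: stamp, machinename, uid, gid, gids<16>."""
    if len(gids) > MAX_GIDS:
        raise ValueError("AUTH_UNIX carries at most 16 supplementary gids")
    body = struct.pack(">I", stamp) + xdr_opaque(machinename.encode("ascii"))
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def parse_auth_unix(body: bytes) -> Tuple[str, int, int, List[int]]:
    """Decode what the NFS server receives: only these asserted values, nothing to verify."""
    stamp, name_len = struct.unpack_from(">II", body, 0)
    name = body[8:8 + name_len].decode("ascii")
    off = 8 + name_len + ((-name_len) % 4)
    uid, gid, count = struct.unpack_from(">III", body, off)
    gids = list(struct.unpack_from(">" + "I" * count, body, off + 12))
    return name, uid, gid, gids


def client_credential(windows_user: str, machinename: str) -> Optional[bytes]:
    """Client for NFS path: each Windows user is mapped to its own UID/GID."""
    mapped = USER_MAP.get(windows_user)
    if mapped is None:
        return None  # unmapped user: nothing is built here (product behaviour not modelled)
    uid, gid, gids = mapped
    return auth_unix_body(uid, gid, gids, machinename)


def gateway_credential(windows_user: str, machinename: str) -> bytes:
    """Gateway for NFS path: whoever the SMB user is, the server sees the gateway identity."""
    uid, gid, gids = USER_MAP[GATEWAY_ACCOUNT]
    return auth_unix_body(uid, gid, gids, machinename)


if __name__ == "__main__":
    for user in ("BLUEYONDER\\jsmith", "BLUEYONDER\\nobody"):
        direct = client_credential(user, "ws01")
        print(user, "via Client for NFS:", parse_auth_unix(direct) if direct else "unmapped")
        print(user, "via Gateway for NFS:", parse_auth_unix(gateway_credential(user, "gw01")))
```

Decoding shows that the credential is a host name plus asserted numbers. Whoever controls the mapping, on the client or on the gateway, decides what the NFS server will authorize, so restrict the export to the hosts you trust to perform that mapping; with Gateway for NFS the Windows-side share permissions are the only place individual users are told apart.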
When planning a Gateway for NFS deployment to allow access to UNIX NFS shares, address the following issues in your design:
Use Table 16.11 to determine whether you should provide access to a UNIX NFS environment by installation of Client for NFS at the Windows 2000–based client computers or through Gateway for NFS.
Table 16.11 Designing Access to UNIX NFS Resources
| Use | When Your Security Design Requires |
|---|---|
| Client for NFS | User-level security in the UNIX environment. Preventing a gateway from becoming a bottleneck that limits access to the NFS server. All security management of the NFS data to be performed at the UNIX server. |
| Gateway for NFS | No need to differentiate between user accounts when accessing the NFS share. Security for NFS resources to be managed by both Windows 2000 and UNIX administrators. |
Blue Yonder Airlines could use either Client for NFS or Gateway for NFS to provide access to the UNIX NFS server to store status reports. The requirements don't indicate whether varying levels of access are required. You must deploy the following to provide secure access to the NFS server:
When Windows 2000 clients require access to resources stored on NetWare or UNIX servers, you must decide whether to provide individual access (a native client on each computer) or collective access (a gateway). Whichever method you choose, ensure that Active Directory accounts are associated with the corresponding NetWare accounts or UNIX UIDs and GIDs, so that connecting users don't have to supply additional credentials.