NetWare 5.1 Administration

Chapter 3: Setting Up and Managing Network Access for Users


Objectives:

This chapter concerns two basic features of a network, the user object and security issues. The objectives important to this chapter are:

  1. Identify the Function of the User Object
  2. Create and Modify NDS Objects Using ConsoleOne
  3. Create and Modify User Accounts Using NetWare Administrator
  4. Identify the Types of Network Security Provided by NetWare
  5. Determine and Establish Login Security

Key Concepts:

Identify the Function of the User Object

The user object is the most basic object in NDS. Without users, there would be no need for a network. When the system administrator creates a user object, two properties must be given values:

  • the user's Login Name (ConsoleOne calls this property Name)
  • the user's Last Name (ConsoleOne calls this property the Surname field)

A third field (Unique ID) is filled in automatically when you fill in the Name field in ConsoleOne.

A user may be given a home directory when created. This is recommended, as a user's rights and privileges are often limited outside their home directory. A user needs a place to store files. The home directory serves this purpose.

Three utilities are available to create users in NetWare 5.1.

  • NetWare Administrator - a powerful Windows-based program, familiar to users of NetWare 4.x
  • ConsoleOne - a Java-based program, new to NetWare 5. It does not have all the functionality of NetWare Administrator yet.
  • BULKLOAD - a DOS-based utility that will read a text data file, and create user accounts based on the data. Your text does not give directions for using this utility, but it suggests that you search the documentation CD or search Novell's web site for instructions.

Create and Modify NDS Objects Using ConsoleOne

ConsoleOne is meant to be the utility that will replace NetWare Administrator. It is Java-based, so it does not need a Windows environment in which to run.

While you can read the properties of objects in ConsoleOne, you cannot make rights assignments through it.

To create a user object in ConsoleOne:

  1. Run ConsoleOne.
  2. Select or create the container that will hold the user object.
  3. On ConsoleOne's menu bar, click File | New | User.
  4. In the dialog box that appears, enter the Name and Surname for the user.
  5. Enter values in other desired fields, then click OK.
  6. ConsoleOne will then present a login screen on which you can create a password for the user.

The process to do this in NetWare Administrator is similar. The fields are named a bit differently.

Create and Modify User Accounts Using NetWare Administrator

To modify a user object, the best method is to select Details in the NetWare Administrator software. It is possible to modify the properties of several user objects at once in several ways:

  • if all the users are in one container, select the container and Details on Multiple Users
  • if all the users are associated with a template or a group, select it and proceed as above
  • if you want to modify several users who do not share another object, use Shift-Click to select a series that are listed together (contiguous), or Control-Click to select a series that are not listed together (discontiguous)

The Admin user is a special user account. It is created automatically when installing the NetWare operating system. This user gets all rights to the system. Since hackers know about this account, it may be deleted by the system administrator. BEFORE you think about deleting this account, set up another account with the same rights. DO NOT make the new account equivalent to Admin, and then delete Admin. This will cause the new account to have no rights. (In older versions of NetWare, the default account was Supervisor. It could not be deleted.) Rights are discussed in another chapter.

While Login Names need not be unique in the universe, they must be unique within a given container. Users are created inside containers, and different users who want the same login name must be created inside different containers.

Identify the Types of Network Security Provided by NetWare

Network Security comes in four varieties:
  • Login security - access to the net
  • NDS security - rights to use or modify the NDS
  • File system security - access to files and programs
  • Network printing security - rights to print, and to manage printing

This chapter only discusses Login security.

Determine and Establish Login Security

Login Security is the first security layer a user encounters. The flow chart of events that happen when a user logs in (on page 3-30) illustrates the multiple decisions made about the user by the security system. Consider the decision points:

  • Is the user name valid?
  • Is the user allowed to log in here and now?
  • Is there a password for this user?
  • Is the password entered correctly?

The second point is expressed in the book as "account restrictions". This is a broad term that covers the bulleted items on page 3-31. Some of them need explanation:

  • Account Balance refers to charges for time logged in. This is not often used in company settings.
  • Connections refers to the addresses a user may log in from and whether multiple logins are allowed.
  • An account becomes Disabled (or Locked) if someone repeatedly fails to log in to it. The system administrator must Enable the account for it to be used again.
  • Expiration dates may be set for accounts, typically if the user is a temporary contract employee.
  • The Password may or may not be required, may be required to contain 5 or more characters, and may be set to expire as often as the system administrator desires.
  • Time refers to the hours of the day, on each day of the week, during which a user is allowed to be in the system. Each hour of a twenty-four-hour day, for each day of the week, may be allowed or blocked separately.

Intruder Limits is a property of the User object. It specifies how many times in a row someone may try, unsuccessfully, to log in as that user. This means that if someone tries to log in as you, and fails the specified number of times, the account is disabled by the system, and the system administrator must unlock it before it can be used again. (Actually, you can also set it to unlock itself after a specified number of minutes. This presumes that the hacker will just go away after a while.)
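The decision points listed above (valid name, allowed here and now, password required, password correct), the 7-by-24 Time restriction grid, and the Intruder Limits lockout with optional auto-unlock can be modelled together. The following is an added example written for these notes, not Novell code: the account names, office hours and limits are constructed, and a plain string comparison stands in for NetWare's own password check.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of the login decision points and Intruder Limits; not Novell code.

@dataclass
class Account:
    name: str
    password: Optional[str]                     # None = no password required
    allowed_hours: List[List[bool]] = field(    # Time restrictions: 7 days x 24 hours, Monday = 0
        default_factory=lambda: [[True] * 24 for _ in range(7)])
    bad_attempts: int = 0                       # consecutive failed logins
    locked_until: Optional[datetime] = None     # datetime.max = locked until admin enables

class LoginSecurity:
    def __init__(self, accounts, max_attempts=3, lockout_minutes=15):
        self.accounts = {a.name.lower(): a for a in accounts}
        self.max_attempts = max_attempts        # failures in a row before lockout
        self.lockout_minutes = lockout_minutes  # None = stay locked until admin enables

    def enable(self, name):                     # the administrator's manual unlock
        acct = self.accounts[name.lower()]
        acct.locked_until, acct.bad_attempts = None, 0

    def login(self, name, password, now):
        acct = self.accounts.get(name.lower())
        if acct is None:                        # 1. Is the user name valid?
            return "invalid user"
        if acct.locked_until is not None:       # Intruder lockout still in force?
            if now < acct.locked_until:
                return "account locked"
            self.enable(name)                   # lockout period has elapsed
        if not acct.allowed_hours[now.weekday()][now.hour]:   # 2. Allowed now?
            return "time restriction"
        if acct.password is not None and password != acct.password:  # 3. and 4.
            acct.bad_attempts += 1
            if acct.bad_attempts >= self.max_attempts:
                mins = self.lockout_minutes
                acct.locked_until = datetime.max if mins is None else now + timedelta(minutes=mins)
                return "account locked"
            return "bad password"
        acct.bad_attempts = 0                   # a good login resets the intruder count
        return "ok"

def sample_system():
    # Constructed sample: office hours only, 3 tries in a row, 15-minute auto-unlock
    office = [[9 <= h < 17 for h in range(24)] for _ in range(7)]
    return LoginSecurity([Account("bob", "secret", allowed_hours=office),
                          Account("guest", None)], max_attempts=3, lockout_minutes=15)
```

Note that the correct password is refused while the lockout is in force; only the elapsed lockout period (or an administrator's enable) makes the account usable again.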

Authentication is an internal process that provides more security against determined hackers. Examine the list on page 3-33. It works because when a user logs in, the user is assigned a unique identifier that includes their actual workstation, the current time, and their password. Any request from the user in that work session is tagged with that identifier, so that the system can distinguish a legitimate request from one that may have been sent by a hacker.