
Chapter 6

Managing File System Security

Certification Objectives

Inheritance and Filters

Security Equivalence

Effective Rights

Rules for Planning

File and Directory Attributes

From the Classroom

Inherited Rights Filter (IRF) and Calculating Effective Rights

Planning File System Attributes

Trustee Rights

File System Attributes

Certification Objectives

Every network administrator must determine which users should be granted access to specific directories and files. An equally critical task is determining who should be denied access to certain directories and files. The network administrator must strike a balance between the needs of users to access files and the need to maintain security to protect the shared files and directories from deliberate or inadvertent abuse. This is the basis for fileservers; that is, serving files. Exactly how files are secured varies somewhat from system to system.

Introduction to File System Security

Once a NetWare administrator understands file system security, it becomes apparent that files shared on a NetWare server can be more secure than ones on a workstation. For example, a file on a NetWare server cannot be accessed by a casual user at the server console, whereas a file on a workstation usually can be accessed by anyone sitting at that workstation. When a file is on a server, the user must pass through login security and be granted access rights to use the file. NetWare file system attributes offer the ability to prevent file changes, even when a user has the access rights to make those changes. Beyond that, a network file has the flexibility to be shared among several users, then secured from the remainder of the network users. This flexibility, combined with security, makes for a powerful file management tool. Within NetWare, there are two layers of file system security:

Planning File System Rights

File system rights are the basic tools for securing files and directories. Planning the file and directory rights correctly will determine whether files are accessible by the appropriate end users, and protected from all other users. You must understand basic file system security to effectively implement security.

Before a user can access a file or directory on a NetWare volume, some rights to that file must be granted to the user’s NDS object, as illustrated in Figure 6-1. Rights can be granted to users, groups, and containers, or any other object in NDS. The NDS object is considered a trustee of the file or directory when granted rights to it.

Figure 1: File system trustee rights

When a right is granted to a group or a container, any user who is a member of the group or who exists in that container will also receive those rights. When a right is granted to the [public] trustee, all users, whether logged in or not, will receive it. It is preferred that groups and containers, rather than individual users, be granted explicit rights, since it facilitates planning and maintenance. The rights that can be granted to access a file or directory are listed in Table 6-1.

| Right | Abbreviation | What is granted |
| --- | --- | --- |
| Read | R | Trustee is able to read data from the file. |
| Write | W | Trustee is able to write data to an existing file. |
| Create | C | Trustee can create a new file or subdirectory. |
| Erase | E | Trustee can delete an existing file or subdirectory. |
| Modify | M | Trustee can rename a file or change the file attributes. |
| File Scan | F | Trustee can list the contents of a directory, such as when using the DIR or NDIR commands, or view the files in a directory from Explorer. |
| Access control | A | Trustee can grant or revoke rights to other trustees. |
| Supervisor | S | Supervisor right implies all rights, and cannot be filtered. |

Table 1: Trustee Rights to Files and Directories

Exam Watch: The minimal rights required to both list files and execute them are Read and File Scan. In order to remember the trustee rights, remember the words FEW SCRAM. F-file scan E-erase W-write S-supervisor C-create R-read A-access control M-modify.

Exercise 6-1 Granting Rights to a Group

  1. If drive F: is not mapped to volume SYS, then right-click Network Neighborhood, select Novell Map Network Drive, select drive F: under Device, and type \\SERVERNAME\SYS in the Path area; then click Map.
  2. Choose Start | Run, type F:\PUBLIC\WIN32\NWADMN32, and press ENTER.
  3. Navigate through the tree to the desired context where the SYS Volume object exists.
  4. Double-click the Volume object to expand the files below it.
  5. Select the Public folder and right-click it.
  6. Select Details.
  7. Click the Trustees of this Directory property page button.
  8. Click Add Trustee.
  9. From the resulting dialog box, navigate the tree until the desired Group object is found.
  10. Select the Group object and click OK. Note that when you are returned to the property page, the group has been added to the Trustees window, selected, and the Access rights check boxes are active. The Read and File Scan rights are selected by default.
  11. With the Group object highlighted in the Trustees window, click the following rights under Access rights: Write, Create, and Modify.
  12. Click OK.

Exercise 6-2 Granting Trustee Rights from a User Object

  1. If drive F: is not mapped to volume SYS, then right-click Network Neighborhood, select Novell Map Network Drive, select drive F: under Device, and type \\SERVERNAME\SYS in the Path area; then click Map.
  2. Choose Start | Run, type F:\PUBLIC\WIN32\NWADMN32, and press ENTER.
  3. Navigate through the tree to the desired context where the User object exists.
  4. Double-click the User object to bring up the Details window.
  5. Click the Rights to Files and Directories property page button (see Figure 6-2).

    Figure 2: Rights to Files and Directories property page

  6. Click the Find button to find the Volume objects.
  7. The context where the User object exists will be shown as the default context to find Volume objects in. Click the button to the right of the Context path to navigate to a different NDS context. When the correct context is displayed, click OK.
  8. Next to the Files and Directories display area, click Add.
  9. Double-click the Volume object in the right pane window to expand the files and directories below it. Navigate through the directories until the correct file or directory is displayed in the left pane window.
  10. Select the file or directory from the left pane window; then click OK.
  11. The directory or file will be displayed in the Files and Directories display area. It will be highlighted and the user’s rights to it will be checked in the Rights area. The default rights are Read and File Scan.
  12. Check the Supervisor right.
  13. Click OK to apply the rights to the User object.

Inheritance and Filters

Rights flow down the directory structure. When a user is granted a right to a directory, that right automatically flows down to the subdirectories. For example, if a user has Read and File Scan rights in SYS:PUBLIC, then the user will also have Read and File Scan rights to the WIN32 subdirectory of SYS:PUBLIC. This is called inheritance.

An Inherited Rights Filter (IRF) controls inheritance. The IRF blocks rights from flowing down the file directory structure. When a right is listed in the IRF, users can inherit it. When a right is not included in the IRF, then it is effectively blocked from being inherited. If that right is required by a user, then the user must be explicitly granted that right at that subdirectory.

Exam Watch: When planning rights to the file system, keep in mind how inheritance works. It is best not to grant users rights at the root of a volume or high-level directory. Granting users rights at a lower level is easier to control when adding directories later on. Give each trustee only the rights needed at each level.

Security Equivalence

NetWare has the capability of enabling one trustee to have the rights given to another trustee by setting the first trustee as security equivalent to the second. This is explicit security equivalence. Each User object has a Security Equal To property in NDS. When adding other NDS objects to this property, the user receives the same rights as those objects.

Two other types of security equivalence occur in NDS. When a User object is a member of a group, the User object becomes security equivalent to the Group object. When a User object is an occupant of an Organizational Role object, the User object becomes security equivalent to the Organizational Role object.

Each security equivalence is listed in the Security Equivalent To property of the User object, as illustrated in Figure 6-3.

Figure 3: Security Equivalent To property

Implied security equivalence occurs when rights that have been granted to a container object automatically flow to its child objects. In Novell Directory Services a container object is considered a parent to the objects within it, and they are considered children of the container. Implied security equivalence is not listed in the Security Equivalent To property of the User object.

Exam Watch: Security equivalence is not transferable; e.g., if User Bob has been made a trustee of the SYS:ANSEU directory with Read, Write, Create, Erase, Modify and File scan [-RWCEMF-] rights granted, and User Tom has been granted only Read and File scan [-R----F-] rights, and is later made Security Equivalent to User Bob, then Tom gets [-RWCEMF-] rights. If User Bruce is made Security Equivalent to Tom, Bruce does not get the same rights to SYS:ANSEU, as Bob [-RWCEMF-], he gets the same rights as Tom, [-R----F-], because those were the rights granted to the trustee Tom.

Exercise 6-3 Making a User Object Security Equivalent to Administrator

  1. If drive F: is not mapped to volume SYS, then right-click Network Neighborhood, select Novell Map Network Drive, select drive F: under Device, and type \\SERVERNAME\SYS in the Path area; then click Map.
  2. Choose Start | Run, type F:\PUBLIC\WIN32\NWADMN32, and press ENTER.
  3. Navigate through the tree to the desired context.
  4. Select a User object to be made equivalent to the Admin object.
  5. Click the Object menu and select Details.
  6. Click the Security Equal To property page button.
  7. Click the Add button.
  8. Navigate through the tree until the Admin object appears in the left pane under available objects.
  9. Click the Admin object and then click OK.
  10. Click OK to exit the User object properties and save the Security Equivalent changes.

Effective Rights

Effective rights are the actual trustee rights that are in effect when a user accesses a file or directory. A user’s effective rights are calculated from:

Rights granted through security equivalence

plus the rights granted to the [public] trustee

plus rights granted to groups the user is a member of

plus rights granted to the user’s container

plus rights explicitly granted to the user

plus rights inherited from upper directory minus rights filtered by the IRF.

In order to calculate effective rights, the flow of rights must be traced down the directory structure shown in Figure 6-4.

Figure 4: Effective Rights example

Exam Watch: Effective rights are calculated from the explicitly granted rights, plus those granted through security equivalence, group membership and container membership, plus those inherited from upper directories minus those filtered by the IRF. The NetWare exams always include a couple of questions about determining the effective rights of users and planning the rights for the NetWare file system.

Calculating effective rights is a skill that is absolutely required for planning and administering a NetWare network. The following example will use the Jcraft user in the .OU=MKTG.OU=NY.O=MA context shown in Figure 6-4.

Jcraft is granted the explicit rights to the SYS:PUBLIC\WIN32 directory for Write [W]. Jcraft is granted the rights for Read, Create, File Scan, and Modify [RCFM] for the SYS:PUBLIC directory. The IRF for the SYS:PUBLIC\WIN32 directory is [RF]. Jcraft belongs to the ALLUSERS group that is granted the Read and File Scan rights [RF] for SYS:PUBLIC, and Read, File Scan, and Access Control [RFA] for SYS:PUBLIC\WIN32. What are Jcraft’s effective rights for SYS:PUBLIC\WIN32? Table 6-2 provides the process of determining Jcraft’s effective rights for SYS:PUBLIC\WIN32.

| Calculations | Directory | Rights |
| --- | --- | --- |
| To calculate the effective rights start with the explicit rights. | SYS:PUBLIC\WIN32 | [W] |
| Add the inherited rights that are granted to the user for the parent directory, subtracting the rights blocked by the IRF. | SYS:PUBLIC, minus SYS:PUBLIC\WIN32 IRF blocked rights | [RCFM], only [RF] allowed |
| Add the rights granted through security equivalence, either implied or explicit. | SYS:PUBLIC\WIN32 | [RFA] |
| The effective rights would be: | SYS:PUBLIC\WIN32 | [RWFA] |

Table 2: Calculating Effective Rights

Jcraft’s effective rights are Read, Write, File Scan, and Access Control.
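The calculation in Table 6-2 and the non-transferable security equivalence from the earlier Exam Watch, worked through in code. This is an added example, not part of the original chapter or of any NetWare utility; the FileSystem class and its method names are hypothetical, it follows the chapter's additive formula, and group membership is modeled as a security equivalence.

```python
ALL_RIGHTS = "SRWCEMFA"  # display order for masks


def parse_mask(mask):
    """Parse '[RF]', 'RCFM' or '-RWCEMF-' into a set of right letters."""
    letters = mask.upper().strip("[]").replace("-", "").replace(" ", "")
    unknown = set(letters) - set(ALL_RIGHTS)
    if unknown:
        raise ValueError(f"unknown right(s) {sorted(unknown)} in {mask!r}")
    return set(letters)


def format_mask(rights):
    return "[" + "".join(r for r in ALL_RIGHTS if r in rights) + "]"


class FileSystem:
    """Hypothetical in-memory model of trustee assignments and IRFs."""

    def __init__(self):
        self.trustees = {}    # directory -> {trustee: rights granted there}
        self.irf = {}         # directory -> rights allowed to be inherited
        self.equivalent = {}  # user -> objects listed as Security Equal To

    def grant(self, directory, trustee, mask):
        self.trustees.setdefault(directory, {})[trustee] = parse_mask(mask)

    def set_irf(self, directory, mask):
        self.irf[directory] = parse_mask(mask)

    def make_equivalent(self, user, *objects):
        self.equivalent.setdefault(user, set()).update(objects)

    def identities(self, user):
        # Only direct entries count: equivalence is not transferable.
        return {user, "[public]"} | self.equivalent.get(user, set())

    def effective_rights(self, user, chain):
        """chain lists the directories from the top one down to the target."""
        who = self.identities(user)
        effective = set()
        for directory in chain:
            if "S" in effective:
                break  # Supervisor cannot be filtered by an IRF
            inherited = effective & self.irf.get(directory, set(ALL_RIGHTS))
            granted = set()
            for trustee, rights in self.trustees.get(directory, {}).items():
                if trustee in who:
                    granted |= rights
            effective = inherited | granted
        if "S" in effective:
            effective = set(ALL_RIGHTS)  # Supervisor implies all rights
        return effective


def chapter_example():
    """Jcraft's rights to SYS:PUBLIC\\WIN32, using the values from the text."""
    fs = FileSystem()
    fs.make_equivalent("Jcraft", "ALLUSERS")  # group membership
    fs.grant("SYS:PUBLIC", "Jcraft", "[RCFM]")
    fs.grant("SYS:PUBLIC", "ALLUSERS", "[RF]")
    fs.grant("SYS:PUBLIC\\WIN32", "Jcraft", "[W]")
    fs.grant("SYS:PUBLIC\\WIN32", "ALLUSERS", "[RFA]")
    fs.set_irf("SYS:PUBLIC\\WIN32", "[RF]")
    chain = ["SYS:PUBLIC", "SYS:PUBLIC\\WIN32"]
    return format_mask(fs.effective_rights("Jcraft", chain))


def equivalence_example():
    """Bob, Tom and Bruce on SYS:ANSEU from the Exam Watch note."""
    fs = FileSystem()
    fs.grant("SYS:ANSEU", "Bob", "-RWCEMF-")
    fs.grant("SYS:ANSEU", "Tom", "-R----F-")
    fs.make_equivalent("Tom", "Bob")
    fs.make_equivalent("Bruce", "Tom")
    return {u: format_mask(fs.effective_rights(u, ["SYS:ANSEU"]))
            for u in ("Bob", "Tom", "Bruce")}


if __name__ == "__main__":
    print("Jcraft on SYS:PUBLIC\\WIN32:", chapter_example())
    for user, mask in equivalence_example().items():
        print(user, "on SYS:ANSEU:", mask)
```

Changing the IRF passed to set_irf, or adding a grant at a higher directory, shows how a single assignment near the volume root changes every result below it.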

Rules for Planning

The rules for planning rights can be simplified into the following steps:

  1. Design the file system so that there is limited access at the root of NetWare volumes.
  2. Grant greater file system access at lower levels of the directory structure.
  3. To protect files, do not grant unnecessary rights at any level.
  4. Use inheritance to your advantage, granting explicitly as few times as possible within the directory structure.
  5. Plan rights for the [Public] trustee, [root], container objects, organizational role objects, and groups first; then for individual users.
  6. Consider the effect that security equivalence will have on the rights granted.
  7. Filter rights only when absolutely necessary; that is, try to keep the directory structure with the fewest rights at the top.

Planning File System Attribute Security

File system attributes add another layer of security to the network. File attributes can be applied to a file and are applicable no matter what rights a trustee has been granted to a file. For example, if a user has been granted the Supervisor right to a directory, but a file has been flagged Read Only, the user cannot delete or rename that file, until or unless that attribute has been changed.

There is a similar system under DOS. A file on a DOS, Windows 95/98, or NT workstation can have attributes set to prevent it from being seen (Hidden), to be a system file (System), to not be deleted or renamed (Read Only), or to be used as normal (Read/Write). NetWare enables these same types of rights plus many more to be set on both files and directories. Some of these attributes are applicable only to files, and others are applicable only to directories.

File and Directory Attributes

Some file attributes are the same as directory attributes. Other attributes are applicable only to files or only to directories. Table 6-3 lists each file system attribute, whether it applies to files, directories, or both, its symbol, and the function it provides.

| Attribute | File / Dir | Symbol | Function |
| --- | --- | --- | --- |
| Archive Needed | File | A | Whenever a file is changed, this attribute is set automatically by NetWare. This flags the file for backup during incremental or differential backups. |
| Copy Inhibit | File | Ci | Prohibits the trustee from copying the file. |
| Can’t Compress | File | Cc | If no significant amount of space can be saved through compression, NetWare sets this attribute automatically. |
| Don’t Compress | File / Dir | Dc | Prevents the file from being compressed. |
| Delete Inhibit | File / Dir | Di | Prohibits the trustee from deleting the file. |
| Don’t Migrate | Dir | Dm | If optical storage is being used, this attribute prevents a file from being migrated to it. |
| Don’t Suballocate | File | Ds | Causes the file to be written to entire blocks, and ignores the use of block suballocation. |
| Hidden | File / Dir | H | Hides a file from being seen in the Explorer or during a DIR or NDIR search. |
| Immediate Compress | File / Dir | Ic | Compresses the file as soon as it is written. |
| Indexed | File | I | Starts a turbo FAT-indexing feature on the file. |
| Migrated | File | M | Shows that the file has been migrated to another storage device (optical storage). |
| Purge | File / Dir | P | Causes a file to be erased from the file system as soon as it is deleted, and cannot be recovered through the SALVAGE feature of NetWare Administrator or FILER. |
| Rename Inhibit | File / Dir | Ri | Prevents users from renaming a file. |
| Read Only | File | Ro | Protects a file from being moved, written to, renamed, or deleted. It automatically includes the Ri and Di attributes. |
| Read/Write | File | Rw | Allows the file to be moved, written to, renamed, or deleted. |
| Shareable | File | S | Enables multiple users to access a file simultaneously. |
| System | File / Dir | Sy | Indicates that the file is used by the System, and includes the Read Only and Hidden attributes. |
| Transactional | File | T | Shows that the file is a TTS (Transaction Tracking System) protected file. It is used only with applications that support TTS. |
| Execute Only | File | X | Prevents a file from being modified, renamed, erased, or copied. After it is set, this attribute cannot be removed. |

Table 3: File and Directory Attributes
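How the two layers combine for write, rename and delete: the trustee right is checked first, and an attribute can still veto the operation, including attributes that arrive implicitly through Read Only or System. This is an added example, not part of the original chapter; the function names and the sample file list are constructed for illustration.

```python
# Attributes that bring other attributes with them (per the attribute table).
IMPLIES = {
    "Ro": {"Ri", "Di"},  # Read Only includes Rename Inhibit and Delete Inhibit
    "Sy": {"Ro", "H"},   # System includes Read Only and Hidden
}

# operation -> (trustee right it needs, attributes that block it)
OPERATIONS = {
    "write": ("W", {"Ro", "X"}),
    "rename": ("M", {"Ri", "X"}),
    "delete": ("E", {"Di", "X"}),
}


def expand(attrs):
    """Return attrs plus everything they imply, e.g. Sy -> Ro -> Ri, Di."""
    seen, todo = set(), list(attrs)
    while todo:
        attr = todo.pop()
        if attr not in seen:
            seen.add(attr)
            todo.extend(IMPLIES.get(attr, ()))
    return seen


def check(operation, rights, attrs):
    """Return (allowed, reason) for one operation on one file."""
    needed, blockers = OPERATIONS[operation]
    if "S" not in rights and needed not in rights:  # Supervisor implies all
        return False, "missing trustee right " + needed
    hit = sorted(expand(attrs) & blockers)
    if hit:
        return False, "blocked by attribute " + ", ".join(hit)
    return True, "allowed"


def exposed(files, rights, operation):
    """List files on which a trustee holding `rights` can still do `operation`."""
    return [name for name, attrs in files.items()
            if check(operation, rights, attrs)[0]]


# Constructed sample data: file names and flags are illustrative only.
SAMPLE_FILES = {
    "PAYROLL.DAT": {"Ro"},
    "LEDGER.DAT": {"Di", "Ri"},
    "NOTES.TXT": {"Rw"},
    "APP.EXE": {"X"},
}

if __name__ == "__main__":
    for op in OPERATIONS:
        print(op, "possible on:", exposed(SAMPLE_FILES, {"S"}, op))
```

Run against a real attribute listing, the exposed() report shows which files a Supervisor-level trustee could still alter, which is the gap Delete Inhibit and Rename Inhibit are meant to close.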

Stephanie is an administrator of a NetWare network. She has a group of graphics design users that print very large files. Whenever Stephanie wants to salvage a file, she finds that only the most recently deleted files are available to be salvaged. When she browses through the files, she finds many extremely large files available in the Queues directory. What can Stephanie do to manage her file system? Stephanie can flag the Queues directory to be purged immediately. This will keep the large print jobs from taking up space in the deleted files area in the NetWare file system.

Exercise 6-4 Setting Attributes for a File and a Directory

  1. If drive F: is not mapped to volume SYS, then right-click Network Neighborhood, select Novell Map Network Drive, select drive F: under Device, and type \\SERVERNAME\SYS in the Path area; then click Map.
  2. Choose Start | Run, type F:\PUBLIC\WIN32\NWADMN32, and press ENTER.
  3. Navigate through the tree to the desired context where the SYS Volume object resides.
  4. Double-click the SYS Volume object to expand the files and directory structure below it.
  5. Select the ETC directory and right-click it.
  6. Select Details.
  7. Click the Attributes property page button (see Figure 6-5).

    Figure 5: Directory attributes

  8. Check the Immediate Compress attribute.
  9. Click OK.
  10. You are returned to the NetWare Administrator window. Navigate down to the Public directory and select the ATOTAL.EXE file.
  11. Double-click the file to bring up the file properties dialog.
  12. Click the Attributes property page button.
  13. Note that there are more attributes available for files than directories (see Figure 6-6). Check the Don’t Compress and Shareable attributes.
  14. Click OK.

Figure 6: File attributes

From the Classroom

Inherited Rights Filter (IRF) and Calculating Effective Rights

Effective Rights determine what a user can actually do in a particular directory or to a particular file. File System Rights may have been acquired through inheritance, a trustee assignment, or security equivalence. Inherited Rights Filters (IRFs) are applied to directories or files to prevent effective rights from flowing downward from a parent directory (inherited rights can flow all the way from the volume root). The only ways to get around IRFs are to either make a new trustee assignment and grant rights, or make the object security equivalent to another object that is already a trustee of the directory or file.

By Dan Cheung, CNI, MCNE, MCT

Planning File System Attributes

The file system attributes should be planned according to the way the files are used by the end users. For instance, mission-critical files should never be placed in a directory marked for purging, and they should possibly be flagged as Delete Inhibit and Rename Inhibit, if they should not be deleted or renamed. There are several key file system attributes that can secure the file system:

Each of these file system attributes prevents a file or its name from being changed, thus maintaining its functionality. The Execute Only attribute should be used sparingly, since it cannot be removed once set. When planning a file system attribute scheme, flag files as Execute Only if they will not be upgraded in the future. If, for example, a network source for an office suite of applications is on the NetWare server, and the administrator sets the Execute Only attribute on the executable files, when the suite is upgraded in the same directory, the upgrade will fail.

The Shareable file system attribute is helpful in enabling applications to work appropriately. Some applications are not created for use in a networked system and do not natively support multiple users. To make the application work correctly, flag all the files in the applications directory as Shareable.

Implementing File System Security

File system security can be assigned in the NetWare Administrator program for both trustee rights and file system attributes. The NetWare Administrator offers a single point of administration for the entire NetWare network. The NetWare Administrator offers the ability to set both trustee rights to files and directories, and the ability to set file system attributes on both files and directories. The NetWare Administrator methods were reviewed in the exercises given previously. There are other ways to implement file system security, using command-line utilities offered in NetWare.

Trustee Rights

Trustee rights are usually implemented in the NetWare Administrator by adding the file or directory to the Rights to Files and Directories property page for users, groups, organizational roles, and organizational units. After adding the file to that property, the administrator selects the rights to be applied for that user to the file. If the administrator prefers, the rights can be assigned to the file or directory by using the Trustees of this File or Trustees of this Directory property page and adding the user, group, organizational role, or organizational unit to the list, then selecting the applicable trustee rights.

Sometimes it is easier for an administrator to use a command-line utility, and NetWare offers a DOS command-line utility for assigning trustee rights. It is available in the SYS:PUBLIC directory and is called RIGHTS.EXE. Using the RIGHTS command enables an administrator to grant, revoke, and view rights information at a DOS prompt. The administrator can also set the IRF and see which rights are inherited. A useful troubleshooting tool, RIGHTS, enables the user to view the current effective rights for a file or directory.

To assign a right with the RIGHTS command use the following syntax:

RIGHTS <path to file> + rights symbols /NAME=NDS distinguished name of user object

To view the currently assigned trustee rights, simply type RIGHTS at the prompt.

File System Attributes

In the NetWare Administrator, file system attributes are set from the Attributes property page of the file or directory. This can be somewhat cumbersome to manage, if, for example, you want to apply the Execute Only attribute to .EXE files, or if you want to apply a Shareable attribute to an entire directory system of hundreds of files in multiple subdirectories. NetWare offers a DOS command-line utility for changing file system attributes. It is the FLAG.EXE utility in the SYS:PUBLIC directory.

FLAG is similar to the DOS ATTRIB command. It can modify the file system attributes on either files or directories. To see the entire slew of FLAG options, type FLAG /? ALL at the DOS prompt. FLAG is most helpful for applying a single attribute to multiple files in multiple subdirectories, since a single command can affect hundreds of files at once. When using the FLAG command, please note that the N flag is not an attribute. Instead it is a flag that automatically assigns the default file attributes to a file. These are: Shareable and Read/Write.

Exercise 6-5 Using the FLAG Command on Multiple Files

  1. If drive F: is not mapped to volume SYS, then right-click Network Neighborhood, select Novell Map Network Drive, select drive F: under Device, and type \\SERVERNAME\SYS in the Path area; then click Map.
  2. On a Windows 95 workstation, open a DOS prompt window by choosing Start | Programs | MS-DOS Prompt.
  3. At the prompt, type F: and press ENTER.
  4. If the prompt does not read F:\PUBLIC, then type CD\PUBLIC and press ENTER.
  5. In this exercise, the F:\QUEUES directory will be flagged so that it will purge print files immediately. There is normally no need to keep them salvageable. Also, the files in PUBLIC and its subdirectories will be flagged as Read Only and Shareable. To flag the QUEUES directory, type FLAG F:\QUEUES\*.* P /DO and press ENTER.
  6. To flag the files in F:\PUBLIC and its subdirectories as Read Only and Shareable, type FLAG F:\PUBLIC\*.* Sh RO /FO and press ENTER.

Certification Summary

The file system security has two layers. One layer is the granting of access to end users, who are then called trustees. A trustee can also be a Group object, Organizational Role object, Organizational Unit object, and many other objects within Novell Directory Services (NDS).

Trustee rights for files and directories are: Supervisor, Read, Write, Create, Erase, Modify, File Scan, and Access Control [SRWCEMFA]. The Supervisor right includes all other access rights. Read and File Scan are the minimum rights required to see a file and execute it. Write allows changes to be made to the file. Create allows a user to create a new file or directory. Erase enables the user to delete a file or directory. Modify allows the user to change the file attributes. Read allows the user to open the file. File Scan allows the user to see the files listed in a directory listing or the Explorer. Access Control enables a user to grant other NDS objects trustee rights to that file or directory.

Trustee rights can be granted explicitly to a user. A trustee right granted to a user at an upper-level directory is inherited at lower-level directories, thus simplifying the need for explicit granting of rights. However, when planning the trustee rights for a directory, inheritance must be considered in order to avoid security problems. The Inherited Rights Filter, or IRF, is used to block rights from being inherited. For those rights to be granted to a trustee, the rights must be granted explicitly at that directory.

Security equivalence is a NetWare function that allows the administrator to make one trustee equal to another. Security equivalence can be granted through group membership, organizational role occupancy, or it can be an explicit addition to the Security Equal To property page of the User object. Implied security equivalence is where a User object automatically receives the trustee rights granted to the parent container object in NDS. Explicit security equivalence will appear in the Security Equal To property; implied security equivalence will not.

Effective rights are the actual rights in effect for any given file or directory that a trustee is accessing. The rights are calculated from the explicit rights granted to the trustee, plus the rights granted to the objects the trustee is security equivalent to, plus the rights inherited from upper directories, minus the rights blocked by the Inherited Rights Filter.

Trustee rights should be carefully planned, with the file system organized to keep secured files separate from less secure files. Trustee rights should be granted stringently at the top of the directory structure, and more generously below it, so that inheritance will not accidentally grant access to files that should be secure.

File system attributes in NetWare are similar to the file system attributes available in DOS, except that there are many more of them. The file system attributes can be applied to files and directories and control how they are used, regardless of the trustee rights granted to a user. For example, if a user is granted the Erase Trustee right, and a file system attribute for a file is Delete Inhibit, the user cannot delete the file. File system attributes should be planned according to the way that the files will be used.

Both trustee rights and file system attributes can be set in the NetWare Administrator. The RIGHTS command-line utility can be used to grant, revoke, or display trustee rights from a DOS prompt. The FLAG command-line utility can be used to set the file system attributes of files and directories. It is useful in that the administrator can set attributes on multiple files or directories.

Two-Minute Drill