[Front] [Prev Chapter] [Next Chapter]

Chapter 14 Securing Information

Enabling Security

Security on a Standalone Computer

Security with the Network


There are four aspects to keeping information secure with this operating system:

Enabling Security

Before you enable security, it is recommended that you scan the computer for viruses, take a backup of the hard disk, and remove any options to load other operating systems. To enable security, use the SETUP program as follows:

1. At the system prompt, type the following:

SETUP <Enter>

2. Select the Data Protection and Security option, and then select Configure Security.

SETUP shows whether security is currently enabled or disabled. If you are enabling security for the first time, select the Enable Security option.

3. You are prompted to enter a password.

This password is the master key password. You must use alphanumeric characters for the password. The maximum length for a password is 15 characters.

NOTE: When you choose a password, do not choose one that is too easy to guess, such as your own name, but do not use one that you find hard to remember. Use a nonsense word, or put some numbers into a word to make it harder for anyone to guess your password.

This password is used with both standalone and network security.

WARNING: Do not forget the master key password. If you enable security and specify a master key password, you must enter this password before you can gain access to the computer.

4. Save the changes you made and exit SETUP.

Now, when you reboot your computer, you are prompted for the master key password before you gain access to your computer.

If your computer is not part of a network, read the following section "Security on a Standalone Computer" to learn about using security on your computer. If your computer is part of a network, read the section "Security With the Network" on page 14-4.

NOTE: Once you enable security, you might find that some third party disk utilities report errors in the partition table. You can ignore these messages. However, if you suspect that the disk is corrupted, do not try to use a third party utility to correct this until you have disabled security and restarted your computer.

Security on a Standalone Computer

When a computer is not part of a network, there are several ways to keep the information on the computer secure from unauthorized access. They are as follows:

Using the Master Key Password to Protect the Hard Disk

The master key password prevents unauthorized users from gaining access to your computer unless they know this password. When you reboot your computer, the operating system detects that security is enabled and prompts for the master key password. You must enter the password in order to obtain access to the operating system.

You set the master key password when you enabled security in SETUP. You can also use SETUP to change this password.

Security also protects the hard disk from unauthorized access by denying access to the hard disk, when an attempt is made to boot an operating system from diskette.

If you have more than one operating system loaded on your hard disk, you must supply the master key password to load any other operating systems as well as DR-DOS.

Locking your Computer with the Screen Saver

Use the screen saver to lock your computer if you are going to leave it unattended for a short while and do not want to switch it off. You can invoke the screen saver from the command line or in
MS Windows, or you can use it as a TSR. To use it as a TSR, set a timeout limit so that if there has been no user input for the specified time, the screen saver locks the screen automatically. In order to regain access to your computer you must enter the master key password, or the password you specified when you started the LOCK program.

Refer to the description of the LOCK command in the "Command Reference" chapter of DOSBook for more details about locking your computer. Note that you can use LOCK whether or not you have enabled security on your computer.

Protecting Files and Directories with Passwords

You can protect files and directories individually by assigning passwords to them. Refer to the description of the PASSWORD command in the "Command Reference" chapter of DOSBook to learn how to use this command to assign passwords to files and directories.

Security With the Network

NOTE: Refer to Chapter 3, "Installing Personal NetWare" for a description of how to install the network software, and to Chapter 20, "Setting Up the Network," for a description of how to set up the network.

In order to keep information secure on a computer that is part of the network, there are various issues that you need to consider. When you load the network software on a computer so that it can be a Personal NetWare server, you are opening up access to the resources available on that computer. You need to ensure that all users have access to the resources that they need, but also to make sure that unauthorized access is not possible.

The following is a brief description of some of the features of the operating system network that you can use to make sure that information on your computer is secure. For a more detailed description of any of these aspects of workgroup administration refer to Chapter 20, "Setting Up the Network," and Chapter 21, "Using the Network."

Using Access Rights

You can set access rights on shared directories and shared printers. Access rights set the level of access for that resource. When you assign access rights, you need to consider both the default access rights that apply to the resource, and the non-default rights that you can give to a particular user for that particular resource. Make sure that the default access rights for the shared directory are suitable for the workgroup as a whole, and assign non-default rights only when needed. The following is a list of rights available for shared directories.
Right

Explanation

All

This gives users all rights to the shared directory.

None

This stops users from having any access to the shared directory.

Read

This allows users to read files in the shared directory and execute them where appropriate.

Write

This allows users to write to files in the shared directory, create and delete files, but not read them.

Shared printers have the rights ALL or NONE.

Setting Passwords on Accounts

If you want to ensure that accounts on the network are secure, give each account a password. When you create an account, specify that the account requires a password. Then give a password for the account. Tell the user of the new account what the password is, so the user can log in and change that password.

The SUPERVISOR Account

In order to be secure, this account must have a password. If you do not set a password for this account, anyone can log in to your workgroup and change the way the workgroup, accounts, and resources are set up.

It is a good idea to reserve use of the SUPERVISOR account for workgroup or server administration only. Use another account for day-to-day work.

The GUEST Account

While user accounts have passwords set on them, you may like to have an account that does not belong to any one user. This is often called the GUEST account. Since this account is meant to give limited access to anyone, you may not want to set a password on this account. If you do not set a password on the account, make sure that the default access rights for all resources are suitable for an account that anyone could use, and assign non-default access rights where appropriate. You could also alter the login times for the account, restricting use of the GUEST account to office hours, for example.

If you do set a password on this account, you can change the settings so that a user of the GUEST account cannot change the password.

Creating Local Users

When you enable security on a computer that is a Personal NetWare server, you can give local access to workgroup users by creating local users for the computer. A local user must enter a username and password to gain access to the resources on that computer when the computer is switched on. When you make a local user account, you can give access for that account to the hard disk, diskette drives, printer, one-time login facility, and the serial communication ports.

Assigning Workgroup Administrator Privileges

If you give an account workgroup administrator privileges, then the user for that account can make changes to the way in which the workgroup and the resources are set up. Make sure that you only give workgroup administrator privileges to users that you want to be able to perform workgroup administration tasks.

Choosing the Security Loadable Module

The security loadable module is one of the modules that is loaded automatically. In order to save space in memory, you can choose not to load some of the modules. If you do not load the security module, then access rights no longer apply, and all users have access to all the resources.

Disabling an Account

If you suspect that an account is being misused, you can disable that account. The account still exists in the user database but no-one can use the account

Using the Master Key Password

The master key password is the one you set when you enabled security. On a computer that has local users, you can use this password in place of any user password.

Protecting the Hard Disk on the Client or Server

Once you have enabled security, the hard disk is protected from access via the diskette drive. If anyone attempts to boot up your machine using a diskette, they are unable to gain access to the hard disk, no matter what operating system they are trying to load.

Locking the Client or Server

The LOCK screen saver is available on both server and client computers. Local users can use LOCK as a TSR, and specify a timeout period. Once LOCK is invoked, either by elapsed time or from the command line, you must type in the user password for that account to regain access to that computer.

On a client computer, use the master key password to regain access after using LOCK. Refer to the description of LOCK in the "Command Reference" chapter of DOSBook for more information on using the screen saver and locking your computer.

Protecting Files and Directories with Passwords

You can use the PASSWORD command to protect files and directories, but note that you will not be able to access a file or directory that is protected by a password across the network. You can only access such a file or directory from the machine that holds that file or directory.

Security with Backups

When you take a backup, you make a copy of the information on your machine. You can use this copy to replace lost or corrupted information. If there is only one copy of the information kept in one place, for example, on the hard disk, and the hard disk is corrupted in some way, you lose all that information. With a backup copy, it only takes a short time to restore the lost information.

Before you start taking backups, it is a good idea to plan how often you need to take backups and what type of backup you need to make.

One backup plan might be to take a full backup once a week, and at the end of each day, take a partial backup of the files that have changed since the last backup was made. You must set your own backup plan according to what information is essential, or changes frequently. Once you have made a backup plan, carry it out rigorously.

NOTE: A full backup of a hard disk is time-consuming and, if you are copying files to diskette, can use a lot of diskettes. Make sure that you have a plentiful supply of diskettes and labels. Write the label for each diskette using the name displayed as files are being copied to that diskette.



[Front] [Prev Chapter] [Next Chapter]

info@caldera.com
Copyright © 1993, 1997, 1998 Caldera, Inc. All rights reserved.