
Chapter Six

Chapter Six. Working with NDS Security. Chapter Objectives: Describe NDS security and list the object and property rights. Identify the NDS security needs for Universal Aerospace. Use NetWare Administrator to set up NDS security.


Presentation Transcript


  1. Chapter Six Working with NDS Security

  2. Chapter Objectives • Describe NDS security and list the object and property rights • Identify the NDS security needs for Universal Aerospace • Use NetWare Administrator to set up NDS security • Identify the default object and property rights for the NDS system • Identify the similarities and differences between DS security and file system security

  3. NDS Trustees • Properties • Each NDS object contains certain fields of information about that object. These information fields are called properties. • Access Control List (ACL) Property • A multi-valued property that contains a list of the trustees for that object • A trustee is an object that is given special rights

  4. NDS Rights • Object Rights • Control what a trustee can do to the object itself • Property Rights • Determine what operations a trustee can perform on the data within an object’s property

  5. Object Rights

  6. Browse Right • Similar to the File Scan right in file system security. • Allows the trustee to see the object in the tree.

  7. Create Right • When assigned to a container, the create right allows the trustee to create leaf and sub-container objects. • Cannot be assigned to leaf objects.

  8. Rename, Delete and Supervisor • Rename and Delete rights allow the trustee to rename or delete the container or leaf object. • The Supervisor right provides all other rights including Supervisor rights to all properties.

  9. Inheritable Right • New right with NetWare 5. • Granting a trustee the Inheritable right allows the trustee’s object rights given in the trustee assignment to be inherited by all leaf objects and subcontainers.

  10. Property Rights

  11. Read and Compare Rights • The Read right allows the trustee to view the contents of the property. • The Compare right is a subset of the Read right and only allows the trustee to compare a given value to the property without actually viewing the contents of the property.

  12. Write and Add Self rights • The Write right allows a trustee to change the contents of a property. • The Add Self right is a special case of the Write right and allows a trustee to make themselves a member of the object, or remove themselves from the object. • Add self is usually only assigned to group type objects.

  13. Inheritable Right • Allows the trustee’s assignment to be inherited by sub-containers and leaf objects. • Can be assigned to All properties or selected properties. • Assigning Inheritable to a selected property allows only that property to be inherited by sub-containers and leaf objects.

  14. Effective Rights • What actions the trustee can perform as a result of one or more of the following: • Direct trustee assignment • Trustee assignment made to group or container • Trustee assignment made to parent container • Rights inherited from a parent container • Rights lost through an Inherited Rights Filter (IRF)

  15. Activity - User Trustee Assignment • In this activity you will create a new container for Kellie and make her a trustee of the new container with Object and Property rights. You will then check Kellie’s effective rights in the new container.

  16. Activity - Group Trustee Assignment • In this activity you will provide the ISMgrs group with NDS rights to your UAS Organization and then check effective rights for users.

  17. Activity - Container Trustee Assignment • In this activity you will use the drag and drop method to make your Engineering container a trustee of the EngData Directory Map object and then check effective rights for the users in the engineering department.

  18. Inherited Rights • NDS inherited rights are similar to the file system in that NDS object and property rights can flow down from a parent container to leaf objects and sub-containers. • A new feature with NetWare 5 is the Inheritable Right which is used to specify whether object or property rights will be inherited by leaf objects and subcontainers.

  19. Inherited Rights Filter • Each NDS object has an Inherited Rights Filter (IRF) for both Object and Property rights that controls what rights will be inherited by that object from its parent container. • Each property has its own IRF that controls what property rights will be inherited by that property from its parent container.

  20. Activity - Inherited Rights • In the first activity you will observe the effect of inherited rights on the members of the ISMgrs group. In the second activity you will use the Inheritable Right to prevent rights from being inherited by sub-containers.

  21. Activity - Inherited Property Rights • In this activity you will use inherited property rights to make the AdmAsst object a trustee of your UAS organization with rights to change address properties for all users.

  22. Activity - Default container rights • In this activity you will use NetWare Administrator to record the following trustees of the [root] container. • Admin has Supervisor rights to the [root] of tree. • [Public] has browse rights to the [root] of the tree.

  23. Activity - Default Server Rights • In this activity you will record the default trustees of the server object. • The Server object has Supervisor rights to itself. • The [public] object has the Read property right to the Messaging server property of a newly installed server.

  24. Activity - Default user trustees • In this activity you will record default trustees of a newly created user object. • The user has Read rights to all their properties. • The user has the Write property rights to their login script and print job configuration. • [public] has Read rights to the user’s Default Server property • [root] has Read rights to the user’s Group property.

  25. UAS Security Worksheet

  26. Activity - Trustee Assignments • In this activity you will change the Engineering container’s trustee assignment so that the users have Read rights to only the path property of the EngData Directory Map object. In addition you will make the ISMgrs group a trustee of the ISData Directory Map object and then verify user effective rights.

  27. Inheriting Selected Rights • With NetWare 5, the Inheritable Right exists on both the All property option and the Selected property option. • The Inheritable Right on Selected Properties allows a trustee assignment made to selected property of a container to be inherited by its leaf and sub-container objects.

  28. Activity - Inheriting Selected Rights • In this activity you will give Kellie the ability to maintain login scripts throughout the UAS organization by giving her a trustee assignment that includes the Inheritable Right to the login script property. You will then check her effective rights in sub-containers.

  29. Activity - Removing Selected Rights • Users entering or changing personal login scripts can cause problems for network administrators. • To prevent users from changing or entering personal login scripts, you can remove the Write right from their trustee assignment. • In this activity you will remove the Write right from the Login Script property of each of your Engineering department users.

  30. Activity - Managing a Container • In this activity you will do the following: • Modify your Mfg Organizational Unit structure • Move objects to the new container. • Give all rights to the MfgMgr role object. • Check effective rights

  31. Reducing Supervisor Rights • In contrast to file system security, in NDS you can reduce a trustee’s Supervisor rights to leaf objects and sub-containers using one of two methods: • Making a new trustee assignment that overrides the supervisor inherited rights. • Using the Inherited Rights Filter (IRF) to block inherited rights.

  32. Activity - Changing Supervisor Rights • In this activity you will reduce Chuck’s Supervisor right in the sub-container UAS by providing him with a new trustee assignment. You will then verify his effective rights in the UAS sub-container. • Because a trustee assignment can reduce inherited rights, accidentally removing a trustee assignment could actually increase a user’s effective rights by allowing inheritance from a parent container.

  33. Activity - Using an IRF to Block Rights • In this activity you will do the following: • Implement an IRF on the object rights of the AeroDyn container to block the ISMgrs group from inheriting Create and Rename rights. • Check effective rights. • Implement an IRF on the Login Script selected property.

  34. Independent Container Admin • Allows administration of a tree to be split among multiple administrators. • A Trustee is given Supervisor rights to a container and then an IRF is used to block Supervisor rights from being inherited. • An IRF cannot be used to block Supervisor rights until after a trustee assignment giving Supervisor rights to the container is made.

  35. Independent Container Admin • Suggestions: • Assign all rights, not just Supervisor to the container administrator object. • Use an Organizational Role object as the container administrator. • Have a user object as a backup container administrator.

  36. Activity - Private Container Admin • In this activity you will set up an independent container administrator and then use the IRF to block the Supervisor right from the new container.

  37. Chapter Summary • NDS Security consists of Object and Property rights. • Object Rights include: • Browse • Create • Delete • Rename • Supervisor • Inheritable

  38. Chapter Summary • Property Rights determine what actions a trustee can perform on object data residing in properties and include: • Read • Compare • Write • Add Self • Inheritable

  39. Chapter Summary • Property rights can be assigned either via • All properties • Selected properties • A trustee's effective rights include rights from group and container membership. • Each object has an Inherited Rights Filter that can be used to prevent certain rights from being inherited by that object.

  40. Chapter Summary • NDS Security is different from File System security in that the Supervisor right can be reassigned or blocked by an Inherited Rights Filter. • The [public] trustee object represents all workstations on the network. • The [root] trustee object represents all logged in users.

  41. Chapter Summary • Default Rights • Initial Installation. • Supervisor rights to Admin in root of tree • Browse rights to [public] in root of tree • New User • User has Read rights to all properties and Write to Login script and Print Jobs. • [Root] has Read rights to the Group property. • [Public] has Read rights to Default server.

  42. Chapter Summary • Default Rights (continued): • New Server • Installer has Supervisor rights • [public] has read to Messaging Server property • Inheritable right can be used to allow rights granted to selected properties to be inherited by leaf objects and sub-containers.
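
The effective-rights rules from slides 14, 18-19 and 31-34 can be traced with a small model. This is an added example, not part of the original presentation and not Novell code; it covers object rights only, treats the Inheritable right as a flag on each trustee assignment, and assumes a constructed tree (Tree, UAS, AeroDyn) in which Kellie is a member of ISMgrs.

```python
# Simplified model of NDS object-rights evaluation (added example, not Novell code).
RIGHTS = frozenset("BCDRS")  # Browse, Create, Delete, Rename, Supervisor

class Node:
    def __init__(self, name, parent=None, irf=RIGHTS):
        self.name, self.parent = name, parent
        self.irf = frozenset(irf)  # rights this object lets through from its parent
        self.acl = {}              # trustee -> (rights, inheritable flag)

    def grant(self, trustee, rights, inheritable=True):
        self.acl[trustee] = (frozenset(rights), inheritable)

def inherited(node, trustee):
    """Rights reaching node from above for one trustee, after node's IRF."""
    parent = node.parent
    if parent is None:
        return frozenset()
    if trustee in parent.acl:  # an explicit assignment replaces what flowed in
        rights, inheritable = parent.acl[trustee]
        flowing = rights if inheritable else frozenset()
    else:
        flowing = inherited(parent, trustee)
    return flowing & node.irf

def effective(node, identities):
    """Union over the user and every group/container the user is equivalent to."""
    total = frozenset()
    for t in identities:
        total |= node.acl[t][0] if t in node.acl else inherited(node, t)
    return RIGHTS if "S" in total else total  # Supervisor implies the rest

def demo():
    # Constructed tree: Tree -> UAS -> AeroDyn; names reused from the slides.
    tree = Node("Tree")
    uas = Node("UAS", tree)
    aero = Node("AeroDyn", uas, irf="BDS")  # IRF blocks Create and Rename
    tree.grant("Chuck", "S")
    uas.grant("Chuck", "BC")                # new assignment reduces Supervisor
    uas.grant("ISMgrs", "BCR")
    out = {"chuck_reduced": effective(uas, ["Chuck"]),
           "kellie_filtered": effective(aero, ["Kellie", "ISMgrs"])}
    del uas.acl["Chuck"]                    # the "accidental removal" case
    out["chuck_after_removal"] = effective(uas, ["Chuck"])
    return out

if __name__ == "__main__":
    for label, rights in demo().items():
        print(label, "".join(sorted(rights)))
```

The last result is the audit point from slide 32: deleting the reducing assignment restores the inherited Supervisor right, so trustee removals deserve the same review as trustee grants.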
