To remove a trust relationship, use the REMOVE TRUST/TRUSTED command and the REMOVE TRUST/PERMITTED command. For example:
```
LANDOFOZ\\TINMAN> REMOVE TRUST KANSAS/PERMITTED
Removing domain "KANSAS" from the Permitted Domains List will prevent
users in domain "LANDOFOZ" from accessing resources in domain "KANSAS".
If you choose to continue, you must also administer domain "KANSAS" and
remove "LANDOFOZ" from its list of Trusted Domains.
Do you want to continue with the removal [YES or NO] (YES) : YES
%PWRK-S-TRUSTREM, trust between domains "LANDOFOZ" and "KANSAS" removed
LANDOFOZ\\TINMAN>
```
When you remove a trust, both sides of the trust relationship must be
dissolved. The trusting domain must cease to trust the trusted domain,
and the trusted domain must cease to permit the trusting domain to
trust it. To reestablish the trust relationship, you again must supply
matching passwords for the trusting and trusted domains. If only one
side of the trust relationship is broken and reestablished, the trust
will appear to work in some ways and fail in others. For example, you
can grant resource access to a user from the trusted domain, but the
user is not actually granted the indicated access. To eliminate such
problems, remove the old trust relationships and establish new trust
relationships.
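The two-sided nature of a trust described above can be checked mechanically. The following is an added example, not code from the Advanced Server documentation: it models each domain's Trusted Domains and Permitted Domains lists (the dict layout and the sample state are assumptions) and reports relationships that exist on only one side, which is exactly the half-broken state the text warns about.

```python
# Added example, not part of the Advanced Server documentation: model both
# sides of a trust relationship and find relationships that are only half
# established. The dict shape and the sample state are assumptions.

def find_half_broken_trusts(domains):
    """domains maps each domain name to the two lists an administrator sees
    for it: 'trusted' (domains it trusts) and 'permitted' (domains permitted
    to trust it). Returns (trusting, trusted, problem) tuples for every
    relationship that is present on only one side."""
    problems = []
    for trusting, state in domains.items():
        # Side 1: the trusting domain lists the trusted domain ...
        for trusted in state["trusted"]:
            other = domains.get(trusted, {"permitted": []})
            if trusting not in other["permitted"]:
                problems.append((trusting, trusted,
                                 f'"{trusted}" does not permit "{trusting}"'))
    for permitting, state in domains.items():
        # Side 2: ... and the trusted domain permits the trusting domain.
        for permitted in state["permitted"]:
            other = domains.get(permitted, {"trusted": []})
            if permitting not in other["trusted"]:
                problems.append((permitted, permitting,
                                 f'"{permitted}" no longer trusts "{permitting}"'))
    return problems

# Constructed state: REMOVE TRUST KANSAS/PERMITTED was run on LANDOFOZ (as in
# the session above) but KANSAS was never administered, so KANSAS still lists
# LANDOFOZ as a trusted domain.
SAMPLE_DOMAINS = {
    "LANDOFOZ": {"trusted": [], "permitted": []},
    "KANSAS": {"trusted": ["LANDOFOZ"], "permitted": []},
}

if __name__ == "__main__":
    for trusting, trusted, problem in find_half_broken_trusts(SAMPLE_DOMAINS):
        print(f"{trusting} -> {trusted}: {problem}")
```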
2.2 Managing Security Policies
You can manage the following security policies: the account policy and the audit policy.
You manage the account policy for your domain using the SET ACCOUNT POLICY command. You can view the account policy with the SHOW ACCOUNT POLICY command. Changes to the account policy affect every user at the next logon.
The account policy characteristics that you can specify include:
To set the account policy for a domain:
Use the SET ACCOUNT POLICY command. For example, to set up your domain so that users are disconnected when they exceed their logon hours, use the SET ACCOUNT POLICY/FORCE_DISCONNECT command, as follows.
```
LANDOFOZ\\TINMAN> SET ACCOUNT POLICY/FORCE_DISCONNECT
%PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ"
```
To display the account policy for a domain:
Use the SHOW ACCOUNT POLICY command. For example:
```
LANDOFOZ\\TINMAN> SHOW ACCOUNT POLICY
Account Policy for domain "LANDOFOZ":
  Minimum password age (days)                : 1
  Maximum password age (days)                : 42
  Minimum password length                    : 0
  Length of password history maintained      : None
  Force user logoff after logon hours expire : YES
  Lock out account after how many bad password attempts : Never
  Role of server TINMAN: Primary Domain Controller
LANDOFOZ\\TINMAN>
```
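The SHOW ACCOUNT POLICY display above is easy to review by hand for one domain, but a script makes the check repeatable. The following is an added example, not code from the Advanced Server documentation: it parses a constructed copy of that display into a dictionary and flags settings that miss a review baseline (the baseline thresholds are assumptions chosen for illustration, not vendor defaults). On the sample display it reports the zero minimum password length, the absent password history and the lockout that never triggers.

```python
# Added example, not from the Advanced Server documentation: parse the
# SHOW ACCOUNT POLICY display into a dict and flag settings that fall below a
# review baseline. The baseline thresholds are assumptions for illustration.

# Constructed copy of the display shown in the session above.
ACCOUNT_POLICY_OUTPUT = """\
Account Policy for domain "LANDOFOZ":
  Minimum password age (days)                : 1
  Maximum password age (days)                : 42
  Minimum password length                    : 0
  Length of password history maintained      : None
  Force user logoff after logon hours expire : YES
  Lock out account after how many bad password attempts : Never
  Role of server TINMAN: Primary Domain Controller
"""

def parse_account_policy(text):
    """Return {label: value}; 'None' and 'Never' become 0, numbers become int."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("Account Policy"):
            continue  # skip the title line and anything without a value
        label, value = (part.strip() for part in line.split(":", 1))
        if value.upper() in ("NONE", "NEVER"):
            value = 0
        elif value.isdigit():
            value = int(value)
        policy[label] = value
    return policy

# Review baseline (assumed): (comparison, limit) per numeric setting.
BASELINE = {
    "Minimum password length": (">=", 8),
    "Length of password history maintained": (">=", 5),
    "Maximum password age (days)": ("<=", 90),
    "Lock out account after how many bad password attempts": (">=", 1),
}

def weak_settings(policy):
    """List every numeric setting that misses its baseline threshold."""
    findings = []
    for label, (op, limit) in BASELINE.items():
        value = policy.get(label)
        if not isinstance(value, int):
            continue  # setting absent or non-numeric: nothing to compare
        ok = value >= limit if op == ">=" else value <= limit
        if not ok:
            findings.append(f"{label}: {value} (expected {op} {limit})")
    return findings
```

Call `weak_settings(parse_account_policy(text))` on captured SHOW ACCOUNT POLICY output to get the list of findings.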
You specify the audit policy using the SET AUDIT POLICY command. When auditing is enabled, the server records security events in the Security event log. The server can record system-wide events, such as a user logging on, and file-specific events, such as a user attempting to access a specific file.
The audit policy affects Security event logging for all servers in the domain, because they share the same audit policy. You can specify whether to log failed events and successful events. See Table 2-1 for a list of the events that you can audit.
| Audit Event Name | Events Audited |
|---|---|
| ACCESS | A user accessing a directory or file that is set for auditing; a user sending a print job to a printer that is set for auditing |
| ACCOUNT_MANAGEMENT | Creating, changing, or deleting a user account or group; renaming, disabling, or enabling a user account; setting or changing a password |
| LOGONOFF | A user logging on or logging off; a user making a network connection |
| POLICY_CHANGE | Changing the audit policy; changing a trust relationship; changing user rights policies |
| PROCESS | Program activation; handle duplication; indirect object access; process exit |
| SYSTEM | A user starting or restarting a server; a system security event; an event that affects the security log |
| USER_RIGHTS | A user exercising a user right such as accessing a file, except for logon/logoff rights |
To display the audit policy for a domain:
Use the SHOW AUDIT POLICY command. For example:
```
LANDOFOZ\\TINMAN> SHOW AUDIT POLICY
Audit Policy for domain "LANDOFOZ":
  Auditing is currently Disabled.
  Audit Event states:
    Audit Event         Success    Failure
    ------------------  --------   --------
    ACCESS              Disabled   Disabled
    ACCOUNT_MANAGEMENT  Disabled   Disabled
    LOGONOFF            Disabled   Disabled
    POLICY_CHANGE       Disabled   Disabled
    PROCESS             Disabled   Disabled
    SYSTEM              Disabled   Disabled
    USER_RIGHTS         Disabled   Disabled
LANDOFOZ\\TINMAN>
```
To enable auditing and set the audit policy for a domain:
Use the SET AUDIT POLICY/AUDIT command. For example, to enable auditing of successful logon and logoff operations, enter the following command.
```
LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/SUCCESS=LOGONOFF
%PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"
LANDOFOZ\\TINMAN> SHOW AUDIT POLICY
Audit Policy for domain "LANDOFOZ":
  Auditing is currently Enabled.
  Audit Event states:
    Audit Event         Success    Failure
    ------------------  --------   --------
    ACCESS              Disabled   Disabled
    ACCOUNT_MANAGEMENT  Disabled   Disabled
    LOGONOFF            Enabled    Disabled
    POLICY_CHANGE       Disabled   Disabled
    PROCESS             Disabled   Disabled
    SYSTEM              Disabled   Disabled
    USER_RIGHTS         Disabled   Disabled
LANDOFOZ\\TINMAN>
```
To enable auditing of all events, use the following command:
SET AUDIT POLICY/AUDIT/SUCCESS=ALL/FAILURE=ALL
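A domain-wide audit policy is worth verifying after every change, since the display above shows that enabling one class leaves the others off. The following is an added example, not code from the Advanced Server documentation: it parses a constructed copy of the SHOW AUDIT POLICY display and lists the event classes that are still not audited for success or failure. The REQUIRED set is an assumed review baseline, not a vendor recommendation.

```python
# Added example, not from the Advanced Server documentation: parse the
# SHOW AUDIT POLICY display and report event classes that are still disabled.
# The REQUIRED baseline is an assumption for illustration.

# Constructed copy of the display after SET AUDIT POLICY/AUDIT/SUCCESS=LOGONOFF.
AUDIT_POLICY_OUTPUT = """\
Audit Policy for domain "LANDOFOZ":
  Auditing is currently Enabled.
  Audit Event states:
    Audit Event         Success    Failure
    ------------------  --------   --------
    ACCESS              Disabled   Disabled
    ACCOUNT_MANAGEMENT  Disabled   Disabled
    LOGONOFF            Enabled    Disabled
    POLICY_CHANGE       Disabled   Disabled
    PROCESS             Disabled   Disabled
    SYSTEM              Disabled   Disabled
    USER_RIGHTS         Disabled   Disabled
"""

def parse_audit_policy(text):
    """Return (auditing_enabled, {event: (success_on, failure_on)})."""
    enabled = "Auditing is currently Enabled" in text
    states = {}
    for line in text.splitlines():
        parts = line.split()
        # Event rows are three tokens led by an upper-case event name; the
        # column header and the dashed rule never match this shape.
        if len(parts) == 3 and parts[0].isupper():
            states[parts[0]] = (parts[1] == "Enabled", parts[2] == "Enabled")
    return enabled, states

# Classes whose success and failure records feed logon, account-change and
# policy-change detection (assumed baseline).
REQUIRED = ("LOGONOFF", "ACCOUNT_MANAGEMENT", "POLICY_CHANGE", "SYSTEM")

def audit_gaps(enabled, states):
    """Return readable gaps; a disabled domain policy short-circuits."""
    if not enabled:
        return ["auditing is disabled for the domain"]
    gaps = []
    for event in REQUIRED:
        success, failure = states.get(event, (False, False))
        if not success:
            gaps.append(f"{event}: success auditing disabled")
        if not failure:
            gaps.append(f"{event}: failure auditing disabled")
    return gaps
```

Run `audit_gaps(*parse_audit_policy(text))` on captured SHOW AUDIT POLICY output; an empty list means every required class is audited both ways.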
2.3 Managing a Server
When you manage a server, you can display server information, send
messages to users, and start and stop services.
2.3.1 Displaying Server Information
You can display information about the server including connections,
user sessions, shared resources, and the software version number.
2.3.1.1 Displaying Connections
As you manage your server, you may need to know which connections are active. A connection is a virtual link between a workstation or a server process and a shared resource on a server.
To display existing connections:
Use the SHOW CONNECTIONS command. The SHOW CONNECTIONS command displays information about active connections to the server, including connections from the Advanced Server. The information about each connection includes:
The following example displays information about all the connections to the server currently being administered (TINMAN).
```
LANDOFOZ\\TINMAN> SHOW CONNECTIONS
Connections on server "TINMAN":

User name             Computer name    Share name         Opens  Time
--------------------  ---------------  -----------------  -----  --------
ADMINISTRATOR         TINMAN_176       IPC$                   3  0 11:30
SCARECROW             TINMAN_149       ADMIN$                 0  0 00:00
SCARECROW             TINMAN_149       IPC$                   0  0 00:00
SCARECROW             TINMAN_149       IPC$                   1  0 00:00
SCARECROW             TINMAN_149       RAINBOW                0  0 06:14

Total of 5 connections
```
As you manage your server, you may need to know which sessions are active. A session is a network link between a workstation and a server. A session can have one or more connections to shared resources.
To display existing sessions, use the SHOW SESSIONS command. You can include the /SERVER qualifier to display sessions on a specific server. The display includes:
For example:
```
LANDOFOZ\\TINMAN> SHOW SESSIONS/SERVER=WOODMAN
User sessions on server "WOODMAN":

Connected Users     Computer   Opens  Time     Idle     Guest
------------------  ---------  -----  -------  -------  -----
ADMINISTRATOR       DOROTHY        1  1 24:54  0 00:00  No
SCARECROW           DOROTHY        3  0 03:48  0 00:03  No

Total of 2 connected users
LANDOFOZ\\TINMAN>
```
The Advanced Server allows you to display information about shared resources. You can display information about the share permissions and the OpenVMS protections on them, as well as the maximum number of connections to the share allowed at one time. You can specify display of only the active shares (those currently connected to) or by the type of share (printers or directories).
To see shared resources from the current server:
Use the SHOW SHARES command. This command displays:
Specify the share name to display information about only one share. Use the /FULL qualifier to display detailed information about each share.
For example, the following command displays the shares on the server currently being administered (TINMAN):
```
LANDOFOZ\\TINMAN> SHOW SHARES
Shared resources on Server "TINMAN":

Name       Type       Description
---------  ---------  ----------------------------------
NETLOGON   Directory  Logon Scripts Directory
RAINBOW    Directory  Local Oz Share
PWLIC      Directory  PATHWORKS Client License Software
PWLICENSE  Directory  PATHWORKS Client License Software
PWUTIL     Directory  PATHWORKS Client-based Utilities
USERS      Directory  Users Directory

Total of 6 shares
LANDOFOZ\\TINMAN>
```
You can verify the version number of Advanced Server software.
To display the version number of server software on your system:
Use the SHOW VERSION command. For example:
```
LANDOFOZ\\TINMAN> SHOW VERSION
Advanced Server V7.2 for OpenVMS
LANDOFOZ\\TINMAN>
```
This command is valid for PATHWORKS for OpenVMS (Advanced Server) and Advanced Server for OpenVMS servers only.
2.3.2 Sending Messages to Users
You should send messages to users before you change the operating characteristics of a server. For example, you might send a message before disconnecting users or if you need to stop sharing a resource on a computer. For a message to be sent and received, the Alerter service must be running on the computer sending the message, and the Messenger service must be running on the computer receiving the message.
The Messenger service is not supported by Advanced Server. Therefore, users on Advanced Servers will not receive messages sent this way.
For example, the following command sends the message "Shutdown at 1pm today!!!" to the computer called DOROTHY.
```
LANDOFOZ\\TINMAN> SEND DOROTHY "Shutdown at 1pm today!!!"
LANDOFOZ\\TINMAN>
```
The message is displayed in a Messenger Service pop-up window on computer DOROTHY in the following form:
```
Message from TINMAN to DOROTHY on 8/31/98 11:20 AM
"Shutdown at 1pm today!!!"
```
You can also send a message from a specific server in your domain to a specific group of users in your domain with the /SERVER=servername qualifier, and you can send a message to all users on a server with the /USERS qualifier.
To send a message to users on a specific server:
Use the /USERS and /SERVER qualifiers. For example, the following command sends the message "Shutdown at 1pm today!!!" to all users connected to server WOODMAN.
```
LANDOFOZ\\TINMAN> SEND/USERS/SERVER=WOODMAN "Shutdown at 1pm today!!!"
LANDOFOZ\\TINMAN>
```
This command may take a few minutes to complete.
2.3.3 Managing Services
To manage Advanced Server services, you need to know how to start and stop services and how to configure service startup. Services are set up during server installation and configuration.
You can start and stop each of the services available on the computer and determine whether a service will start up automatically when the system starts. You must be logged on to a user account that has membership in the Administrators group or the Server Operators group to perform these operations. Table 2-2, Network Services on the Advanced Server, shows the default services provided with Advanced Server.
Service | Description | Supported on Advanced Servers | Starts by Default | Can Be Paused | Can Be Stopped |
---|---|---|---|---|---|
Alerter | Notifies selected users and computers of administrative alerts that occur on this server. Used by the server and other services. | Yes | Yes | No | Yes |
Browser | Lists network entities, such as domains, computers, and shared resources. | Yes | Yes | No | Yes |
EventLog | Records system, security, and application events in the event logs, and enables remote access to those logs. Cannot be stopped separately; stops together with the Server service. | Yes | Yes | No | No |
NetLogon | Verifies the user name and password of each user who attempts to log on to the network or gain access to the server. Synchronizes security databases. | Yes | Yes | Yes | Yes |
Server | Provides file and print sharing. | Yes | Yes | Yes | No 1 |
TimeSource | Identifies a server as the time server for a domain. Other computers synchronize their clocks with the time server. | Yes | No | No | Yes |
Replicator | Replicates user directories and files. | No | No | No | No |
Messenger | Allows receipt of server management messages. | No | No | No | No |
The Alerter, NetLogon, and TimeSource services can be enabled and
disabled by adding them to the list of services associated with the
SrvServices server configuration parameter stored in
the OpenVMS Registry, as described in Section 7.2, Managing Server Configuration Parameters. When a service is
enabled, it is started automatically when the Advanced Server starts.
2.3.3.1 Displaying Services
As you manage your server, you may need to know the state of network services.
To display available services:
Use the SHOW SERVICES command. For example:
```
LANDOFOZ\\TINMAN> SHOW SERVICES
Services on server "TINMAN":

Service         Current State
--------------  ---------------
ALERTER         Started
BROWSER         Started
EVENTLOG        Started
NETLOGON        Started
SERVER          Started
TIMESOURCE      Started

Total of 6 services
LANDOFOZ\\TINMAN>
```
By default, the Server, Alerter, Browser, and NetLogon services are started automatically when the server is started.
To start a service, use the START SERVICE command, specifying the full service name. For example:
```
LANDOFOZ\\TINMAN> START SERVICE TIMESOURCE
%PWRK-S-SVCSTART, service "TIMESOURCE" started on server "TINMAN"
LANDOFOZ\\TINMAN>
```
You can suspend execution of the Server and NetLogon services. Unlike stopping a service, pausing does not cancel resource sharing, terminate connections, or change any settings associated with the service.
Pausing the Server service prevents users from making new connections to the server's shared resources; however, users who have already connected to shared resources can continue to use the resources. Pausing the Server service does not prevent users who are members of the Administrators group from connecting to the service.
Pausing the NetLogon service prevents the server from validating logons and synchronizing the domain's user account database.
To pause a service, use the PAUSE SERVICE command. For example:
```
LANDOFOZ\\TINMAN> PAUSE SERVICE SERVER
Do you really want to pause service "SERVER" [YES or NO] (YES): YES
%PWRK-S-SVCPAUSE, service "SERVER" paused on server "TINMAN"
LANDOFOZ\\TINMAN>
```
You can use the CONTINUE SERVICE command to continue a paused service. When you continue a service, you restore access to the service.
To continue a paused service, use the CONTINUE SERVICE command. For example:
```
LANDOFOZ\\TINMAN> CONTINUE SERVICE SERVER
%PWRK-S-SVCCONT, service "SERVER" continued on server "TINMAN"
LANDOFOZ\\TINMAN>
```
Stopping a service disables all operations provided by that service. You can use ADMINISTER commands to stop the services marked "Can Be Stopped" in Table 2-2: Alerter, Browser, NetLogon, and TimeSource.
To stop the Server service, use the PWRK$SHUTDOWN.COM command procedure, as described in the Advanced Server for OpenVMS Server Installation and Configuration Guide. Before you stop the Server service, you should follow these steps:
To stop a service, use the STOP SERVICE command. For example:
```
LANDOFOZ\\TINMAN> STOP SERVICE TIMESOURCE
Do you really want to stop service "TIMESOURCE" [YES or NO] (YES): YES
%PWRK-S-SVCSTOP, service "TIMESOURCE" stopped on server "TINMAN"
LANDOFOZ\\TINMAN>
```