To remove a trust relationship, use the REMOVE TRUST/TRUSTED command on the trusting domain and the REMOVE TRUST/PERMITTED command on the trusted domain. For example, the following command, entered on a server in domain LANDOFOZ, removes KANSAS from LANDOFOZ's Permitted Domains list:

    LANDOFOZ\TINMAN> REMOVE TRUST KANSAS/PERMITTED
    Removing domain "KANSAS" from the Permitted Domains List will prevent
    users in domain "LANDOFOZ" from accessing resources in domain "KANSAS".
    If you choose to continue, you must also administer domain "KANSAS"
    and remove "LANDOFOZ" from its list of Trusted Domains.
    Do you want to continue with the removal [YES or NO] (YES) : YES
    %PWRK-S-TRUSTREM, trust between domains "LANDOFOZ" and "KANSAS" removed
    LANDOFOZ\TINMAN>
When you remove a trust, both sides of the trust relationship must be
dissolved. The trusting domain must cease to trust the trusted domain,
and the trusted domain must cease to permit the trusting domain to
trust it. To reestablish the trust relationship, you again must supply
matching passwords for the trusting and trusted domains. If only one
side of the trust relationship is broken and reestablished, the trust
will appear to work in some ways and fail in others. For example, you
can grant resource access to a user from the trusted domain, but the
user is not actually granted the indicated access. To eliminate such
problems, remove the old trust relationships and establish new trust
relationships.
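The following is an added example, not code from the PATHWORKS manual. Given each domain's Trusted Domains list and Permitted Domains list, it finds trusts that exist on one side only (the half-broken state described above) and prints the pair of REMOVE TRUST commands, one per domain, that dissolve a trust completely. The domain lists are constructed for illustration, and the prompts show only the domain name because the sample data carries no server names.

```python
"""Added example, not part of the PATHWORKS manual: find trusts that are
configured on one side only (the half-broken state the text above warns
about) and print the REMOVE TRUST commands that dissolve a trust completely,
one on each domain.  The domain lists below are constructed; prompts show
only the domain name, since the data carries no server names."""

# Constructed sample.  TRUSTED[d] is d's Trusted Domains list (domains that
# d trusts); PERMITTED[d] is d's Permitted Domains list (domains that d
# allows to trust it).  "KANSAS trusts LANDOFOZ" is only complete when
# "LANDOFOZ" in TRUSTED["KANSAS"] and "KANSAS" in PERMITTED["LANDOFOZ"].
TRUSTED = {
    "KANSAS":   {"LANDOFOZ"},
    "LANDOFOZ": {"EMERALD"},   # EMERALD never permitted this: half a trust
    "EMERALD":  set(),
    "MUNCHKIN": set(),
}
PERMITTED = {
    "LANDOFOZ": {"KANSAS", "MUNCHKIN"},   # MUNCHKIN does not trust LANDOFOZ
    "KANSAS":   set(),
    "EMERALD":  set(),
    "MUNCHKIN": set(),
}


def trust_pairs(trusted, permitted):
    """(trusting, trusted) pairs as recorded on the trusting side and as
    recorded on the trusted side."""
    from_trusting = {(d, t) for d, ts in trusted.items() for t in ts}
    from_trusted = {(d, t) for t, ds in permitted.items() for d in ds}
    return from_trusting, from_trusted


def half_trusts(trusted, permitted):
    """Pairs present on one side only.  Returns
    (trusts with no matching permission, permissions with no matching trust)."""
    side_a, side_b = trust_pairs(trusted, permitted)
    return sorted(side_a - side_b), sorted(side_b - side_a)


def removal_commands(trusting, trusted_domain):
    """The two ADMIN commands that fully dissolve one trust: the trusting
    domain drops the trusted domain, the trusted domain drops the permission.
    Each line is prefixed with the domain it must be run in."""
    return [
        f"{trusting}> REMOVE TRUST {trusted_domain}/TRUSTED",
        f"{trusted_domain}> REMOVE TRUST {trusting}/PERMITTED",
    ]


if __name__ == "__main__":
    no_permission, no_trust = half_trusts(TRUSTED, PERMITTED)
    for d, t in no_permission:
        print(f"{d} trusts {t}, but {t} does not permit {d} to trust it")
    for d, t in no_trust:
        print(f"{t} permits {d} to trust it, but {d} does not trust {t}")
    # Dissolve every half-configured trust on both sides; it can then be
    # re-created with matching passwords on the trusting and trusted domains.
    for d, t in no_permission + no_trust:
        print("\n".join(removal_commands(d, t)))
```

Run it with the two lists taken from SHOW TRUST on each domain; the output tells you which REMOVE TRUST command to type in which domain before re-creating the trust with matching passwords.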
2.3 Managing Security Policies
You can manage two security policies for a domain: the account policy, which sets the password, lockout, and logon-hours rules, and the audit policy, which selects the events recorded in the Security event log.

You manage the account policy for your domain using the SET ACCOUNT POLICY command. You can view the account policy with the SHOW ACCOUNT POLICY command. Changes to the account policy affect every user at the next logon.

The following table lists the qualifiers you can specify with the SET ACCOUNT POLICY command.
Qualifier | Meaning
---|---
/[NO]FORCE_DISCONNECT | Controls whether a user's connections to any server in the domain are forcibly disconnected when the account exceeds the logon hours defined for it. This affects only users who are already logged on. /NOFORCE_DISCONNECT, the default, leaves existing connections in place but allows no new ones. Regardless of this setting, users cannot make new connections to a server outside their logon hours or after their accounts expire.
/[NO]LOCK_OUT=(ATTEMPTS=n) | Controls whether an account is locked out after too many failed logon attempts. With /LOCK_OUT, ATTEMPTS=n (n = 1 to 999) is the number of failed logon attempts after which the account is locked out; a failed logon attempt is one in which the user supplies an incorrect password. /NOLOCK_OUT, the default, means accounts are never locked out regardless of the number of failed attempts.
/PASSWORD_POLICY=(keyword[,...]) | Specifies password policies for the domain. The keywords are listed in the following table.

The keywords you can use with /PASSWORD_POLICY are:

Keyword | Meaning
---|---
[NO]MAXAGE[=n] | Maximum password age: the maximum number of days a password can be used before the server requires the user to change it. You can specify 1 to 999 days; the default is 42 days. NOMAXAGE means passwords never expire.
[NO]MINAGE[=n] | Minimum password age: the minimum number of days a password must be used before the user can change it. You can specify 1 to 999 days; the default is 1 day. NOMINAGE means a password can be changed again immediately.
MINLENGTH=n | Minimum password length: the minimum number of characters in a password. You can specify 0 (blank passwords are allowed) to 14; the default is 0. Coordinate this value with the OpenVMS password policy if you are using external authorization.
[NO]HISTORY[=n] | Password history: the number of new passwords a user must use before an old password can be reused. You can specify 1 to 8; the default is 0 (no password history is maintained). NOHISTORY means no password history is maintained.

Note that with the defaults (/NOLOCK_OUT, MINLENGTH=0, and no history) nothing limits repeated password guesses, blank passwords are accepted, and old passwords can be reused; set these values explicitly rather than relying on the defaults.
To set the account policy for a domain:
Use the SET ACCOUNT POLICY command. For example, to set up your domain so that users are disconnected when they exceed their logon hours, use the SET ACCOUNT POLICY/FORCE_DISCONNECT command, as follows.
    LANDOFOZ\TINMAN> SET ACCOUNT POLICY/FORCE_DISCONNECT
    %PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ"
To display the account policy for a domain:
Use the SHOW ACCOUNT POLICY command. For example:
    LANDOFOZ\TINMAN> SHOW ACCOUNT POLICY
    Account Policy for domain "LANDOFOZ":
      Minimum password age (days)                           : 1
      Maximum password age (days)                           : 42
      Minimum password length                               : 0
      Length of password history maintained                 : None
      Force user logoff after logon hours expire            : YES
      Lock out account after how many bad password attempts : Never
    Role of server TINMAN:  Primary Domain Controller
    LANDOFOZ\TINMAN>
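The following is an added example, not code from the PATHWORKS manual. It parses the text that SHOW ACCOUNT POLICY prints, compares it with a password and lockout baseline, and builds the single SET ACCOUNT POLICY command that would close the gaps. The sample output is the one shown above; the baseline values (minimum length 8, history 5, maximum age 90 days, lockout after 5 attempts) are assumptions chosen inside the ranges the qualifier table allows, not values recommended by the manual.

```python
"""Added example (not code from the PATHWORKS manual): parse the text that
SHOW ACCOUNT POLICY prints, compare it with a password/lockout baseline and
build the SET ACCOUNT POLICY command that closes the gaps.  The sample
output is the one shown on this page; the baseline values are assumptions,
chosen within the ranges the qualifier table allows."""
import re

# Sample copied from this page's SHOW ACCOUNT POLICY example: a domain still
# on the defaults (no lockout, blank passwords allowed, no history).
ACCOUNT_POLICY_OUTPUT = """\
Account Policy for domain "LANDOFOZ":
Minimum password age (days)                           : 1
Maximum password age (days)                           : 42
Minimum password length                               : 0
Length of password history maintained                 : None
Force user logoff after logon hours expire            : YES
Lock out account after how many bad password attempts : Never
Role of server TINMAN:  Primary Domain Controller
"""

# Assumed baseline (not from the manual).  MINLENGTH tops out at 14 and
# HISTORY at 8, so both values stay inside the documented ranges.
BASELINE = {"min_length": 8, "history": 5, "max_age": 90, "lockout": 5}

# Labels exactly as the server prints them.
LABELS = {
    "min_length": "Minimum password length",
    "history":    "Length of password history maintained",
    "max_age":    "Maximum password age (days)",
    "lockout":    "Lock out account after how many bad password attempts",
    "force_off":  "Force user logoff after logon hours expire",
}


def parse_account_policy(text):
    """Map each 'label : value' line to a value.  'None' (no history kept)
    and 'Never' (no lockout) become 0 so they compare as 'less than any
    baseline'; other numbers become ints, the rest stay strings."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*:\s+(\S.*?)\s*$", line)
        if not m:
            continue                      # header line, or no value after ':'
        label, value = m.groups()
        if value in ("None", "Never"):
            value = 0
        elif value.isdigit():
            value = int(value)
        policy[label] = value
    return policy


def account_policy_fixes(policy, baseline=BASELINE):
    """Return the SET ACCOUNT POLICY command needed to meet the baseline,
    or None when the domain already complies."""
    pw, quals = [], []
    if policy[LABELS["min_length"]] < baseline["min_length"]:
        pw.append(f"MINLENGTH={baseline['min_length']}")
    if policy[LABELS["history"]] < baseline["history"]:
        pw.append(f"HISTORY={baseline['history']}")
    max_age = policy[LABELS["max_age"]]
    if max_age == 0 or max_age > baseline["max_age"]:   # 0: NOMAXAGE, never expires
        pw.append(f"MAXAGE={baseline['max_age']}")
    lockout = policy[LABELS["lockout"]]
    if lockout == 0 or lockout > baseline["lockout"]:    # 0: /NOLOCK_OUT
        quals.append(f"/LOCK_OUT=(ATTEMPTS={baseline['lockout']})")
    if policy[LABELS["force_off"]] != "YES":
        quals.append("/FORCE_DISCONNECT")
    if pw:
        quals.append("/PASSWORD_POLICY=(" + ",".join(pw) + ")")
    return "SET ACCOUNT POLICY" + "".join(quals) if quals else None


if __name__ == "__main__":
    current = parse_account_policy(ACCOUNT_POLICY_OUTPUT)
    print(account_policy_fixes(current) or "account policy meets the baseline")
```

Capture the real SHOW ACCOUNT POLICY output to a file on the server and feed it to parse_account_policy; the command the script prints can be pasted back into ADMIN as-is.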
You specify the audit policy using the SET AUDIT POLICY command. When auditing is enabled, the server records security events in the Security event log. The server can record system-wide events, such as a user logging on, and object-specific events, such as a user attempting to access a specific file.

The audit policy affects Security event logging for all servers in the domain, because they share the same audit policy. For each event category you can specify whether to log failed events, successful events, or both.
The following table lists the event categories you can audit.

Audit Event Name | Events Audited
---|---
ACCESS | A user accessing a directory or file that is set for auditing; a user sending a print job to a printer that is set for auditing
ACCOUNT_MANAGEMENT | Creating, changing, or deleting a user account or group; renaming, disabling, or enabling a user account; setting or changing a password
LOGONOFF | A user logging on or logging off; a user making a network connection
POLICY_CHANGE | Changing the audit policy; changing a trust relationship; changing user rights policies
PROCESS | Program activation; handle duplication; indirect object access; process exit
SYSTEM | A user starting or restarting a server; a system security event; an event that affects the security log
USER_RIGHTS | A user exercising a user right, such as accessing a file, other than the logon and logoff rights
To display the audit policy for a domain:
Use the SHOW AUDIT POLICY command. For example:
    LANDOFOZ\TINMAN> SHOW AUDIT POLICY
    Audit Policy for domain "LANDOFOZ":
    Auditing is currently Disabled.
    Audit Event states:
    Audit Event          Success    Failure
    -------------------  --------   --------
    ACCESS               Disabled   Disabled
    ACCOUNT_MANAGEMENT   Disabled   Disabled
    LOGONOFF             Disabled   Disabled
    POLICY_CHANGE        Disabled   Disabled
    PROCESS              Disabled   Disabled
    SYSTEM               Disabled   Disabled
    USER_RIGHTS          Disabled   Disabled
    LANDOFOZ\TINMAN>
To enable auditing and set the audit policy for a domain:
Use the SET AUDIT POLICY/AUDIT command. For example, to enable auditing of successful logon and logoff operations, enter the following command.
    LANDOFOZ\TINMAN> SET AUDIT POLICY/AUDIT/SUCCESS=LOGONOFF
    %PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ"
    LANDOFOZ\TINMAN> SHOW AUDIT POLICY
    Audit Policy for domain "LANDOFOZ":
    Auditing is currently Enabled.
    Audit Event states:
    Audit Event          Success    Failure
    -------------------  --------   --------
    ACCESS               Disabled   Disabled
    ACCOUNT_MANAGEMENT   Disabled   Disabled
    LOGONOFF             Enabled    Disabled
    POLICY_CHANGE        Disabled   Disabled
    PROCESS              Disabled   Disabled
    SYSTEM               Disabled   Disabled
    USER_RIGHTS          Disabled   Disabled
    LANDOFOZ\TINMAN>

To enable auditing of all events, use the following command:

    SET AUDIT POLICY/AUDIT/SUCCESS=ALL/FAILURE=ALL
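The following is an added example, not code from the PATHWORKS manual. It parses the table that SHOW AUDIT POLICY prints, compares it with the set of event categories an incident responder would want in the Security event log, and builds a SET AUDIT POLICY command that enables only what is missing, collapsing to ALL when every category is needed. The sample output is the one shown above after LOGONOFF success auditing was enabled. The wanted categories are an assumption, and so is the parenthesised list form /SUCCESS=(A,B): that is normal DCL syntax for multi-valued qualifiers, but this page shows only single events and ALL.

```python
"""Added example (not code from the PATHWORKS manual): parse the table that
SHOW AUDIT POLICY prints, compare it with the event categories we want in
the Security event log, and build the SET AUDIT POLICY command that enables
only what is missing.  The sample output is the one shown on this page; the
wanted categories and the parenthesised list form /SUCCESS=(A,B) (normal DCL
syntax, not shown on this page) are assumptions."""
import re

# Sample copied from this page: SHOW AUDIT POLICY after enabling LOGONOFF.
AUDIT_POLICY_OUTPUT = """\
Audit Policy for domain "LANDOFOZ":
Auditing is currently Enabled.
Audit Event states:
Audit Event          Success    Failure
-------------------  --------   --------
ACCESS               Disabled   Disabled
ACCOUNT_MANAGEMENT   Disabled   Disabled
LOGONOFF             Enabled    Disabled
POLICY_CHANGE        Disabled   Disabled
PROCESS              Disabled   Disabled
SYSTEM               Disabled   Disabled
USER_RIGHTS          Disabled   Disabled
"""

# All categories, in the order the server lists them.
AUDIT_EVENTS = ["ACCESS", "ACCOUNT_MANAGEMENT", "LOGONOFF", "POLICY_CHANGE",
                "PROCESS", "SYSTEM", "USER_RIGHTS"]
# Assumed baseline: who logged on and who changed what (success), and every
# denied or failed action (failure).  PROCESS is left out as the noisiest.
WANT_SUCCESS = {"LOGONOFF", "ACCOUNT_MANAGEMENT", "POLICY_CHANGE"}
WANT_FAILURE = {"ACCESS", "ACCOUNT_MANAGEMENT", "LOGONOFF", "POLICY_CHANGE",
                "SYSTEM", "USER_RIGHTS"}

STATE_LINE = re.compile(r"^([A-Z_]+)\s+(Enabled|Disabled)\s+(Enabled|Disabled)\s*$")


def parse_audit_policy(text):
    """Return (auditing_enabled, {event: (success_on, failure_on)})."""
    enabled = "Auditing is currently Enabled" in text
    states = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line)       # header and dashed lines do not match
        if m:
            states[m.group(1)] = (m.group(2) == "Enabled", m.group(3) == "Enabled")
    return enabled, states


def event_list(events):
    """Format a qualifier value: ALL when every category is named, a bare
    name for one category, otherwise a DCL-style parenthesised list."""
    if set(events) == set(AUDIT_EVENTS):
        return "ALL"
    if len(events) == 1:
        return events[0]
    return "(" + ",".join(events) + ")"


def audit_policy_fixes(enabled, states, want_success=WANT_SUCCESS,
                       want_failure=WANT_FAILURE):
    """Return the SET AUDIT POLICY command that turns on the missing
    categories, or None when auditing is on and the baseline is met.  A
    category absent from the table counts as disabled."""
    missing_s = [e for e in AUDIT_EVENTS
                 if e in want_success and not states.get(e, (False, False))[0]]
    missing_f = [e for e in AUDIT_EVENTS
                 if e in want_failure and not states.get(e, (False, False))[1]]
    if enabled and not missing_s and not missing_f:
        return None
    cmd = "SET AUDIT POLICY/AUDIT"        # /AUDIT turns auditing on if it is off
    if missing_s:
        cmd += "/SUCCESS=" + event_list(missing_s)
    if missing_f:
        cmd += "/FAILURE=" + event_list(missing_f)
    return cmd


if __name__ == "__main__":
    on, table = parse_audit_policy(AUDIT_POLICY_OUTPUT)
    print(audit_policy_fixes(on, table) or "audit policy meets the baseline")
```

Because the audit policy is shared by every server in the domain, one such command on the primary domain controller is enough; rerun the check after a SHOW AUDIT POLICY to confirm the categories now read Enabled.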
2.4 Managing a Server
When you manage a server, you can display server information, send
messages to users, and start and stop services.
2.4.1 Displaying Server Information
You can display information about the server including connections,
user sessions, shared resources, and the software version number.
2.4.1.1 Displaying Connections
As you manage your server, you may need to know which connections are active. A connection is a virtual link between a workstation and a shared resource on a server.
To display existing connections:
Use the SHOW CONNECTIONS command. The SHOW CONNECTIONS command displays information about active connections to the server, including the user name, the computer name, the share name, the number of files the connection has open, and the time the connection has been established.
For example, the following display shows current connections to the shared resource called WIZARD:
    LANDOFOZ\TINMAN> SHOW CONNECTIONS/SHARE=WIZARD
    Connections on server "TINMAN"
    User name         Computer name      Share name      Opens    Time
    ---------------   ----------------   -------------   -----    -----------
    SCARECROW         DOROTHY            WIZARD          2        0 00:04
    Total of 1 connection
    LANDOFOZ\TINMAN>
As you manage your server, you may need to know which sessions are active. A session is a network link between a workstation and a server. A session can have one or more connections to shared resources.

To display existing sessions:

Use the SHOW SESSIONS command. You can include the /SERVER qualifier to display sessions on a specific server. The display includes the connected user, the user's computer, the number of files open, the time the session has been connected, the time it has been idle, and whether the session is a guest session.
For example:
    LANDOFOZ\TINMAN> SHOW SESSIONS/SERVER=WOODMAN
    User sessions on server "WOODMAN":
    Connected Users      Computer    Opens   Time      Idle      Guest
    ------------------   ---------   -----   -------   -------   -----
    ADMINISTRATOR        DOROTHY     1       1 24:54   0 00:00   No
    SCARECROW            DOROTHY     3       0 03:48   0 00:03   No
    Total of 2 connected users
    LANDOFOZ\TINMAN>
The PATHWORKS Advanced Server allows you to display information about shares.
To see shared resources from the current server:
Use the SHOW SHARES command. This command displays the name, type, and description of each shared resource on the server.
For example, the following command displays the shares on the server currently being administered (TINMAN):
    LANDOFOZ\TINMAN> SHOW SHARES
    Shared resources on Server "TINMAN":
    Name        Type        Description
    ---------   ---------   ----------------------------------
    NETLOGON    Directory   Logon Scripts Directory
    RAINBOW     Directory   Local Oz Share
    PWLIC       Directory   PATHWORKS Client License Software
    PWLICENSE   Directory   PATHWORKS Client License Software
    PWUTIL      Directory   PATHWORKS Client-based Utilities
    USERS       Directory   Users Directory
    Total of 6 shares
    LANDOFOZ\TINMAN>
You can verify the version number of PATHWORKS Advanced Server software.
To display the version number of server software on your system:
Use the SHOW VERSION command. For example:
    LANDOFOZ\TINMAN> SHOW VERSION
    PATHWORKS V6.0B for OpenVMS (Advanced Server)
    LANDOFOZ\TINMAN>
This command is valid for PATHWORKS for OpenVMS Advanced Servers only.
2.4.2 Sending Messages to Users
You should send messages to users before you change the operating characteristics of a server. For example, you might send a message before disconnecting users or if you need to stop sharing a resource on a computer. For a message to be sent and received, the Alerter service must be running on the computer sending the message, and the Messenger service must be running on the computer receiving the message.
Note: PATHWORKS for OpenVMS (Advanced Server) does not support the reception of these types of messages.
For example, the following command sends the message "Shutdown at 1 pm today!!!" to the computer called DOROTHY.
    LANDOFOZ\TINMAN> SEND DOROTHY "Shutdown at 1pm today!!!"
    LANDOFOZ\TINMAN>
The message is displayed in a Messenger Service pop-up window on computer DOROTHY in the following form:
    Message from TINMAN to DOROTHY on 8/31/98 11:20 AM
    "Shutdown at 1pm today!!!"
You can also send a message to all users connected to a server with the /USERS qualifier, and name a particular server in your domain with the /SERVER=servername qualifier.
To send a message to users on a specific server:
Use the /USERS and /SERVER qualifiers. For example, the following command sends the message "Shutdown at 1pm today!!!" to all users connected to server WOODMAN.

    LANDOFOZ\TINMAN> SEND/USERS/SERVER=WOODMAN "Shutdown at 1pm today!!!"
    LANDOFOZ\TINMAN>
This command may take a few minutes to complete.
2.4.3 Managing Services
To manage PATHWORKS Advanced Server services, you need to know how to start and stop services and how to configure service startup. Services are set up during server installation and configuration.
You can start and stop each of the services available on the computer and determine whether a service will start up automatically when the system starts. The following table shows the default services provided with PATHWORKS Advanced Server.
Service | Description | Starts by Default | Can Be Paused | Can Be Stopped
---|---|---|---|---
Alerter | Notifies selected users and computers of administrative alerts that occur on this server. Used by the server and other services. | Yes | No | Yes
Browser | Lists network entities, such as domains, computers, and shared resources. | Yes | No | Yes
EventLog | Records system, security, and application events in the event logs, and enables remote access to those logs. Cannot be stopped separately; stops together with the Server service. | Yes | No | No
NetLogon | Verifies the user name and password of each user who attempts to log on to the network or gain access to the server. Synchronizes security databases. | Yes | Yes | Yes
Server | Provides file and print sharing. | Yes | Yes | No
TimeSource | Identifies a server as the time server for a domain. Other computers synchronize their clocks with the time server. | No | No | Yes
The Alerter, NetLogon, and TimeSource services can be enabled and
disabled using the SRVSERVICES keyword in the LANMAN.INI file, as
described in Appendix A, The LANMAN.INI File.
2.4.3.1 Displaying Services
As you manage your server, you may need to know the state of network services.
To display available services:
Use the SHOW SERVICES command. For example:
    LANDOFOZ\TINMAN> SHOW SERVICES
    Services on server "TINMAN":
    Service          Current State
    --------------   ---------------
    ALERTER          Started
    BROWSER          Started
    EVENTLOG         Started
    NETLOGON         Started
    SERVER           Started
    TIMESOURCE
    Total of 6 services
    LANDOFOZ\TINMAN>
Normally, the services listed in the SRVSERVICES keyword of the LANMAN.INI file are started when the server is started. To start a service that has been stopped, use the START SERVICE command. You must spell the service name in full. You must be logged on to a user account that is a member of the Administrators group to perform these operations.
To start a service, use the START SERVICE command. For example:
    LANDOFOZ\TINMAN> START SERVICE TIMESOURCE
    %PWRK-S-SVCSTART, service "TIMESOURCE" started on server "TINMAN"
    LANDOFOZ\TINMAN>
You can suspend execution of the Server and NetLogon services. Unlike stopping a service, pausing does not cancel resource sharing or connections or change settings associated with the service.
Pausing the Server service prevents users from making new connections to the server's shared resources; however, users who have already connected to shared resources can continue to use the resources. To pause the Server service, you must be a member of the Administrators or Server Operators groups. Pausing the Server service does not prevent users who are members of the Administrators group from connecting to the service.
To pause a service, use the PAUSE SERVICE command. For example:

    LANDOFOZ\TINMAN> PAUSE SERVICE SERVER
    Do you really want to pause service "SERVER" [YES or NO](YES): YES
    %PWRK-S-SVCPAUSE, service "SERVER" paused on server "TINMAN"
    LANDOFOZ\TINMAN>