By auditing files and directories on a server, you can track their use and identify any attempted security violations. You can identify who took various types of actions with files and directories and hold those users accountable for their actions.
When a file or directory is audited, audit events are generated and written to the Advanced Server security log for all failed and successful attempts to perform the activities you want to audit.
Through the audit policy you set up, you can enable auditing on the server or domain for the types of directory and file access listed in Table 6-1.
Types of Directory Access | Types of File Access |
---|---|
Displaying contents of the directory | Displaying data in the file |
Displaying directory attributes | Displaying file attributes |
Changing directory attributes | Displaying the file owner and permissions |
Creating subdirectories and files | Changing the file |
Going to the directory's subdirectories | Changing file attributes |
Displaying the directory owner and permissions | Running the file |
Deleting the directory | Deleting the file |
Changing directory owner and permissions | Changing the file owner and permissions |
This chapter offers guidelines on how to set up and share printers in an Advanced Server domain. By planning printer access, you can maximize use of each printer and at the same time avoid printing delays.
Advanced Server printing offers the following features:
Because every network user has occasion to print, network print operations must be efficient and cost effective. The choices that you need to make may include the following:
A computer can act simultaneously as a print server and a file server. The decision to combine print and file servers may depend on security concerns. Although printers should always be available to their users, you may want to locate a file server in a secure place.
On a network of any size, you will most likely concentrate printer
installation at a few select computers. The only special hardware
requirement for print servers is that if you are using parallel or
serial printers, the print servers must have the correct output ports.
7.3 Print Shares
The Advanced Server makes printers available to network users through print shares. Generally, each print share points to a single print queue with the same name as the share. Permissions that you assign to the share are applied automatically to the associated print queue. A share can be accessed over the network by users who have the appropriate permissions, like any other shared resource. Four types of permissions apply to print shares: Print (the default), None (no access), Manage Documents, and Full (full control). For more information, see Section 7.5, Ensuring Print Share Security.
For detailed information about creating, modifying, and managing print
shares, see your Server Administrator's Guide.
7.4 OpenVMS Print Queues
A queue allows users to submit jobs for printing, and in the Advanced Server, access to print queues is through associated print shares. Because the Advanced Server is based on OpenVMS, the print queues associated with Advanced Server print shares are OpenVMS print queues.
OpenVMS print queues include both generic and execution queues. Every OpenVMS printer is associated with one execution queue. In addition, you can use a generic queue when several like printers are available to the user. A generic queue can point to several execution queues and is used to distribute printer workload among several like printers (called a printer pool) by routing a print job to the first available printer through that printer's execution queue. In the Advanced Server, a queue that works like an OpenVMS generic queue is called a routing queue, and a queue that works like an OpenVMS execution queue is called a print queue.
A queue stores print jobs as users submit them. When a printer associated with the queue becomes available, the Advanced Server routes a job to that printer. Printers can be connected directly to the server by a serial or parallel port or directly to the network with a network adapter card. The server's queuing system, providing OpenVMS system information for handling print jobs, mediates between the Advanced Server and the printer so that print jobs can execute while users perform other tasks at their client workstations.
Figure 7-1 shows examples of the share and queue configurations you can create for Advanced Server.
Figure 7-1 Print Shares and Print Queue Configurations
You can share existing OpenVMS queues or create and share new ones. Be aware that Windows NT clients require that a share name and queue name be the same. If you cannot create a share name that equals the OpenVMS queue name (for example, the OpenVMS queue name is more than 12 characters long), you can define a shorter system logical name that equates to the name of the OpenVMS queue, then create a share using the logical name of the queue.
For detailed information about OpenVMS print queues, see the OpenVMS
documentation. For information on sharing queues and printers, see your
Server Administrator's Guide.
7.4.1 Network-Interface Printers
Unlike parallel and serial devices, printers with built-in network
adapter cards do not have to be adjacent to the print server.
Network-interface printers are attached to the network through a
built-in adapter card.
The location of this type of printer has no effect on printing
performance, provided that users and printers are not on opposite
sides of a network bridge. An Advanced Server print server can control a
virtually unlimited number of network-interface printers.
Figure 7-2 shows a network-interface printer configuration.
Figure 7-2 Configuring Network-Interface Printers
7.4.2 How a Shared Print Queue Operates
When a user sends a print job to a print queue through a print share,
the shared print queue sends the print job to the server's queuing
subsystem, which forwards the job to the appropriate printers.
The Advanced Server sends a message to the user indicating the share name and the job ID. The Advanced Server also notifies the user if there are problems with print jobs (if the printer is capable of such notification) or if there are changes in the status of print jobs (such as a pause in the queue).
The Advanced Server lets you create simple print shares that send print jobs to one printer and more sophisticated print shares associated with multiple queues or multiple printers of the same type. When setting up a print share, you should consider the following options:
You can configure print shares associated with print queues in a number of ways. In order of increasing complexity, these include:
You can control permissions on the print shares.
The following sections provide illustrations of the listed print share
configurations.
7.4.3.1 Single Print Share and Print Queue --- Single Printer
The simplest print configuration is one that sends print jobs through a single print share and execution queue to a single printer, as shown in Figure 7-3. To create such a configuration, you must add the print queue, then add a share that allows users to connect to the queue. You specify the same name for the share and for the queue that it points to. (Windows NT requires that the share and queue names be the same.)
The name of a share can be different from the name of the queue it points to in only one situation. If your only printing requirement is to allow users to submit print jobs from non-Windows NT clients, the names of shares and the queues they point to can be different.
Figure 7-3 Single Print Share and Print Queue --- Single Printer
7.4.3.2 Single Print Share with a Single Queue --- Multiple Printers
When print jobs are submitted through a share to a generic or routing
queue associated with multiple printers,
the Advanced Server searches for an available printer and automatically
routes a print job to the execution or print queue of the first
available printer. This is an efficient way to share a group of
printers of the same type (a printer pool). The Alerter service sends a
message to the user indicating when and on which printer the job was
printed.
To create a configuration that includes a generic or routing queue associated with multiple printers, you add a queue and a share with identical names and point the queue to a series of printers.
Figure 7-4 illustrates a single generic or routing queue associated with multiple printers.
Figure 7-4 Single Print Share with a Single Queue --- Multiple Printers
For information on how to share remote printers, see your Server Administrator's Guide.
7.4.3.3 Multiple Shared Queues --- Multiple Printers
You can assign two or more print shares and queues to the same printer or group of printers. This approach is especially useful if you configure the queues differently. For example, you can assign different permissions to different shares.
In the configuration shown in Figure 7-5, Queue A sends jobs to Printers X, Y, and Z; Queue B sends jobs only to Printer Y; and Queue C sends jobs to Printers Y and Z. This configuration offers flexibility and convenience both to the administrator who needs to set up different shares and queues for different purposes and to users who need a share and queue that routes jobs to the next available printer.
Figure 7-5 Multiple Shared Queues --- Multiple Printers
7.5 Ensuring Print Share Security
You can control printer usage through the Advanced Server by setting
permissions for each print share.
When you add or modify a print share, you specify the users or groups
allowed to access the share. The permissions that you set on a share
apply automatically to the queue that the share points to. Any changes
later made to share permissions automatically affect the permissions on
the associated queue.
By default, all the print shares you create are available to every network user (Everyone). Restricting access to a print share requires altering the share's permission settings for a particular group or user. To change permissions on a print share, you must have Full permission.
Four types of permissions apply to print shares:
Permissions granted directly to a user account and those granted by a
user's membership in one or more groups are cumulative; that is,
restrictions filter requests, and the most restrictive permissions
apply. The None (no access) permission overrides all other permissions.
7.6 Setting Up OpenVMS Printers
If a printer is on the network, you must set it up like any OpenVMS
printer. For information on setting up OpenVMS printers, see the
OpenVMS documentation.
7.7 Printing from MS-DOS Computers
Workstations running MS-DOS or versions of Windows for MS-DOS can access Advanced Server printers by redirecting their output ports to the correct \\server\sharename.
If you are sharing printers with MS-DOS workstations, share names must
be no more than eight characters, optionally followed by a period and
one to three characters.
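The naming and permission rules from Sections 7.4, 7.5, and 7.7 can be checked together against an inventory of print shares. The following is an added example, not part of the original guide or of the Advanced Server software; the record layout, the share, queue, and group names, and the `dos_clients` flag are all assumptions made for illustration.

```python
import re

# Section 7.7: at most eight characters, optionally a period and one to three more.
DOS_NAME = re.compile(r"[^.]{1,8}(\.[^.]{1,3})?")
PERMISSIONS = {"Print", "None", "Manage Documents", "Full"}  # the four named in Section 7.5

def review_share(share):
    """Return findings for one share record (the record layout is an assumption)."""
    findings = []
    acl = share["acl"]
    unknown = set(acl.values()) - PERMISSIONS
    if unknown:
        raise ValueError(f"{share['name']}: unknown permission(s) {sorted(unknown)}")
    everyone = acl.get("Everyone")
    if everyone == "None" and len(acl) > 1:
        # None overrides all other permissions, and Everyone covers every network user.
        findings.append("Everyone=None overrides every other grant on this share")
    elif everyone not in (None, "None"):
        # The default grant from share creation has not been restricted.
        findings.append(f"still open to Everyone ({everyone})")
    # Assumption: share and queue names compare case-insensitively.
    if share["name"].upper() != share["queue"].upper():
        findings.append("share and queue names differ (Windows NT clients need them equal)")
    if share["dos_clients"] and not DOS_NAME.fullmatch(share["name"]):
        findings.append("share name is not 8.3 (MS-DOS clients cannot use it)")
    return findings

def review_all(shares):
    """Map each share name to its list of findings."""
    return {s["name"]: review_share(s) for s in shares}

# Constructed inventory for illustration, not taken from a real server.
SHARES = [
    {"name": "LASER1", "queue": "LASER1", "dos_clients": True,
     "acl": {"Everyone": "Print"}},
    {"name": "FINANCE_LN03", "queue": "FINANCE_LN03", "dos_clients": True,
     "acl": {"Finance": "Print", "PrintOps": "Full"}},
    {"name": "HRPRINT", "queue": "HR$LN17_PRINTER", "dos_clients": False,
     "acl": {"HR": "Print", "Administrators": "Full"}},
    {"name": "LOCKED", "queue": "LOCKED", "dos_clients": False,
     "acl": {"Everyone": "None", "Payroll": "Print"}},
]

if __name__ == "__main__":
    for name, findings in review_all(SHARES).items():
        print(name, "->", findings or "ok")
```
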
7.8 Managing Print Queues and Print Jobs
The Advanced Server lets you display a single share, a single queue, a list of all of the server's print queues, or the print jobs in each queue. These capabilities are useful because you may need to stop sharing a print share or queue under any of the following circumstances:
In addition, the Advanced Server has the following capabilities for managing printers and print jobs:
For more information on how to control print jobs, see your Server Administrator's Guide.
This appendix discusses the basic differences you will encounter
between the Advanced Server and Windows NT Server in day-to-day
management of a network that includes both types of servers. These
differences include how individuals are assigned as administrators and
operators, how security works, and how resource permissions map
between the systems.
A.1 Management Tools
The Advanced Server provides the Windows NT server administration tools for managing the network. Using these tools, you can administer the Advanced Server from a Windows 95, Windows 98, or Windows for Workgroups client. You can also administer the Advanced Server from a Windows NT workstation computer that has the Windows NT server administration tools installed, and from a Windows NT Server computer. The tools can also be used to manage Windows NT Server.
Installable versions of the Windows NT server administration tools are
shared automatically by the Advanced Server.
A.1.1 User Account Information
User accounts in Advanced Server domains maintain the same user account
information as Windows NT Server accounts.
A.2 Services
The Advanced Server supports most Windows NT Server services. Table A-1 describes the Windows NT Server services that run on the Advanced Server.
Service | Description |
---|---|
Alerter | Notifies selected users and computers of administrative alerts on a computer. Used by the server and other services. Starts by default. |
EventLog | Records system, security, and application events in the event logs, and enables remote access to those logs. Starts by default. |
Net Logon | Verifies the user name and password of each person who attempts to log on to the network or gain access to the server. Starts by default. |
Server | Provides file, print, and named pipe sharing, and support for remote procedure calls. Starts by default. |
Time Source | Identifies a server as the domain time source. |
A.3 Resource Permissions
This section compares the user-level permission settings available in
Windows NT Server with the security settings that are available in the
Advanced Server, including file, directory, printer, and named pipe
settings. The Advanced Server does not support communication queues.
A.3.1 File and Directory Permissions
Advanced Server file and directory permissions are identical to Windows NT Server file and directory permissions. Both are typically applied in predefined sets, such as Full Control, Read, or Change.
The Advanced Server enhances the file and directory permissions on
Windows NT Server by offering the additional option of enforcing
OpenVMS security.
A.3.2 Printer Permissions
The Advanced Server and Windows NT Server implement identical printer
security. Permissions are assigned to print shares, through which the
user accesses print queues. The available printer permissions are
Print, None, Manage Documents, and Full on Advanced Servers; these
permissions correspond to Print, No Access, Manage Documents, and Full
Control on Windows NT Server.
A.4 Disk Resources Shared by Default
With Windows NT Server and Advanced Server, you can share directories and specify which users can access them. To share a directory, assign a share name to it.
Table A-2 shows share names (or disk resources) that typically are set up automatically in Windows NT Server and Advanced Server. The number of shared resources on your server will vary depending on your implementation.
Windows NT Server | Advanced Server | Description |
---|---|---|
ADMIN$ | ADMIN$ | A special administrative resource for remote administration. All share names that end in a dollar sign ($) are hidden; they do not normally appear when a user displays server resources. |
C$ | C$ | A connection to the root of the file system. On Windows NT Server, this is the local C device. On the Advanced Server, this is PWRK$LMROOT:[LANMAN]. |
d$ | device$ | An administrative share. On Windows NT Server, a single letter from D to Z followed by $ identifies the drive letter; on OpenVMS, the name of the disk device or directory followed by $ identifies the disk. |
IPC$ | IPC$ | Supports interprocess communication. |
LIB | N/A | Contains header files and link-time libraries needed to create applications. Not supported by Advanced Server. |
NETLOGON | NETLOGON | Shares the directory specified by scripts with the share name NETLOGON. |
REPL$ | N/A | On Windows NT Server, this directory is associated with the Directory Replicator service. It is available when the Directory Replicator service is active on the export server. Not supported by Advanced Server. |
USERS | USERS | Contains user home directories. |