NT Data Server Security
NEW CONFIGURATION VALUE
In the Control Panel applet, there is an Allow Access checkbox that enables and disables Windows NT user logon and controls how the Data Server accesses files on behalf of the remote user.
USER AUTHENTICATION – SERVER
If Open Access is enabled (default), the Data Server will have the same access (on behalf of the remote user) as the account that started the Data Server. If Open Access is disabled, requiring that an NT User Logon operation be performed, the Data Server will have the same access as the remote user account.
The account that starts the NT Data Server and the remote user accounts require specific privileges to allow the user authentication (Open Access disabled) to work.
To set Privileges:
-
Start the User Manager (Start->Administrative Tools->User Manager).
-
Select User Rights (from menu Policies->User Rights).
-
Check the Show Advanced User Rights check box.
-
Select the appropriate User Right, Add button, and appropriate group/user.
The account that starts the Data Server requires the following privileges (the system account has these privileges by default):
Privilege |
Display Name |
SeTcbPrivilege |
Act as part of the operating system. |
SeAssignPrimary |
Replace a process level token. |
SeIncreaseQuota |
Increase quotas. |
SeServiceSid |
Log on as a service. |
The remote user account needs the following privilege:
Privilege |
Display Name |
SeBatchSid |
Log on as a batch job. |
User Authentication – Client
To support user authentication to NTDS 2.20 and beyond, a new User Definable Data Block (UDDB) must be populated before a connection (the first OPEN) is made to an NT Data Server. The UDDB can contain a simple string with a user= portion that overrides the default user id used by the Data Server, a passwd= section that allows for the specification of a password for authentication by the remote Data Server, and a domain= portion that would specify the domain to be used by the remote Data Server. Some examples are:
A$=STBL("!DSUDDB","user=janeb,passwd=dog,domain=basis")
A$=STBL("!DSUDDB","passwd=dog,domain=basis")
A$=STBL("!DSUDDB","passwd=dog")
From the client, use the PRO/5 OPEN verb to access a remote file. For example, the following opens the autoexec.bat file on the accounts host server:
open(1)"/<server,port=1100>autoexec.bat"