Autodesk Technology Managers Forum
Learning Win2000 Security

Message 1 of 10
Anonymous

Can anyone suggest a primer for understanding how to set up users &
passwords, etc. I'm coming from win98 & have no clue. I'm muddling thru
the help files... We are a small office, half a dozen computers & people
whine about having to login & remember passwords. There aren't any big
security issues where users need to be restricted but I'd like to be
able to take advantage of the system if there are advantages. Otherwise
I might try & figure out how to disable some of this stuff? We will also
be setting up a VPN to a branch office, so I'm thinking the security
features may be important if outside users are coming into our system.

Thanks for any thoughts about how you have it set up or where I could
learn more.
Message 2 of 10
Anonymous
in reply to: Anonymous

If you are accessing files from a shared location (server), you must use
logins so multiple edits are avoided in a single file. This is even more
important with apps like Land Desktop that use project files in addition
to drawing files.

User names and login passwords can be automated once they are set up.
I'm sure the people who whine about security don't leave their keys in
the car at Wal-Mart

--
Karl M. Fuls PLS
Member of the Autodesk Discussion Forum Moderator Program

Message 3 of 10
Anonymous
in reply to: Anonymous

"Paul Furman" wrote in message
news:3A5DEFCB.1709982A@edgehill.net...
> Can anyone suggest a primer for understanding how to set up users &
> passwords, etc. I'm coming from win98 & have no clue. I'm muddling thru

When folks complain about having to login I tell them "Hey, this will make
sure that you and only you are held accountable. Windows can track what you
do. This also helps keep you out of trouble." When I explain why they can't
tell Joe-Next-Cubicle what their login stuff is I ask them "Do you want the
responsibility of what Joe does while logged in as them?" Speak vaguely,
assuming they're not very computer savvy, of viruses and hacking and that
logins are a Good Thing (tm).

[Warning, sort of random, maybe sketchy and simplified]
There are two ways you can handle security (permissions to do things) - by
user or by group. I will assume you have decided to go with each user has
their own personal login name, which will make it easier if you have
something like Exchange Server so their login = their email login.

Example:
A hard drive with each job in a separate folder. In that folder there are
directories like "Admin" and "Drawings". Ex:
Job
Job\Admin
Job\Drawings

Situation 1:
Let's say you have some CAD-only folks you don't want changing stuff in the
job's "Admin" folder, but you do want them to be able to open the stuff as
read-only - say to view the drawing list or a task list. Also say
administrative-only folks have no business in the "Drawings" folder.

Option 1 - by user permissions:
Job: Cad1, Cad2, Admin1, etc = Read (to make folks use the sub folders for
storage)
Job\Admin: Cad1, Cad2, etc = Read (implied by root folder) Admin1, Admin2
= Change (full control can be a bit risky)
Job\Drawings: Cad1, Cad2, etc = Change Admin1, Admin2 = No Access
As you can tell this would become quite a chore to keep up.

Option 2 - by group permissions:
Job: CadGroup, AdminGroup = Read
Job\Admin: CadGroup = Read AdminGroup = Change
Job\Drawings: CadGroup = Change AdminGroup = No Access
This is easier because you simply create the groups, add users into that
group, and then assign permissions to those users in that group.

Situation 2:
Now let's add Bill, the only engineer in the company. You have decided to go
with using Groups to assign permissions in the folders, but Bill needs to be
able to change stuff in "Admin" and view-only stuff in "Drawings".

Option 1:
Add Bill to the AdminGroup and give him Read rights to the "Drawings" folder
via user permissions. This is not bad if you are sure no one else will be
hired or move up and need the same rights. You can mix User & Group
permissions.

Option 2:
Create an EngineerGroup and give it the appropriate rights to said folders
and add Bill to it. This allows you to easily add someone else to the group
and, by doing so, automatically give them the same permissions the group
enjoys.

Note on what permissions take precedence:
General rule is whatever permission gives the least restriction, ie most
access, takes precedence.
Example:
Jane is the manager for a project's drawings and she draws. This means she
needs access to the "Drawings" directory and rights to modify the drawing
list in the "Admin" folder. (Why is the drawing list in the admin folder?
Don't ask.)

Jane is only a member of CadGroup, but you have given her user rights to
change stuff in the "Admin" folder. Change takes precedence because it is the
least restrictive.

Note on "local" permissions vs share permissions:
Assuming you have a certain computer that everyone accesses via shared
folders or drives (mapped to a drive or not) to get files. The permission
that is the most restrictive takes precedence.
Example:
The D-drive on the file "server" computer is shared as "Projects". If the
share permissions are CadGroup = Read and the "Job\Drawings" folder is
CadGroup = Change then Read takes precedence because it is the most
restrictive. This occurs even if Jane has the "Projects" share mapped to the
F-drive on her computer.

Typically with shares I give the group Authenticated Users, which everyone
is automatically a member of, Change permissions and then use the hard drive &
folder permissions to restrict them.

Difference between Authenticated Users, & Everyone - groups that don't
appear in User Manager but exist when you assign permissions:

Authenticated Users: When a user logs in to an NT or 2000 machine they have
been authenticated. Hence they are automatically a part of this group. It is
better to use this group than Everyone, see below. This group did not exist
until NT 4 service pack 3(?).

Everyone: Includes all users added in User Manager. However it also allows
for anonymous logins, which is why it is not a good idea to use this group.
See http://www.ntsecurity.net/ and look for Red Button.

Local default groups you see in User Manager - User, Domain User, Power
User, Administrator:
User = By default this group has no rights to install programs, change some
(NT 4) or almost all (2000) of the registry, change certain settings, and
create shares. They can change their desktop wallpaper & screen saver, add
shared printers that have the drivers setup, run-but-not-use administrative
tools. If a computer is part of a domain, the Domain User group will appear
in here.

Domain Users only appears on Windows NT 4 Server or Windows 2000 server
versions. When users are added on the "domain controller", ie the primary
server of a domain name (not the same as an internet domain, but more like
the group a workstation belongs to though not exactly), they automatically
are a part of this group.

Power User: Adds ability to share folders & printers, change a few more
settings, change more of the registry. Still cannot use the administrative
tools. Might be able to defrag in 2000, but I'm not sure. Note: In 2000
Professional to run AutoCAD your users will probably have to belong to this
group.

Administrator: Full rights to everything. Always install programs with this
right. Not recommended for daily use though. Has access to hidden
administrative shares, ie \\computer_name\c$, through the share via another
computer. I recommend, for the computer admin person, one login name for
administrating the computer(s) and one that's only in User or Power User.

What if I have a server, ie NT 4 Server or 2000 server version? How do I
give all users Power User permission only on the local computer and not the
server? (Not applicable in a peer-to-peer environment where the NT/2000
machines are only part of a group and not part of a domain):
On the server, add the users to the Domain User group.
Then, on each machine, add the Domain User group from the server to the
local Power User group.

In the case where a machine is part of a Domain, there is no need to also
setup logins on each machine via that machine's User Manager. The computer
will instead "look" at the server to get the login information.

Enjoy,
Stef
--
mailto: yodersj@ipass.net || Drafter, Leather-worker
http://www.ipass.net/~yodersj/ || Dos, Win, LT
in progress http://computerhowto.homestead.com/
RFC 1855, section 3.1.1, item 10 at http://www.faqs.org/rfcs/
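The precedence rules in the post above (allow entries for the user and all of their groups add up; the share permission and the folder permission are intersected; "No Access" is a deny), plus the drop-box folder idea raised later in the thread, as an added Python model. This is not code from the thread and issues no Windows commands; it evaluates small hand-built ACLs so the rules can be checked against concrete cases. The user names, the "RemoteOffice" group and the reduced rights vocabulary are assumptions for illustration. The precedence behaviour is that of NT 4 / Windows 2000 ACL evaluation, including one thing the "least restrictive wins" rule of thumb leaves out: a deny entry beats an allow entry, so Situation 2, Option 1 (Bill in AdminGroup plus a per-user Read on Drawings, where AdminGroup has No Access) leaves Bill with nothing; Option 2, a separate EngineerGroup, avoids that trap.

```python
# Added example, not code from the thread: a model of how NT/2000 folder (NTFS)
# permissions and share permissions combine, using the thread's own layout
# (Job\Admin, Job\Drawings, CadGroup, AdminGroup, the "Projects" share).
# User names and the "RemoteOffice" group are assumptions for illustration.
from dataclasses import dataclass
from enum import Flag, auto


class Right(Flag):
    READ = auto()      # list folder / read file data
    WRITE = auto()     # create files / write data
    EXECUTE = auto()   # traverse folder / run program
    DELETE = auto()


NONE = Right(0)
READ = Right.READ | Right.EXECUTE           # "Read" in the NT 4 / 2000 GUI
CHANGE = READ | Right.WRITE | Right.DELETE  # "Change"
DROPBOX = Right.WRITE | Right.EXECUTE       # add files, never list or delete


@dataclass(frozen=True)
class Ace:
    trustee: str         # user or group name
    rights: Right
    deny: bool = False   # True models NT 4 "No Access" or a 2000 Deny entry


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    authenticated: bool = True  # False models an anonymous (null-session) client

    def tokens(self):
        # Everyone covers anonymous logons too (NT 4 / 2000); Authenticated
        # Users only covers real logons, which is why the thread prefers it.
        t = {self.name, "Everyone", *self.groups}
        if self.authenticated:
            t.add("Authenticated Users")
        return t


def acl_access(acl, user):
    """Union the allows for the user and all their groups (the thread's
    "least restrictive wins"), then subtract denies: a canonical NT/2000 ACL
    lists denies first, so "No Access" on any matching trustee beats an allow."""
    tokens, allowed, denied = user.tokens(), NONE, NONE
    for ace in acl:
        if ace.trustee in tokens:
            if ace.deny:
                denied |= ace.rights
            else:
                allowed |= ace.rights
    return allowed & ~denied


def network_access(share_acl, folder_acl, user):
    """Through a share both checks must pass, so the result is the intersection
    (the more restrictive), whatever drive letter the share is mapped to."""
    return acl_access(share_acl, user) & acl_access(folder_acl, user)


# The thread's Option 2 layout (group permissions) and its share setting.
JOB_ADMIN = [Ace("CadGroup", READ), Ace("AdminGroup", CHANGE)]
JOB_DRAWINGS = [Ace("CadGroup", CHANGE), Ace("AdminGroup", CHANGE, deny=True)]
PROJECTS_SHARE = [Ace("Authenticated Users", CHANGE)]
DROPBOX_FOLDER = [Ace("RemoteOffice", DROPBOX)]

jane = User("Jane", frozenset({"CadGroup"}))
bill = User("Bill", frozenset({"AdminGroup"}))  # Situation 2, Option 1
pat = User("Pat", frozenset({"RemoteOffice"}))  # someone in the branch office


def jane_admin_rights():
    # Jane is only in CadGroup (Read) but has her own Change entry: union -> Change.
    return acl_access(JOB_ADMIN + [Ace("Jane", CHANGE)], jane)


def jane_drawings_via_read_share():
    # Share CadGroup=Read, folder CadGroup=Change -> Read, the more restrictive.
    return network_access([Ace("CadGroup", READ)], JOB_DRAWINGS, jane)


def bill_drawings_rights():
    # Bill is in AdminGroup, which has "No Access" (a deny) on Drawings; his
    # per-user Read entry cannot override that, so he gets nothing.
    return network_access(PROJECTS_SHARE, JOB_DRAWINGS + [Ace("Bill", READ)], bill)


def dropbox_rights():
    # Branch-office users can add files to the drop box but not list or delete.
    return network_access(PROJECTS_SHARE, DROPBOX_FOLDER, pat)


def anonymous_rights(trustee):
    # The same Read grant to "Everyone" vs "Authenticated Users", as seen by a
    # null-session client: only the Everyone grant exposes anything.
    anon = User("ANONYMOUS LOGON", frozenset(), authenticated=False)
    return network_access([Ace(trustee, CHANGE)], [Ace(trustee, READ)], anon)
```

Each scenario function returns the effective rights for that case; call them from an interpreter or a small test. The anonymous-logon membership in Everyone reflects NT 4 and Windows 2000; XP and later removed anonymous logons from Everyone by default, which is exactly the exposure the "Red Button" reference in the post is about.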
Message 4 of 10
Anonymous
in reply to: Anonymous

Uhhhhh Ummmmm

I think I'm getting the gist but wow. I've got a headache now. 🙂

I'm hoping to be making the transition from 98 to 2000 sometime this year and
reading these insights is exactly what I like to see.

cj

Message 5 of 10
Anonymous
in reply to: Anonymous

"CJ Follmer" wrote in message
news:EF745D8FDB3162BDA1317E8B5485E870@in.WebX.SaUCah8kaAW...
> Uhhhhh Ummmmm
>
> I think I'm getting the jist but wow. I've got a headache now. 🙂
>
> I'm hoping to be making the transition from 98 to 2000 sometime this year
> and reading these insights is exactly what I like to see.

Now if you are a home user or basically not worried about security/user
rights, you can install Windows 2000 Professional so that its security
setup is the same as Win9x - ie none.

Enjoy,
Stef
Message 6 of 10
Anonymous
in reply to: Anonymous

We have a peer to peer setup. If we get a snap server, can access to those
folders be controlled by setting it up as a domain? I'm guessing not, that the
server would need to be an actual win2k machine. The server currently is a win98
workstation, so I might be able to control that if we had a domain? Or I can
only control my own machine? At this point I think we might just have everyone
be a power user except two administrators. The folks in the remote office would
need to be able to copy files to our folder so I guess they need to be users &
there is no way to keep them from deleting our files but I suppose that's OK, I
know & trust them... or I could set up a drop box folder for them to upload to.
Ah ha, I'm getting it now ; - )

Now, if we ever get the vpn going, we might even invite consultants or clients
to jump into our computers with read only access to the folders that relate to
their jobs. Now that's what I would call useful.

BTW, that was of course a verrry helpful little primer!
Message 7 of 10
Anonymous
in reply to: Anonymous

"Paul Furman" wrote in message
news:3A5E2040.FFF5051@edgehill.net...
> We have a peer to peer setup. If we get a snap server, can access to those
> folders be controlled by setting it up as a domain? I'm guessing not, that the

My guess would be not because the Snap Server, I think, would look for the
domain controller for the permissions. But I'm not sure. Maybe someone who
has one can verify it for you.


> Or I can
> only control my own machine?
Yes, you'll only be able to setup users and assign rights per computer that
is NT/2000. Win9x shares only have the option of Read, Full, or
per-password. Though you can turn on "users" with Win9x, so each user's
desktop and certain application settings are per the login, you can't do
permissions like NT/2000.

> The folks in the remote office would need to be able to copy files to our
> folder so I guess they need to be users & there is no way to keep them from
> deleting our files but I suppose that's OK, I know & trust them... or I could
> set up a drop box folder for them to upload to.
There are advanced permissions, ie more detailed, but they don't work quite
as smooth as Novell's do IMO. You can specify directory and/or file access
to be Read, Write, Execute, and Delete. So for the file permissions you
could have Read & Write. You may have to specify this for the directory
permissions as well, but I can't remember. Personally I'd do a drop box
folder for them.


> Now, if we ever get the vpn going, we might even invite consultants or
> clients to jump into our computers with read only access to the folders that
> relate to their jobs. Now that's what I would call useful.

And it could be dangerous. Say you have a drawing you are working on and
trying to figure out how to do something. What if they grab that one? First
it's in progress. Second you may have a few options drawn so which one
should they use? This is why we use our web site and specifically copy over
what we want others to be able to get at. Also, each contractor has their
own directory for the job so they can take care of their own files.

Enjoy,
Stef
Message 8 of 10
Anonymous
in reply to: Anonymous

Take a look at e-smith. www.e-smith.com. It's easy to install and administer. It's a free
download. I use it for a server at home. It handles my e-mail, web, ftp, and file server needs.

Dan Elkins
Message 9 of 10
Anonymous
in reply to: Anonymous

Wow, that's enticing:
`It's so simple, it's hilarious'

Message 10 of 10
Anonymous
in reply to: Anonymous

"Paul Furman" wrote in message
news:3A5E7B4D.3255A78D@edgehill.net...
> Wow, that's enticing:
It's based on Red Hat's Linux Distribution. As long as they've got the
install process pretty well prompted, it should be as easy as they claim. I
would, however, check and see when they will be updating with the new
kernel. Probably not needed in your case, but...

Enjoy,
Stef
