LAN MANAGER NETWORKING CONCEPTS
===============================

LOCAL AREA NETWORK
==================

[For more information, see Chapter 1 of the "Microsoft LAN Manager's
Administrator's Guide" (AG) and Chapter 2 of the "Microsoft LAN
Manager Installation and Configuration Guide" (ICG).]

A PC local area network consists of two or more PCs that have network
adapter cards installed and are connected to each other by a system of
communication media such as twisted pair telephone wiring or optical
fiber. In addition to the base operating system, network software, such
as LAN Manager, must be installed to facilitate communication and shared
resource access among these networked PCs.

NETWORK SERVICES
================

[For more information, see Chapter 2 of the AG and Chapter 2 of the
"Microsoft LAN Manager Administrator's Reference" (AR).]

LAN Manager is implemented as a series of services built around a core
network communications engine.

Standard Services
-----------------

Each service performs a major network function.
The standard LAN Manager package includes all of the services listed
here:

   - Server
   - Workstation
   - Netlogon
   - Replicator
   - Timesource
   - Alerter
   - Messenger
   - Netpopup
   - Netrun
   - UPS
   - Remoteboot
   - Fault Tolerance
   - SNMP
   - NVAlert
   - Netware Connectivity
   - Tape Backup

Included among these are the Server service, which enables a PC to
make its resources available to users on other network PCs; and the
workstation service, which enables network users to access the
server's shared resources.

Optional Services and Utilities
-------------------------------

In addition to the standard services, the LAN Manager product line
includes a number of optional services and utilities that may be
purchased separately:

   - Services For Macintosh
   - Remote Access Service
   - TCP/IP Utility Suite with Socket API
   - 3Com Migration Toolkit
   - LAN Manager Programmer's Toolkit
   - LAN Manager Visual Basic Programmer's Toolkit

The Remote Access Service (RAS), for example, supports dial-in network
access from remote workstations.

Custom Services and Applications
--------------------------------

Because the LAN Manager architecture is based on standard operating
systems such as MS-DOS, Windows, and OS/2, you can use the LAN Manager
programmer's toolkits (LAN Manager Programmer's Toolkit and LAN
Manager Visual Basic Programmer's Toolkit) to quickly and easily
develop your own custom network services and applications:

   - My Service
   - Your Service
   - His Network Application
   - Her Network Application

In fact, Microsoft and its development partners have used the LAN
Manager Programmer's Toolkit to develop a couple of client-server
network applications that Microsoft is pretty proud of:

   - Microsoft SQL Server
   - DCA/Microsoft Comm Server

WORKSTATION SERVICE
===================

[For more information, see Chapters 1 and 2 of the AG.]

As you install LAN Manager on each PC, you'll select the services you
want to run on that computer.
All network PCs will be configured to run at least the Workstation
service, which enables access to network resources.

When the Workstation service is installed, a computer name
(COMPUTERNAME) must be provided that will uniquely identify the PC on
the network. Examples of computer names are WORK1, SERVER1, and WORK2.

SERVER SERVICE
==============

[For more information, see Chapters 2 and 3 of the AG.]

At least one of the PCs on your network will be configured to run the
Server service. Although a PC running the Server service is often
referred to as a "server," it's important to note that with LAN
Manager, when a PC is running the Server service, it also continues to
run the Workstation service and thus retains full functionality as a
network workstation.

The Server service enables the PC to make its resources, such as
disks, printers, and modems, available to users on other workstations.

An important feature of LAN Manager is the ability of the Server
service to make a very special resource available. This is the
Inter-Process Communication (IPC) resource, which enables networked
Named Pipes.

A Named Pipes connection between two network PCs allows applications
running on the two computers to exchange information directly, without
having to write to, or read from the file system. Named Pipes are the
foundation for LAN Manager's superior client server architecture.

In LAN Manager, setting up a server resource to make it available to
network users is called "sharing" the resource. A shared resource, or
"share," is assigned a name called the "share name." For example, the
WORDDATA directory on SERVER1's hard disk might be shared with the
share name WDOC.

   Share List:

   Share Name   Resource
   ----------   --------
   WDOC         c:\worddata

Users connect to the share by specifying a local device identifier,
such as a drive letter or a printer port, along with the server name
and the name of the share to which they want to associate the specified
device identifier.
This local device connection to a shared server resource is called
"using" the share, and the resulting connection is referred to as a
"USE." For example, to connect to the WDOC share on SERVER1, a user on
WORK2 specifies the unused local drive letter H, the server name
SERVER1, and the share name WDOC. The user on WORK2 can now access the
directories and files within SERVER1's WORDDATA directory just as if
they were being accessed from a locally installed H drive:

   USE List:

   Local Drive Letter   Server Name   Share Name
   ------------------   -----------   ----------
   H:                   SERVER1       WDOC

RESOURCE SECURITY
=================

[For more information, see Chapters 3, 4, and 5 in the AG.]

Because connection to the network potentially allows any network user
to access the server's shared resources, the server must control this
access to ensure that only users who have the proper permission can
access these resources.

When you install LAN Manager, you will be able to choose between two
available security schemes to implement this access control. These two
schemes are share level and user level security.

Share Level Security
====================

[For more information, see Chapter 5 in the AG.]

Share level security is a simple security scheme whereby the server
allows optional assignment of a password to each share. Any network
user that can supply the correct password can then access the share.

Owing to the minimal security offered by share level, this security
scheme is typically not recommended, and will not be covered in this
article. If you need more information on share level security, refer
to Chapter 5 of the AG.

User Level Security
===================

[For more information, see Chapters 3 and 4 in the AG.]

User level security permits a much higher level of control over access
to server resources. With user security, you can control which users
have access to which resources.

A user security server maintains a user accounts database with an
account for each network user who may want to access the server's
resources.
The user account contains the user name, password, and other
information such as privilege level, which is referred to later in this
article. For example, the SERVER1 user accounts database:

   Name   Password
   ----   --------
   Jill   jillpass
   Ted    tedpass

To make administration easier, group names can be established in the
user accounts database, with selected users with similar resource
access needs assigned as members of a specific group.

In addition to the user accounts database, an access control list is
maintained for each server resource. This list specifies what
permissions a user or group has been given for the resource.

For example, the SERVER1 user accounts database's access control list
for C:\WORDDATA:

   User Account   Access Permissions
   ------------   ------------------
   Jill           Read only
   Ted            Read, Write, Create, and Delete

When a user attempts to connect to or "use" a server share, the server
first checks to see if the user's name exists in the user accounts
database. If so, the user's password is checked. If both of these
security checks pass, the connection completes and the user is allowed
access to the shared resource according to the user's permissions in
the resource's access control list.

For example, users Jill and Ted could both successfully connect to the
WDOC share because their names and passwords passed the initial
security test. However, user account Jill has been assigned read-only
permissions to the WORDDATA directory, so Jill cannot make any changes
to files within that directory. User account Ted, on the other hand,
has been assigned read, write, create, and delete privileges to the
same directory.

Local Security
--------------

[For more information on local security, see Chapters 3 and 4 in the
AG.]

An extension of user security is the LAN Manager local security
feature. Local security extends the control of user-level security to
users working directly on the server.
Thus, user security with local security enabled imposes the same
resource access control on all users, even those who have direct access
to the server's keyboard.

PRIVILEGE LEVELS
================

[For more information, see Chapters 3 and 4 in the AG.]

In addition to controlling which users can access which resources, LAN
Manager must also control which users have rights to perform server
administration functions such as creating shares, adding users, and
assigning resource access permissions.

When user accounts are created, each user is assigned one of three
privilege levels: administrator, user, or guest.

Admin Privilege
---------------

The administrator, or admin privilege, is the highest privilege level
on a LAN Manager network. An admin can stop and start server services,
establish and modify user accounts and groups, create and delete
resource shares, and assign user and group permissions for accessing
shared resources.

By default, admins have full access permissions on all server
resources. For the admin's convenience, LAN Manager has been designed
to allow server administration procedures to be performed not only at
the server itself, but also remotely from any workstation on the
network.

User Privilege
--------------

User privilege is the default privilege level and is the one that is
assigned to most users. This privilege allows a user to use shared
server resources (subject, of course, to the user's assigned access
permissions), view information about these resources, and send and
receive messages.

Guest Privilege
---------------

The guest privilege is similar to user privilege, but is intended to
be assigned to infrequent or temporary users of the server. Each
server has a special user account called GUEST. An administrator may
explicitly assign resource access permissions for the special GUEST
account.

When a user with guest privileges accesses a share, that user will
automatically inherit the resource access permissions that have been
assigned to the special GUEST account.
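
The two-stage check described under "User Level Security" and
"Privilege Levels", as a small Python model. This is an added example,
not LAN Manager code: the function names, the Visitor and Admin1
accounts, and the GUEST entry in the access control list are
assumptions; Jill, Ted, WDOC and c:\worddata come from the tables above.

```python
import hmac

# Constructed sample data. Jill and Ted mirror the article's tables;
# Visitor and Admin1 are hypothetical. Passwords are held in clear only
# to mirror the article's table.
ACCOUNTS = {
    "Jill": {"password": "jillpass", "privilege": "user"},
    "Ted": {"password": "tedpass", "privilege": "user"},
    "Visitor": {"password": "visitpass", "privilege": "guest"},
    "Admin1": {"password": "adminpass", "privilege": "admin"},
}
SHARES = {"WDOC": r"c:\worddata"}
ACL = {
    r"c:\worddata": {
        "Jill": {"read"},
        "Ted": {"read", "write", "create", "delete"},
        "GUEST": {"read"},  # hypothetical entry for the special GUEST account
    }
}
ALL_PERMS = {"read", "write", "create", "delete"}


def connect(user, password, share):
    """Stage 1: the 'use' completes only if the account exists and the password matches."""
    account = ACCOUNTS.get(user)
    if account is None or share not in SHARES:
        return None
    if not hmac.compare_digest(account["password"].encode(), password.encode()):
        return None
    return {"user": user, "privilege": account["privilege"],
            "resource": SHARES[share]}


def allowed(session, operation):
    """Stage 2: each operation is checked against the resource's access control list."""
    if session is None:
        return False
    if session["privilege"] == "admin":
        return operation in ALL_PERMS  # admins have full access by default
    # Guest-privilege users inherit the permissions assigned to GUEST.
    name = "GUEST" if session["privilege"] == "guest" else session["user"]
    return operation in ACL.get(session["resource"], {}).get(name, set())
```

A successful connection is therefore not the same as write access: Jill
connects to WDOC but is refused any operation other than read.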
Article ID: 86899 - Last Review: 09/30/2003 17:13:57 - Revision: 3.0