Article ID: 86899 - View products that this article applies to.
This article was previously published under Q86899
The following information is taken from the "Getting Started with Microsoft LAN Manager Version 2.1" video included with the LAN Manager version 2.1 package.
LAN MANAGER NETWORKING CONCEPTS =============================== LOCAL AREA NETWORK ================== [For more information, see Chapter 1 of the "Microsoft LAN Manager's Administrator's Guide" (AG) and Chapter 2 of the "Microsoft LAN Manager Installation and Configuration Guide" (ICG).] A PC local area network consists of two or more PCs that have network adapter cards installed and are connected to each other by a system of communication media such as twisted pair telephone wiring or optical fiber. In addition to the base operating system, network software, such as LAN Manager, must be installed to facilitate communication and shared resource access among these networked PCs. NETWORK SERVICES ================ [For more information, see Chapter 2 of the AG and Chapter 2 of the "Microsoft LAN Manager Administrator's Reference" (AR).] LAN Manager is implemented as a series of services built around a core network communications engine. Standard Services ----------------- Each service performs a major network function. The standard LAN Manager package includes all of the services listed here: - Server - Workstation - Netlogon - Replicator - Timesource - Alerter - Messenger - Netpopup - Netrun - UPS - Remoteboot - Fault Tolerance - SNMP - NVAlert - Netware Connectivity - Tape Backup Included among these are the Server service, which enables a PC to make its resources available to users on other network PCs; and the workstation service, which enables network users to access the server's shared resources. Optional Services and Utilities ------------------------------- In addition to the standard services, the LAN Manager product line includes a number of optional services and utilities that may be purchased separately: - Services For Macintosh - Remote Access Service - TCP/IP Utility Suite with Socket API - 3Com Migration Toolkit - LAN Manager Programmer's Toolkit - LAN Manager Visual Basic Programmer's Toolkit The Remote Access Service (RAS), for example, supports dial-in network access from remote workstations. Custom Services and Applications -------------------------------- Because the LAN Manager architecture is based on standard operating systems such as MS-DOS, Windows, and OS/2, you can use the LAN Manager programmer's toolkits (LAN Manager Programmer's Toolkit and LAN Manager Visual Basic Programmer's Toolkit) to quickly and easily develop your own custom network services and applications: - My Service - Your Service - His Network Application - Her Network Application In fact, Microsoft and its development partners have used the LAN Manager Programmer's Toolkit to develop a couple of client-server network applications that Microsoft is pretty proud of: - Microsoft SQL Server - DCA/Microsoft Comm Server WORKSTATION SERVICE =================== [For more information, see Chapters 1 and 2 of the AG.] As you install LAN Manager on each PC, you'll select the services you want to run on that computer. All network PCs will be configured to run at least the Workstation service, which enables access to network resources. When the Workstation service is installed, a computer name (COMPUTERNAME) must be provided that will uniquely identify the PC on the network. Examples of computer names are WORK1, SERVER1, and WORK2. SERVER SERVICE ============== [For more information, see Chapters 2 and 3 of the AG.] At least one of the PCs on your network will be configured to run the Server service. Although a PC running the Server service is often referred to as a "server," it's important to note that with LAN Manager, when a PC is running the Server service, it also continues to run the Workstation service and thus retains full functionality as a network workstation. The Server service enables the PC to make its resources, such as disks, printers, and modems, available to users on other workstations. An important feature of LAN Manager is the ability of the Server service to make a very special resource available. This is the Inter- Process Communication (IPC) resource, which enables networked Named Pipes. A Named Pipes connection between two network PCs allows applications running on the two computers to exchange information directly, without having to write to, or read from the file system. Named Pipes are the foundation for LAN Manager's superior client server architecture. In LAN Manager, setting up a server resource to make it available to network users is called "sharing" the resource. A shared resource, or "share," is assigned a name called the "share name." For example, the WORDDATA directory on SERVER1's hard disk might be shared with the share name WDOC. Share List: Share Name Resource ---------- -------- WDOC c:\worddata Users connect to the share by specifying a local device identifier, such as a drive letter or a printer port, along with the server name and the name of the share to which they want to associate the specified device identifier. This local device connection to a shared server resource is called "using" the share, and the resulting connection is referred to as a "USE." For example, to connect to the WDOC share on SERVER1, a user on WORK2 specifies the unused local drive letter H, the server name SERVER1, and the share name WDOC. The user on WORK2 can now access the directories and files within SERVER1's WORDDATA directory just as if they were being accessed from a locally installed H drive: USE List: Local Drive Letter Server Name Share Name ------------------ ----------- ---------- H: SERVER1 WDOC RESOURCE SECURITY ================= [For more information, see Chapters 3, 4, and 5 in the AG.] Because connection to the network potentially allows any network user to access the server's shared resources, the server must control this access to ensure that only users who have the proper permission can access these resources. When you install LAN Manager, you will be able to choose between two available security schemes to implement this access control. These two schemes are share level and user level security. Share Level Security ==================== [For more information, see Chapter 5 in the AG.] Share level security is a simple security scheme whereby the server allows optional assignment of a password to each share. Any network user that can supply the correct password can then access the share. Owing to the minimal security offered by share level, this security scheme is typically not recommended, and will not be covered in this article. If you need more information on share level security, refer to Chapter 5 of the AG. User Level Security =================== [For more information, see Chapters 3 and 4 in the AG.] User level security permits a much higher level of control over access to server resources. With user security, you can control which users have access to which resources. A user security server maintains a user accounts database with an account for each network user who may want to access the server's resources. The user account contains the user name, password, and other information such as privilege level, which is referred to later in this article. For example, the SERVER1 user accounts database: Name Password ---- -------- Jill jillpass Ted tedpass To make administration easier, group names can be established in the user accounts database, with selected users with similar resource access needs assigned as members of a specific group. In addition to the user accounts database, an access control list is maintained for each server resource. This list specifies what permissions a user or group has been given for the resource. For example, the SERVER1 user accounts database's access control list for C:\WORDDATA: User Account Access Permissions ------------ ------------------ Jill Read only Ted Read, Write, Create, and Delete When a user attempts to connect to or "use" a server share, the server first checks to see if the user's name exists in the user accounts database. If so, the user's password is checked. If both of these security checks pass, the connection completes and the user is allowed access to the shared resource according to the user's permissions in the resource's access control list. For example, users Jill and Ted could both successfully connect to the WDOC share because their names and passwords passed the initial security test. However, user account Jill has been assigned read-only permissions to the WORDDATA directory, so Jill cannot make any changes to files within that directory. User account Ted, on the other hand, has been assigned read, write, create, and delete privileges to the same directory. Local Security -------------- [For more information on local security, see Chapters 3 and 4 in the AG.] An extension of user security is the LAN Manager local security feature. Local security extends the control of user-level security to users working directly on the server. Thus, user security with local security enabled imposes the same resource access control on all users, even those who have direct access to the server's keyboard. PRIVILEGE LEVELS ================ [For more information, see Chapters 3 and 4 in the AG.] In addition to controlling which users can access which resources, LAN Manager must also control which users have rights to perform server administration functions such as creating shares, adding users, and assigning resource access permissions. When user accounts are created, each user is assigned one of three privilege levels: administrator, user, or guest. Admin Privilege --------------- The administrator, or admin privilege, is the highest privilege level on a LAN Manager network. An admin can stop and start server services, establish and modify user accounts and groups, create and delete resource shares, and assign user and group permissions for accessing shared resources. By default, admins have full access permissions on all server resources. For the admin's convenience, LAN Manager has been designed to allow server administration procedures to be performed not only at the server itself, but also remotely from any workstation on the network. User Privilege -------------- User privilege is the default privilege level and is the one that is assigned to most users. This privilege allows a user to use shared server resources (subject, of course, to the user's assigned access permissions) view information about these resources, and send and receive messages. Guest Privilege --------------- The guest privilege is similar to user privilege, but is intended to be assigned to infrequent or temporary users of the server. Each server has a special user account called GUEST. An administrator may explicitly assign resource access permissions for the special GUEST account. When a user with guest privileges accesses a share, that user will automatically inherit the resource access permissions that have been assigned to the special GUEST account.
Article ID: 86899 - Last Review: September 30, 2003 - Revision: 3.0
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.