Netware 3.12 Install
12 Installation
Page references in this section refer to Chapter 15: CNE Training Guide: Networking Technologies, 3rd. Ed. Debra Niedermiller-Chaffins.
INSTALLATION -
Hardware Configuration: do you have enough memory and disk space?
HARD DRIVES: types of hard drives:
1) IDE - Integrated Drive Electronics
2) ESDI - Enhanced Small Device Interface
3) SCSI - Small Computer Systems Interface
The hard disk must be partitioned. Usually there will already be a DOS partition taking up the entire disk. You will want to repartition the hard disk using FDISK to create a 10 MB partition for DOS. The remainder of the disk will be used for Netware.
BEFORE CREATING A NEW DOS PARTITION:
1) Partitioning destroys the operating system on the hard disk. Copy the MS-DOS system files that will allow you to reboot if necessary.
2) Make a boot disk (that will contain COMMAND.COM). This will get you back up and running if you have to re-boot MS-DOS. Be sure that the boot disk contains: COMMAND.COM, FORMAT.COM, FDISK.EXE
3) Make sure that you have a copy of the CD-ROM driver if you intend to use the CD-ROM for the Netware installation.
4) Make sure you have a copy of CONFIG.SYS and AUTOEXEC.BAT
NETWORK INTERFACE CARD: 1) You usually have to set the IRQ and the I/O address. To check the existing use of interrupts and port addresses, use the COMCHECK diagnostic supplied by Novell.
INSTALLING NETWARE 3.12
Creating a DOS Partition: Run FDISK from MS-DOS.
FDISK: Option 3 - delete any existing partitions on the hard drive.
Option 1 - Create a primary DOS partition on the hard drive of approximately 10 MB.
Option 2 - Make the DOS partition active.
REBOOT using the SYSTEM-1 diskette.
FORMAT the newly partitioned drive:
A:>format C:/X/S
The new 10 MB DOS partition has now been formatted. After the new DOS partition has been created, copy the MS-DOS system files back onto the new DOS partition.
On the HOST machine, the CONFIG.SYS file should read as follows. Notice that the line containing EMM386.EXE is commented out. Netware doesn't want any DOS memory manager loaded, since SERVER.EXE takes over memory management itself!
Typical CONFIG.SYS:
DEVICE=c:\DWCFGMG.SYS
DEVICE=c:\HIMEM.SYS
DEVICEHIGH=c:\POWER.EXE
rem DEVICE=C:\EMM386.EXE NOEMS X=F000-F7FF
DEVICEHIGH=c:\SETVER.EXE
DEVICEHIGH=c:\IFSHLP.SYS
DOS=HIGH,UMB
STACKS=9,256
FILES=50
BUFFERS=10
LASTDRIVE=Z
DEVICEHIGH=c:\MTMCDAI.SYS /D:MTMIDE01
Typical AUTOEXEC.BAT. Notice that the lines that start the server have been commented out! The student should do that manually!
@ECHO OFF
LH c:\MSCDEX.EXE /S /D:MTMIDE01 /M:10
PROMPT $P$G
LH c:\SMARTDRV.EXE 2048 128
SET MSINPUT=c:\MSINPUT
rem :BEGIN_SERVER
rem C:
rem cd C:\SERVER.312
rem SERVER
rem :END_SERVER
NETWARE INSTALLATION
1) Boot the MS-DOS system from C:
2) Go into D:\NETWARE.312\ENGLISH
D:
D:> cd \netware.312\english
3) Run INSTALL.BAT
D:>INSTALL
INSTALL NEW NETWARE 3.12 [Y]
Retain Current Disk Partitions [Y]
a) Name the server: <see pg 739> MY_SERVER
b) IPX INTERNAL NETWORK NUMBER <see pg. 741, pg. 402>: Each Netware 3.x server must have an internal network number, which produces an address for routing traffic inside the server itself. No hardware is associated with this number. It must be unique for each server on an internet. It consists of 8 HEX digits. The system will assign a number; please make a note of it, you may need it later. After installation, this number will appear in AUTOEXEC.NCF as follows:
IPX INTERNAL NET 300ACE2C
c) Specify the target directory: C:\SERVER.312
COPYING Server boot files to DOS Partition
COUNTRY CODE: 001 (United States of America)
CODE PAGE: 437 (United States English)
KEYBOARD MAPPING: NONE
<F10> to accept
d) Choose one of two file name formats: Netware supports the MS-DOS file name format, in which all MS-DOS file names are compatible, and a Netware file name format <see pg. 744>. I believe it is best to stay with the MS-DOS format.
e) Two files contain configuration information used by the SERVER when it starts: STARTUP.NCF and AUTOEXEC.NCF. STARTUP.NCF lives on the DOS partition next to SERVER.EXE (it loads the disk driver before any Netware volume is mounted); AUTOEXEC.NCF lives in SYS:SYSTEM. This option allows you to change or add commands to these files. SAY NO! It may be done at a later time.
f) Specify whether or not AUTOEXEC.BAT should start the server. This option merely adds the command to AUTOEXEC.BAT to run SERVER.EXE. JUST SAY NO! It may be entered into AUTOEXEC.BAT at a later time. For now, we want to start the server manually, not when the system is booted!
SERVER.EXE accepts the following switches:
-NA prevents AUTOEXEC.NCF from executing
-NS prevents STARTUP.NCF from executing
-C modifies the CACHE buffer size
Now SERVER.EXE will be invoked: Loading MY_SERVER
MORE BACKGROUND INFORMATION:
CACHE BUFFER SIZE - Performance may be enhanced by increasing this parameter to 8K or 16K. The default is 4K bytes. It should match the block allocation size. A cache buffer size greater than the block allocation size will decrease performance and waste memory. This parameter may be changed in STARTUP.NCF using the following:
SET CACHE BUFFER SIZE = n
BLOCK ALLOCATION SIZE: Files are stored on disk in disk blocks. The size of these blocks can be set to different sizes. When the block allocation size is set to 8K bytes and a file is 3K bytes, 5K bytes are wasted. When the block allocation size is set too low, there is greater CPU overhead in handling (reading/writing) large files. The default size is 4K bytes, although the block allocation size may be set to 8K (8192) or 16K (16384) and may be changed through INSTALL.NLM (VOLUME OPTIONS). BE CAREFUL!!! Changing this option is destructive to any existing files on the volume. If you intend to change this parameter, you must perform a backup first. Be WISE! Leave it at the default 4K bytes.
Now SERVER.EXE is running and you will get the prompt MY_SERVER: <Now load the IDE driver>
MY_SERVER: load isadisk <Use this one if in doubt, or on ordinary PCs with IDE drives>
I/O PORT: 1F0 <Enter>
Supported Interrupts...
INTERRUPT NUMBER: E <Enter>
NOW: Start the actual installation.
MY_SERVER: load install <Enter>
INSTALLATION OPTIONS: <pg. 752>
[DISK OPTIONS]
Volume Options
System Options
Product Options
Exit
AVAILABLE DISK OPTIONS
Format
[PARTITION TABLE]
Mirroring
Surface Test
Return To Main Menu
PARTITION OPTIONS
[CHANGE HOT FIX]
Create Network Partition
Delete Partition
Return To Main Menu
HOT FIX - is used with Netware's "read-after-write" verification, which checks that data just written to disk matches the data still in memory. If they differ, Hot Fix rewrites the data into the Hot Fix Redirection Area and records the bad block in the hard disk's Bad Block Table (so that the block is never used again). This option allows modification of the size of the Hot Fix Redirection Area, a percentage of available disk space reserved for this redirection of bad blocks (pg. 634). Novell suggests not making it smaller than the default.
PARTITION OPTIONS
Change Hot Fix
[CREATE NETWORK PARTITION]
Delete Partition
Return To Main Menu
Create Network Partition [Y]
CREATE NETWARE PARTITION - Displays the available disk space. You are allowed only 1 Netware partition per disk. Ordinarily, all free space on each disk is used. Create a Netware partition and return to INSTALLATION OPTIONS.
Next, create volumes.
INSTALLATION OPTIONS:
Disk Options
[VOLUME OPTIONS]
System Options
Product Options
Exit
<INS> for New Volume:
Volume Name: SYS
The first Netware volume must be named SYS.
Volume Block Size is the BLOCK ALLOCATION SIZE; just leave it at 4K.
Volume Block Size: 4K
Volume Segment: <Enter>
VOLUME SEGMENTS <INSERT KEY>
NEW VOLUME SEGMENT SIZE (4K BLOCKS): 25600 <Enter>
This creates a volume of 100 MB (25600 blocks x 4K).
Initial Segment Size: 25600 Blocks (approx. 100 MB)
Initial Segment Size: 10000 Blocks (approx. 40 MB)
TO ACCEPT <ESC>
A volume will occupy a partition (or part of it), or a volume may span more than one disk. Think of a volume as a "virtual" or "logical" disk. By mounting a volume you place a logical disk on-line. By dismounting a volume the disk is placed off-line, making it unavailable for use.
CREATE VOLUME: YES
STATUS: [MOUNTED]
Repeat the above and create volume APPL for applications.
Repeat the above and create volume USERS for users.
Next, go to SYSTEM OPTIONS to copy the system files to the SYS volume.
INSTALLATION OPTIONS:
Disk Options
Volume Options
[SYSTEM OPTIONS]
Product Options
Exit
AVAILABLE SYSTEM OPTIONS
[COPY SYSTEM AND PUBLIC FILES]
Create AUTOEXEC.NCF File
Create STARTUP.NCF File
Edit AUTOEXEC.NCF File
Edit STARTUP.NCF File
Return To Main Menu
Copy files to the new server.
INSERT Netware 3.12 INSTALL Diskette in A: <Esc to Abort> <Enter to Continue> <Press F6 if installing from CD-ROM>
If installing from CD-ROM, SPECIFY DRIVE... D:\NETWARE.312\ENGLISH
If all goes well: FILE UPLOAD COMPLETE
<ESC> to get back to the menu
AVAILABLE SYSTEM OPTIONS
COPY SYSTEM AND PUBLIC FILES
Create AUTOEXEC.NCF File
Create STARTUP.NCF File
Edit AUTOEXEC.NCF File
Edit STARTUP.NCF File
[Return To Main Menu]
NEXT, LOAD LAN DRIVERS: <Alt+Esc> will get you back to the SERVER console prompt.
MY_SERVER: load ne2000
Port: 340
Interrupt: A
MY_SERVER: bind ipx to ne2000
Network Number: 1
<Alt+Esc> will get you back to the Installation Menu.
Back in INSTALL:
INSTALLATION OPTIONS:
Disk Options
Volume Options
[SYSTEM OPTIONS]
Product Options
Exit
AVAILABLE SYSTEM OPTIONS
COPY SYSTEM AND PUBLIC FILES
[Create AUTOEXEC.NCF File]
Create STARTUP.NCF File
Edit AUTOEXEC.NCF File
Edit STARTUP.NCF File
Return To Main Menu
Save AUTOEXEC.NCF [Y]
AVAILABLE SYSTEM OPTIONS
COPY SYSTEM AND PUBLIC FILES
Create AUTOEXEC.NCF File
[Create STARTUP.NCF File]
Edit AUTOEXEC.NCF File
Edit STARTUP.NCF File
Return To Main Menu
Save STARTUP.NCF [Y]
Return to the MAIN MENU, exit INSTALL, then bring the server down:
MY_SERVER: DOWN
MY_SERVER: EXIT
REBOOT from the C: disk
C:>cd server.312
Look at AUTOEXEC.NCF
Look at STARTUP.NCF
C:\SERVER.312>server     TO START THE SERVER
IMPORTANT NOTE: POSSIBLE ALLOCATION ERROR
When you map a drive, it becomes part of your command interpreter environment. If your environment is too small, you will get environment allocation errors ("Out of environment space") when the mapping scripts are executed. If this happens, you can expand the COMMAND INTERPRETER ENVIRONMENT using the SHELL command in CONFIG.SYS:
SHELL=C:\COMMAND.COM /E:1024 /P
Placed in the CONFIG.SYS file, this command tells the system where the proper COMMAND INTERPRETER is located. /E:1024 expands the environment space to 1024 bytes, and /P makes this copy of the COMMAND INTERPRETER permanent. /P also directs the system to execute AUTOEXEC.BAT as part of bootup.
FRAME TYPES: Netware 3.12 supports 4 different Ethernet frame types, which correspond to the different Ethernet framing standards:
Ethernet_802.2
Ethernet_802.3
Ethernet_SNAP
Ethernet_II
Unfortunately, the naming of these Netware Ethernet frame types causes a great deal of confusion, and the purpose of the following is to clear it up. Novell began developing its LAN technologies from Xerox's Ethernet, before the IEEE 802.3 standard existed. Novell shipped its own framing based on the draft 802.3 standard before it was finalized: the 802.3 length field, followed directly by the IPX packet, with no IEEE 802.2 LLC header. When IEEE finished its 802.3 and 802.2 standards, they differed from the Novell version. Therefore Novell's "raw" 802.3 framing (you will see it listed as ETHERNET_802.3) is not compliant with the IEEE 802.3 Ethernet standard, and the two are incompatible: a server bound to one frame type does not see clients that send the other. Later Novell added ETHERNET_802.2, which carries the IEEE 802.2 LLC header and is fully compliant with IEEE 802.3. Ethernet_SNAP (Sub-Network Access Protocol) extends the 802.2 header with a protocol type field; it is used on Token Ring and by AppleTalk Phase II, and can carry TCP/IP. Ethernet_II is the original Xerox/DEC/Intel frame with a 2-byte type field in place of the length field; it is the frame type normally used for TCP/IP and thus for communicating with Unix hosts.
SUMMARY:
Ethernet_802.2 -- Compliant with the IEEE 802.3 Ethernet standard. This is the default frame type with Netware 3.12, 4.0 and 4.1.
Ethernet_802.3 -- Not compliant with the IEEE 802.3 Ethernet standard. This is the default frame type with the older releases, Netware 2.2 and 3.11.
Ethernet_SNAP -- Developed to carry TCP/IP and other protocols over 802.2; also used on Token Ring and by AppleTalk Phase II.
Ethernet_II -- Supports TCP/IP. Compatible with most Unix installations.
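The four frame types differ only in the bytes that follow the two MAC addresses, and that is what a sniffer or IDS has to inspect before it can decode IPX at all. The following classifier is an added example written for these notes, not code from the original page or from Novell; the NE2000-style frames it checks are built by hand (the source MAC address and the zero-filled IPX header are placeholders, not captures):

```python
"""Tell the four NetWare Ethernet frame types apart from raw frame bytes.

Added example, not code from the original notes. The four encapsulations
differ in what follows the two MAC addresses (bytes 12-13):
  Ethernet_II    : an EtherType (>= 0x0600); 0x8137 is IPX
  Ethernet_802.3 : a length, then the IPX packet directly, so bytes 14-15
                   are the IPX checksum field 0xFFFF (Novell "raw" 802.3)
  Ethernet_SNAP  : a length, then LLC AA AA 03, a 3-byte OUI, 2-byte type
  Ethernet_802.2 : a length, then an LLC header (DSAP E0 for IPX)
The sample frames below are constructed by hand, not captured.
"""

ETHERTYPE_IPX = 0x8137
ETHERTYPE_IP = 0x0800
LLC_SNAP = bytes([0xAA, 0xAA, 0x03])
IPX_SAP = 0xE0


def classify_frame(frame: bytes) -> str:
    """Return the NetWare name of the frame's encapsulation."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry a type/length field")
    type_or_len = int.from_bytes(frame[12:14], "big")
    if type_or_len >= 0x0600:
        return "Ethernet_II"
    payload = frame[14:14 + type_or_len]
    # An IPX header starts with a checksum field that is always 0xFFFF; an
    # IEEE 802.2 header would carry a DSAP/SSAP pair there instead.
    if payload[:2] == b"\xff\xff":
        return "Ethernet_802.3"
    if payload[:3] == LLC_SNAP:
        return "Ethernet_SNAP"
    return "Ethernet_802.2"


def carries_ipx(frame: bytes) -> bool:
    """True if the encapsulation says the payload is an IPX packet."""
    kind = classify_frame(frame)
    payload = frame[14:]
    if kind == "Ethernet_II":
        return int.from_bytes(frame[12:14], "big") == ETHERTYPE_IPX
    if kind == "Ethernet_802.3":
        return True                       # raw 802.3 is used only by IPX
    if kind == "Ethernet_SNAP":
        return int.from_bytes(payload[6:8], "big") == ETHERTYPE_IPX
    return payload[0] == IPX_SAP          # 802.2: the DSAP identifies IPX


# --- constructed sample frames (placeholders, not captures) -----------
DST = bytes.fromhex("ffffffffffff")                 # broadcast
SRC = bytes.fromhex("0000c0112233")                 # assumed NIC address
IPX_HDR = b"\xff\xff" + bytes(28)                   # 30-byte IPX header, checksum FFFF


def _len(n: int) -> bytes:
    return n.to_bytes(2, "big")


FRAME_ETHERNET_II = DST + SRC + _len(ETHERTYPE_IPX) + IPX_HDR
FRAME_802_3 = DST + SRC + _len(len(IPX_HDR)) + IPX_HDR
LLC_IPX = bytes([IPX_SAP, IPX_SAP, 0x03])
FRAME_802_2 = DST + SRC + _len(len(LLC_IPX) + len(IPX_HDR)) + LLC_IPX + IPX_HDR
SNAP_IPX = LLC_SNAP + bytes(3) + _len(ETHERTYPE_IPX)
FRAME_SNAP = DST + SRC + _len(len(SNAP_IPX) + len(IPX_HDR)) + SNAP_IPX + IPX_HDR
FRAME_IP = DST + SRC + _len(ETHERTYPE_IP) + bytes(20)   # Ethernet_II carrying IP, not IPX

if __name__ == "__main__":
    for name, frame in [("802.2", FRAME_802_2), ("802.3", FRAME_802_3),
                        ("SNAP", FRAME_SNAP), ("II", FRAME_ETHERNET_II),
                        ("IP", FRAME_IP)]:
        print(f"{name:6} {classify_frame(frame):15} ipx={carries_ipx(frame)}")
```

The 0xFFFF test is the same heuristic real stacks use to tell Novell raw 802.3 from an IEEE 802.2 frame; on a cable carrying both, a server bound only to ETHERNET_802.2 silently drops every FRAME_802_3 a client sends, which is the usual "client cannot find server" symptom.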
Understanding Client Connection
IPX/SPX: The Novell Netware environment is denoted as the IPX/SPX environment. You will see this nomenclature used often alongside other networking environments (TCP/IP under UNIX and NetBEUI under Windows NT). Now is a good time to start getting used to the abbreviations.
IPX is the INTERNETWORK PACKET EXCHANGE protocol, which on a NETX client is contained in the file IPX.COM. IPX.COM performs:
1) RIP (Routing Information Protocol) - a) assists clients in locating the fastest route to a network device by broadcasting a route request; b) detects changes in the network configuration; c) responds to requests from clients; d) requests information from other routers to update routing tables.
2) SAP (Service Advertising Protocol) - broadcasts the services and addresses of gateways, servers and print servers to clients who need to know the availability and address of those nodes.
3) NCP (Netware Core Protocol) - monitors connection control and service requests (acts as a session layer, p. 410).
NETX: NETx.COM is a SHELL which enables applications on the PC to communicate with Netware. Over the years there have been different versions, one per DOS major version: NET2.COM, NET3.COM, NET4.COM, NET5.COM. These are referred to collectively as NETx.COM. NETX.COM is a universal shell, developed after DOS 5.0, that works with any DOS version; with DOS 6.0 it became NETX.EXE and works with DOS 2 through 6. Thus the universal NETx program is named NETX.EXE.
ODI Drivers & VLMs: ODI (Open Data-link Interface) was developed by Novell and Apple in 1989. Novell is currently pushing the use of ODI and has discontinued further development of IPX.COM since June 1992. ODI modules replace the dedicated IPX.COM and work with NETX.EXE or the VLMs. To use ODI modules, be sure that the interface card is certified to run with ODI drivers. Using ODI, your network can run multiple protocols on the same cable. This allows devices that use different communication protocols to co-exist on one network.
FOR EXAMPLE: Both TCP/IP and IPX can run on the same computer using the same NIC (Network Interface Card). This allows a user to concurrently access a Netware server using IPX and a Unix host using TCP/IP over the same NIC.
ADVANTAGES: 1) Flexibility 2) Transparency
ODI currently supports:
AppleTalk -- Macintosh
TCP/IP -- Sun, Unix
IPX -- DOS, Windows, OS/2
The ODI Environment:
Board driver -- MLID (Multiple Link Interface Driver), e.g. NE2000.COM: the card-specific driver, the lowest ODI layer, that puts frames on and takes frames off the wire.
Link Support Layer -- LSL.COM. The LSL routes packets from the MLID (NE2000.COM) to the upper ODI layers. It identifies the type of packet and passes it to the appropriate protocol stack.
The protocol stacks are the different protocols (IPX, TCP/IP, OSI, AppleTalk) and reside in IPXODI.COM or TCPIP.EXE.
Observe the following load order (STARTNET.BAT):
LSL.COM
NE2000.COM
IPXODI.COM
NETX.EXE or VLM.EXE (VLM is the Netware DOS Requester)
Unload in reverse order:
NETX /U or VLM /U
IPXODI /U
NE2000 /U
LSL /U
Advantages of ODI over IPX.COM:
ODI -- supports LANalyzer for Windows
ODI -- improved memory management
ODI -- easier to configure; no regeneration with WSGEN is necessary
ODI -- allows each client to have up to 4 NICs
ODI -- supports multiple protocols on a single NIC over one cable
NET.CFG
NET.CFG provides operating parameters for ODI and for the DOS REQUESTER. NET.CFG need only be created if you deviate from the established defaults of ODI and the DOS REQUESTER. Example:
IPX RETRY COUNT = 50
SPX ABORT TIMEOUT = 1000
LINK DRIVER NE2000
    INT 11
    PORT 340
    FRAME ETHERNET_802.3
NETWARE DOS REQUESTER
    FIRST NETWORK DRIVE = Q
    SHOW DOTS = ON
    FILE HANDLES = 60
    CACHE BUFFERS = 20
    MAX TASKS = 50
    LONG MACHINE TYPE = COMPAQ
    PREFERRED SERVER = B06000
    CONNECTIONS = 14
    LOAD CONN TABLE LOW = ON
Note that the FRAME line must match a frame type the server has IPX bound to; a client on ETHERNET_802.3 cannot see a server bound only to ETHERNET_802.2.
VLM: The VLM DOS REQUESTER, also called the Netware DOS Requester, lets DOS communicate with Netware (it is the connection point between the client's DOS and Netware). It consists of the module VLM.EXE, which replaces NETX.EXE in v3.12 and v4.1. NOTE: VLM.EXE must be loaded after IPXODI.
Advantages of the DOS REQUESTER over NETX:
1) Large packet sizes.
2) Enables transmission of multi-packet messages across the internetwork.
3) Loads only the VLM modules that are necessary for your network, which can reduce the memory requirement on the client.
4) Supports Netware Directory Services in v4.1.
Connect Client to Server:
C:\> CD C:\NWCLIENT
LSL
NE2000
IPXODI
VLM
Then you get the F:> prompt, and the user may log in:
F:>login my_server/supervisor
CONCEPTS AND IMPLEMENTATION OF SECURITY
Netware has four basic attributes which deal with security:
1. login/password security
2. login restrictions
3. access rights
4. file attributes
Login and password security governs the initial access to the file server: the user must have a valid login name and password. Login restrictions provide a secondary level of login security by filtering out users according to a variety of conditions: account restrictions, time restrictions, station restrictions, intruder detection lockout and NCP packet signature. Access rights define a set of privileges which are assigned to users or groups for directories. The IRM (Inherited Rights Mask) and effective rights belong to this topic and will be discussed later. File attributes apply to individual files and limit privileges for reading, writing, executing, hiding, etc.
NETWARE BINDERY
The Netware 3.x security model is implemented through a flat (non-hierarchical) database called the Netware bindery. The bindery is an object-oriented database that contains definitions for users, groups and other objects on the network. Netware uses the bindery to organize the user structure and define Netware security. The three basic components of the bindery are objects, properties and values. An object is any LAN component with a name, such as a file server, user, group or print server. The bindery tracks these objects and defines a variety of their characteristics, known as properties. The bindery values are the actual data sets that correspond to object properties. Bindery objects, properties and values are tracked through three hidden files: NET$OBJ.SYS for objects, NET$PROP.SYS for properties and NET$VAL.SYS for values. On Netware 2.2 the bindery exists as two hidden files, NET$BIN.SYS and NET$BVAL.SYS. All of these files are hidden files in the directory SYS:SYSTEM and are owned by the system.
SECURITY CLASSES
Supervisor: When Netware is first installed, two users are created by default. One is SUPERVISOR. It has no password initially and has all rights and privileges, so set one before the server goes into use. The second account is GUEST, which is severely restricted. As an example of bindery objects, upon installation the system creates the bindery objects SUPERVISOR and GUEST.
Supervisor equivalent: Any regular user on the network may be made a supervisor equivalent, with all the rights and privileges of the supervisor. The basic difference between the supervisor and a supervisor equivalent is that the supervisor equivalent may be created and deleted. The SUPERVISOR account cannot be deleted. NOTE: One important use of the supervisor equivalent comes from past experience with certain viruses that search the system for the well-known name SUPERVISOR and destroy or lock that account. A supervisor equivalent, which can exist under any user name, may then be used to continue operations.
Managers: There are two types of managers. Workgroup Managers have special rights to create and manage users for specific groups. Workgroup managers can create and delete users, but are restricted to deleting only accounts for users that they have created or that are directly under their workgroup. Account Managers provide the facility for managing and deleting accounts within a group, but not for creating them.
Operators: Operators oversee specific network functions. Only the supervisor or a supervisor equivalent can assign users to be operators. Examples of operators are the Print Queue Operator, who manages a print queue and thus has privileges within PCONSOLE, the print console utility, and the File Server Operator, who manages a file server and thus has privileges within FCONSOLE.
LOGIN PASSWORD SECURITY
Login password security consists of user names and passwords.
A user name can be from two to forty-seven characters in length. User names can be assigned using the SYSCON menu utility or the command line utilities MAKEUSER or USERDEF. When the user logs in to the network by specifying a file server name and a user name, the system verifies the user name by matching it against an object in the file NET$OBJ.SYS. The password is then prompted for even if the object does not exist. This is done so that someone trying to break in cannot tell valid user names from invalid ones by the server's response. If the user name is valid, the system searches NET$PROP.SYS for account restrictions. Here it can tell what login properties exist for this account, including whether a password exists. If a password exists, the system responds with PASSWORD:. If a password does not exist, the system continues to the next step. Finally, Netware uses NET$VAL.SYS to get the values of the login restrictions, such as the password, time restrictions and station restrictions. If the password is not valid or another restriction applies, it responds with access denied.
An intruder detection lockout mechanism is also available. It automatically locks an account when the number of failed login attempts exceeds a threshold count. A locked account can only be unlocked by the Netware supervisor or a supervisor equivalent.
NCP packet signature is another security mechanism, designed to protect the LAN from attackers who forge data packets in order to pose as authorized clients. When a workstation client logs in to a server, the server and the client establish a shared key referred to as a session key. This key is unique for each client logged in to the server. When the client requests a service from the server, it appends a signature computed from this key to the request packet. The server validates the signature as soon as it receives the packet. If the signature is correct, the server processes the request and attaches a new signature to the reply.
If the client signature is incorrect, the packet is discarded and an alert message is sent to the server console. The supervisor controls packet signing with the SET command at the server, or with a line in NET.CFG on the client.
At the server:
MY_SERVER: SET NCP PACKET SIGNATURE OPTION = n
In NET.CFG on the client, add:
SIGNATURE LEVEL = n
The four levels have the same meaning on both sides:
0 -- Does not sign
1 -- Signs only if the other side requests it
2 -- Signs if the other side is capable (default)
3 -- Always signs
Outcome with the server at level 2 (the default), for each client level:
Client 0 (does not sign)            -- No signing
Client 1 (signs if server requests) -- Yes, signed
Client 2 (signs if server capable)  -- Yes, signed
Client 3 (always signs)             -- Yes, signed
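The negotiation above, together with the NET.CFG format shown in the NET.CFG section earlier, as an added example that is not part of the original notes or of Novell's client software. The row for a server at level 2 is the one the notes give; the outcomes for server levels 0, 1 and 3 follow Novell's published matrix for these four levels (a level-3 side refuses a level-0 side) and are an assumption beyond the page. The NET.CFG text is constructed for the example; its section and option names are the ones listed in the notes:

```python
"""NCP packet signature: read the client's SIGNATURE LEVEL from NET.CFG and
work out what a given server/client level pair negotiates to.

Added example, not code from the original notes. The row for a server at
level 2 (the default) is the one the notes show; the outcomes for server
levels 0, 1 and 3 follow Novell's published level matrix and are an
assumption beyond the page. The NET.CFG below is constructed, not real.
"""

LEVELS = {0: "does not sign", 1: "signs only if the other side requests it",
          2: "signs if the other side is capable", 3: "always signs"}
UNSIGNED, SIGNED, NO_LOGIN = "unsigned", "signed", "no login"


def negotiate(server_level: int, client_level: int) -> str:
    """Outcome for one connection between a server and a client.

    A side at level 3 refuses a side at level 0 (no login); otherwise the
    session is signed when one side wants it (>= 2) and the other is at
    least willing (>= 1), and unsigned in every remaining case.
    """
    for level in (server_level, client_level):
        if level not in LEVELS:
            raise ValueError(f"signature level must be 0-3, got {level}")
    if {server_level, client_level} == {0, 3}:
        return NO_LOGIN
    if min(server_level, client_level) >= 1 and max(server_level, client_level) >= 2:
        return SIGNED
    return UNSIGNED


def parse_net_cfg(text: str) -> dict:
    """NET.CFG -> {section: {OPTION: value}}; top-level options under "".

    An unindented line without '=' opens a section (LINK DRIVER NE2000,
    NETWARE DOS REQUESTER); indented lines are options of that section,
    written "OPTION = value" or, for the single-word link driver options
    (INT, PORT, FRAME), "OPTION value". Text after ';' is a comment.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        indented = line[0] in " \t"
        body = line.strip()
        if not indented and "=" not in body:
            current = body.upper()
            sections.setdefault(current, {})
            continue
        if "=" in body:
            key, value = body.split("=", 1)
        else:
            key, _, value = body.partition(" ")
        sections[current if indented else ""][key.strip().upper()] = value.strip()
    return sections


def client_signature_level(net_cfg: str) -> int:
    """SIGNATURE LEVEL from NET.CFG; the default when absent is 2.

    The notes only say "add SIGNATURE LEVEL = n to NET.CFG"; with the VLM
    requester it sits under NETWARE DOS REQUESTER, so that section is
    checked first and a top-level setting second.
    """
    cfg = parse_net_cfg(net_cfg)
    for section in ("NETWARE DOS REQUESTER", ""):
        value = cfg.get(section, {}).get("SIGNATURE LEVEL")
        if value is not None:
            return int(value)
    return 2


def audit_client(net_cfg: str, server_level: int) -> dict:
    """What one client config negotiates against a server at server_level."""
    client_level = client_signature_level(net_cfg)
    outcome = negotiate(server_level, client_level)
    return {"client_level": client_level, "server_level": server_level,
            "outcome": outcome,
            # an unsigned session is exactly the forgery case the notes describe
            "forgeable": outcome == UNSIGNED}


# Constructed client NET.CFG for this example (not a real workstation's file).
SAMPLE_NET_CFG = """\
; workstation NET.CFG, constructed for this example
IPX RETRY COUNT = 50
LINK DRIVER NE2000
    INT 11
    PORT 340
    FRAME ETHERNET_802.2
NETWARE DOS REQUESTER
    FIRST NETWORK DRIVE = F
    PREFERRED SERVER = MY_SERVER
    SIGNATURE LEVEL = 1
"""

if __name__ == "__main__":
    for server_level in LEVELS:
        print(server_level, audit_client(SAMPLE_NET_CFG, server_level))
```

Running the audit across all four server levels shows the trade-off the supervisor is making: level 2 on the server leaves a level-0 client unsigned and therefore forgeable, while level 3 stops that client from logging in at all, so check every client's NET.CFG before raising the server setting.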
ACCESS RIGHTS
Access rights are granted on directories to users and groups. These rights allow privileges to read from a file, write to a file, copy a file, change the names of files, run applications, erase files, create directories, etc. There are eight access privileges, and we specify them in a variety of commands:
W indicates Write to an existing file
R indicates Read an existing file
M indicates Modify file names and attributes
F indicates File scan, the ability to search a directory or subdirectory for a file
A indicates Access control, the ability to change access rights
C indicates Create, the ability to create and write new files or subdirectories
E indicates Erase, the ability to delete an existing file or subdirectory
S is Supervisory, which gives all rights within a directory and all its subdirectories
Examples of the rights needed for usual operations:
Read an existing file -- R
Execute an .EXE file -- RF
Create & write a file -- C
Make a new directory -- C
Delete a file -- E
Change attributes -- M
Rename a file -- M
Write to an existing file -- WCEM
Copy a file to a directory -- WCF
Copy a file from a directory -- RF
Modify disk space -- A
Change directory rights -- A
Change trustee assignments -- A
Salvage a deleted file -- RFC
TRUSTEE ASSIGNMENTS
Trustee assignments are access rights assigned to users and groups. When a user is given a rights assignment to a directory, that user is called a "trustee" of that directory. When access rights are granted to a trustee, the privileges flow down to all subdirectories. Netware differentiates among 3 types of rights:
Inherited rights -- those that flow down from a parent directory
Explicit rights -- those explicitly granted by a trustee assignment
Effective rights -- those actually in force, calculated from the explicit or inherited rights and the IRM
IRM (the Inherited Rights Mask): The IRM is basically a filter. Each directory has an IRM that controls which rights flow through to it from the directory above. The system administrator can change this IRM to allow only certain rights to flow down into particular subdirectories. The IRM may be changed with the ALLOW command or with the FILER menu utility. The IRM affects only the rights that flow down from the directory above. If you are granted rights directly on a directory by the GRANT command, or by FILER or SYSCON, then the IRM of that directory has no effect on those granted rights. It does, however, affect the rights that flow down into subdirectories.
For example: say there is a directory called TEST and the rights granted on TEST are RWEF. TEST has a subdirectory called SCORE. The IRM for SCORE is RWCM. SCORE has a subdirectory called NETWORKING.
TEST (RWEF granted)
  SCORE (IRM = RWCM)
    NETWORKING (effective rights RW)
The effective rights for the subdirectory NETWORKING are only RW because the rights granted on the top directory TEST (RWEF) are filtered through the SCORE subdirectory, whose IRM is RWCM. Only R and W are in both, so the effective rights for SCORE, and hence for NETWORKING, are RW. (See p. 800, Ch. 16 of Networking Technologies.)
NOTE: The Supervisory right (S) cannot be blocked by the IRM; it is immune to any effect from the IRM. In addition, the Supervisory right S cannot be revoked in a subdirectory below the parent directory where it was expressly granted. (See pg. 222 of the Novell CNE Study Guide.)
Rights Commands:
1. Access privileges can be granted in two ways: using SYSCON or with the GRANT command. GRANT is used from the DOS prompt in the form:
GRANT <rightslist> for <path> to <user or group>
For example: GRANT R F for O: to Smith. This grants the privileges R (read existing files) and F (file scan, to search the directory) on the directory mapped to drive O: to the user Smith.
2. To see what rights you have to a particular logical drive or directory, use the RIGHTS command:
RIGHTS <path name>
It lists the effective rights of the user issuing the command.
3. The TLIST command displays the users and groups who have been given explicit rights on a specific directory, together with those rights.
4. The REVOKE command is the opposite of GRANT:
REVOKE <rightslist> for <path> from <user or group name>
Example: REVOKE C E M A for O: from Smith. This revokes from Smith, on drive O:, the privileges of creating new files or subdirectories (C), erasing existing files (E), modifying file names and attributes (M) and access control (A).
5. To remove a user from having any privileges at all on a particular path or directory, use the REMOVE command. Example: REMOVE Smith from O:. In this example Smith's trustee assignment on the O: directory is removed. (Note that O: here stands for the directory mapped to drive O:, not a physical disk drive.)
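The TEST/SCORE/NETWORKING calculation above, carried through in code as an added example that is not part of the original notes or of Novell's RIGHTS utility. It applies the three rules the notes state (an explicit trustee assignment replaces inheritance at that directory and is not filtered by that directory's IRM; inherited rights are filtered by each IRM on the way down; S passes every IRM, cannot be revoked below where it was granted, and implies all rights) and checks the result against the operations table from the ACCESS RIGHTS section. Group trustee assignments are left out, and placing the example tree on the SYS: volume is an assumption:

```python
"""Effective rights in a NetWare 3.x directory tree: trustee assignments,
the Inherited Rights Mask (IRM) and the Supervisory right.

Added example, not code from the original notes. Rules modelled, as the
notes state them: an explicit trustee assignment on a directory replaces
whatever would flow down from above and is not filtered by that
directory's own IRM; rights that are only inherited are filtered by each
directory's IRM on the way down; S passes every IRM, cannot be revoked
below the directory where it was granted, and implies all other rights.
Group assignments are left out (assumption: one user trustee). The
TEST/SCORE/NETWORKING tree is the notes' example; the SYS: volume is assumed.
"""

RIGHT_ORDER = "SRWCEMFA"            # display order; S listed first
ALL_RIGHTS = frozenset(RIGHT_ORDER)

# Rights needed for common operations, as tabulated in the notes.
OPERATION_RIGHTS = {
    "read file": "R",
    "execute .exe": "RF",
    "create file": "C",
    "delete file": "E",
    "rename file": "M",
    "copy file into dir": "WCF",
    "copy file out of dir": "RF",
    "change trustee assignments": "A",
    "salvage deleted file": "RFC",
}


def parse_rights(spec: str) -> frozenset:
    """'R W E F' or 'RWEF' -> frozenset of right letters, validated."""
    letters = frozenset(spec.replace(" ", "").upper())
    unknown = letters - ALL_RIGHTS
    if unknown:
        raise ValueError("unknown right(s): " + "".join(sorted(unknown)))
    return letters


def format_rights(rights) -> str:
    return "".join(r for r in RIGHT_ORDER if r in rights)


def effective_rights(path: str, trustee: dict, irm: dict) -> frozenset:
    """Effective rights of one user at `path` ('VOL:DIR/SUB/...').

    trustee : {directory: rights explicitly granted there}
    irm     : {directory: that directory's IRM}; unlisted = allows all
    """
    volume, _, rest = path.partition(":")
    if not volume or not rest:
        raise ValueError("path must look like VOL:DIR/SUB")
    rights = frozenset()            # nothing flows in from the volume root
    current = volume + ":"
    for depth, name in enumerate(rest.split("/")):
        current += ("" if depth == 0 else "/") + name
        if "S" in rights:
            inherited = rights      # S is immune to the IRM
        else:
            inherited = rights & irm.get(current, ALL_RIGHTS)
        granted = trustee.get(current)
        if granted is None:
            rights = inherited
        else:
            # explicit assignment replaces inheritance and bypasses this
            # directory's IRM; S granted above cannot be revoked here
            rights = granted | (frozenset("S") if "S" in inherited else frozenset())
        if "S" in rights:
            rights = ALL_RIGHTS     # Supervisory implies every other right
    return rights


def can(operation: str, rights) -> bool:
    """True if `rights` cover the operation, per the notes' table."""
    return parse_rights(OPERATION_RIGHTS[operation]) <= rights


# The notes' example: TEST granted RWEF, SCORE's IRM is RWCM.
TRUSTEE = {"SYS:TEST": parse_rights("RWEF")}
IRM = {"SYS:TEST/SCORE": parse_rights("RWCM")}

if __name__ == "__main__":
    for d in ("SYS:TEST", "SYS:TEST/SCORE", "SYS:TEST/SCORE/NETWORKING"):
        eff = effective_rights(d, TRUSTEE, IRM)
        print(f"{d:28} {format_rights(eff):8} execute .exe: {can('execute .exe', eff)}")
```

Because F is filtered out at SCORE, a user with these rights can read files under NETWORKING but cannot run an .EXE there, which is the kind of result you would confirm with RIGHTS on the live server before blaming the application.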
FILE ACCESS RIGHTS: There are additional attributes for files:
NS (Non-Sharable) -- access is limited to one user at a time.
S (Sharable) -- the file is available for simultaneous access.
RW (Read Write) -- the user may read the file and write to it, altering its contents.
RO (Read Only) -- the user may only read the file and not write to it.
X (eXecute only) -- the user cannot copy or delete the file; once set, this attribute cannot be removed.
H (Hidden file) -- users cannot see, use, delete or copy over the file.
D (allowing Deletion) / DI (Delete Inhibit) -- with DI set, the user cannot delete the file or the directory.
R (allowing Rename) / RI (Rename Inhibit) -- with RI set, the user cannot rename the file or the directory.
C (allowing Copy) / CI (Copy Inhibit) -- with CI set, the file cannot be copied.
SPECIAL ATTRIBUTES
There are other special attributes which provide access to special Netware functions or features, including backup, indexing and transaction tracking.
T -- Transactional: activates TTS for the file. Files marked with T are tracked by the Transaction Tracking System (TTS). TTS is a method the file server uses to protect the integrity of certain files during updates. All files that need to be tracked while being modified must have this attribute. It is basically used in database (all-or-nothing transaction processing) applications. During the alteration of a database, a copy of the old data is kept while the database is being altered. When the alteration is complete, the system marks the transaction as completed. If something happens during the alteration, such as the machine going down, the transaction is incomplete and the old copy of the database file remains the current copy.
I -- Indexed: identifies a file for FAT indexing.
SY -- System: identifies a system file. These files cannot be deleted or copied.
P -- Purge: purge when deleted. This ensures that after a directory is deleted, any files in that directory cannot be restored. Basically the P flag means that when a file is deleted, it is also purged and cannot be salvaged.
A -- Archive needed: the file has been altered since the last backup. This attribute is also set on files that have been copied into another directory.
RA -- Read Audit: no function.
WA -- Write Audit: no function.
SYSCON
FILE SERVER INFORMATION: displays relevant details about the current server the administrator is attached to, including the server name, Netware version, operating system revision, serial number and number of connections supported.
GROUP INFORMATION: allows groups to be created and managed.
SUPERVISOR OPTIONS: allow the manager to assign supervisory status to users and groups. Supervisor Options is where system managers spend most of their time with administrative functions. Important functions in this menu include access to the system login script, which is executed by every user logging in, time restrictions, and other functions such as intruder detection lockout activation.
USER INFORMATION: here the supervisor may create user names and passwords, and set other user information dealing with login scripts, security, time restrictions and volume disk restrictions.
There are eight command line utilities (CLUs) associated with similar functions:
ATTACH GRANT REMOVE REVOKE RIGHTS SETPASS SLIST TLIST
FILER
FILER is designed to control volume, directory, file and subdirectory information. FILER provides exceptional functionality by allowing you to rename directories, delete entire branches of trees and change file security. Its features are similar to some DOS utilities and the Norton Utilities. The available topics in FILER are:
CURRENT DIRECTORY INFORMATION: useful when you need to move back and forth between the current and other directories. This option provides details about the current default directory, such as the creation date and time, the directory attributes and other security information. It is an extremely valuable option because it is security related: you can access the list of directory and file attributes, the IRM, the trustees and their trustee assignments. This is the only menu utility that shows the calculated effective rights, because it incorporates the IRM.
DIRECTORY CONTENTS: lists all the files and directories beneath the default directory.
SET FILER OPTIONS: allows default options to be set. Examples of these options are confirm file deletion and confirm file copy.
VOLUME INFORMATION: includes the name of the file server, the volume name, the type of the volume, total size, the number of bytes available and information about directory entries.
The CLUs associated with FILER:
FLAG FLAGDIR LISTDIR NCOPY NDIR RENDIR XCOPY
SESSION
SYSCON and FILER satisfy about 95% of the system manager's utility needs. There is an additional utility called SESSION that provides an abbreviated list of user functions: drive mappings, user list and so on. SESSION provides a single central point for accessing user-specified configurations and features. The SESSION menu controls file servers, default drive mappings, search drive mappings, messages and lists of users and groups. The CLUs associated with SESSION are:
MAP SEND USERLIST WHOAMI
SUPERVISORY UTILITIES:
These important supervisory utilities are stored away from public use in the SYS:SYSTEM directory.

1. BINDFIX is a supervisor utility that permits corruption recovery and restoration of the Netware bindery. The Netware bindery for Netware 3.1X consists of three files: NET$OBJ.SYS, NET$PROP.SYS and NET$VAL.SYS. The bindery keeps track of users, groups, file servers, print servers, routers and anything else that has a name. It stores rights, privileges, connections, configurations and many other things. BINDFIX runs consistency checks on the bindery and tracks the relationships among objects, properties and values. If an inconsistency exists, BINDFIX will more than likely correct it and de-corrupt the bindery. The system manager runs BINDFIX from the directory SYS:SYSTEM, and it should be run in any of the following situations:
   1. A user name cannot be deleted or modified.
   2. A user's rights or password cannot be changed.
   3. The error "Unknown server" occurs when a file is printing.
   4. A bindery error message occurs at the server console.
   5. The TTS$LOG.ERR text file shows evidence of a TTS shutdown.

BINDFIX has other capabilities, including deleting rights and trustee assignments for users whose accounts no longer exist and deleting mail subdirectories for users whose accounts no longer exist. When BINDFIX runs, backup files of the original bindery, named NET$OBJ.OLD, NET$PROP.OLD and NET$VAL.OLD, are created. These .OLD files are simple binary files that can be copied to a floppy disk. It is recommended that BINDFIX be run on a newly generated network so that the new, pristine bindery files can be saved as .OLD files, in case corruption occurs later and BINDFIX cannot correct the problem. BINDREST is a related utility that restores the .OLD files from a BINDFIX session. BINDREST can also restore old copies of binderies that were backed up from earlier bindery sessions. On an active network, it is recommended that BINDFIX and BINDREST be run routinely once a month.

2. DOSGEN is a utility that creates a remote boot image file that can be used by diskless workstations. A diskless workstation is a workstation that has a programmable read-only memory (PROM) located on the network interface card. The boot PROM redirects the user into the network at the F:\LOGIN directory. When this happens, the boot image is downloaded to the workstation's random access memory, and the workstation's AUTOEXEC.BAT, CONFIG.SYS and COMMAND.COM files are then executed from there. The creation of this boot image is performed with DOSGEN. Diskless workstations have the advantage of protecting against theft of data from the network and keeping viruses off the shared disk.

3. PAUDIT is another accounting utility that provides more detailed information about logins, logouts and user use of network resources. PAUDIT creates a large accounting file that may be imported into a database package. It also provides information with respect to security violations and intruder detection/lockout.

4. SECURITY is a supervisor utility that looks for various aspects of weakness in security. It can identify passwords that are fewer than five characters; users who have security equivalence to SUPERVISOR; users who have been assigned as workgroup managers; users who are not required to enter a password; and users who have no full name assigned.

5. WSUPDATE is a supervisor utility that can update workstation shells and configuration files from one central location. WSUPDATE compares the time and date of each destination workstation's configuration files with a central source file, and copies or replaces existing workstation shells (such as VLM.EXE) with the newer version.

6. ASSOCIATED CLUs. Also located in SYS:SYSTEM are the following associated supervisory utilities:

7. DSPACE provides the same function as the corresponding option in SYSCON. It enables system managers to limit user space within directories.

8. MAKEUSER enables system managers to design scripts that create or delete multiple user accounts.

9. PCONSOLE is the principal utility for creating print queues. It is the main printer utility and allows the manager to configure print servers and print queues.

10. PRINTCON allows print job configurations to be created and print job parameters to be customized, such as the number of copies, tab size, banners, form names and default print queues. It also has options concerning print devices and printing forms.

11. PRINTDEF allows printer definitions to be created, including the escape sequences for different printers, fonts, and the length and width of forms.

12. SALVAGE is used to recover files that have been erased from the network but not yet purged.

13. USERDEF provides the same functionality as MAKEUSER. The difference between the two is that MAKEUSER uses a script format and permits the supervisor to create and delete user accounts, whereas USERDEF uses a template format that only allows the supervisor to create users.
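As an added example (not from the page and not Novell's SECURITY.EXE), the following Python audit reproduces the five checks SECURITY performs, run over a constructed set of bindery-style user records; the User fields, the helper names and the sample user names are assumptions made for the illustration.

```python
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 5  # SECURITY flags passwords of fewer than five characters

@dataclass(frozen=True)
class User:
    # One bindery user object, reduced to the properties SECURITY examines (assumed fields).
    name: str
    full_name: str = ""
    password_required: bool = True
    password_length: int = 0  # only the length; the bindery stores no plaintext
    security_equivalences: tuple = ()
    workgroup_manager: bool = False

def audit_user(user):
    """Return the weakness labels SECURITY would report for a single user."""
    findings = []
    if not user.password_required:
        findings.append("no password required")
    elif user.password_length < MIN_PASSWORD_LENGTH:
        # a short-password finding only matters where a password is enforced at all
        findings.append("password shorter than five characters")
    if any(e.upper() == "SUPERVISOR" for e in user.security_equivalences):
        findings.append("security equivalent to SUPERVISOR")
    if user.workgroup_manager:
        findings.append("workgroup manager")
    if not user.full_name.strip():
        findings.append("no full name")
    return findings

def audit(users):
    """Map every user with at least one weakness to its list of findings."""
    return {u.name: f for u in users if (f := audit_user(u))}

# Constructed sample bindery contents (hypothetical names, not from any real server).
SAMPLE_USERS = (
    User("DJONES", full_name="Dave Jones", password_length=8),
    User("JSMITH", full_name="Jane Smith", password_length=10, security_equivalences=("SUPERVISOR",)),
    User("CLERK", full_name="Front Desk", password_length=4),
    User("GUEST", password_required=False),
    User("PRNMGR", full_name="Print Manager", password_length=6, workgroup_manager=True),
)

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        print(f"{name}: {'; '.join(findings)}")
```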
INSTALLATION TOOLS:
1. LOAD -- This is used to execute NLMs (Netware Loadable Modules).
2. UNLOAD -- Unloads NLMs.
3. BIND -- Links LAN drivers to specific protocols for the current server. Example: BIND IPX TO <LAN driver>
4. MOUNT -- This activates file server volumes.
MAINTENANCE TOOLS:
1. CLEAR STATION -- This enables the system manager, from the file server, to clear a workstation connection and thus release all file server resources held by that workstation.
2. DISABLE/ENABLE LOGIN -- This disables or enables workstation logins.
3. DISABLE/ENABLE TRANSACTIONS (TTS) -- This disables or enables the Transaction Tracking System.
4. DOWN -- This takes down the file server and closes all open files.
5. RESET ROUTER -- This resets the file server's router table if it is corrupted. The router table is used by the file server to recognize other servers and other network facilities.
6. REMOVE DOS -- This removes the DOS COMMAND.COM from the file server.
7. SET TIME -- This sets the time.
8. SET TIME ZONE -- This sets the time zone.
9. TIME -- This displays the time.
10. CONFIG -- This displays the server's operating system hardware and internal components.
11. DISPLAY SERVERS -- This displays all servers recognized on the network.
12. DISPLAY NETWORKS -- This displays data about the networks known to the server.
13. NAME -- This displays the name of the file server.
14. VOLUMES -- This lists all volumes on the server's disks.