LANSYS@UBVMS.BITNET (01/13/90)
Hello, we were told when we first began installing novell networks
to set up the rights for SYS: as ROS and add additional rights
where necessary for certain applications who require Create
,delete, etc rights.
Well, even though we have a fairly secure menuing system (SABER)
we know that people can escape to the network prompt in several
applications. What we did not know till recently, is that if they
can escape to the network prompt and CD around into various
applications they can copy the software off the server to their
local drives.
Are we missing something very obvious here, this seems like a low
level of security. We do not like to hide all the files, since it
is a real hassel to do administration.
Any solutions, addons, experiences will be appreciated.
LAN Systems S.U.N.Y at Buffalo
LANSYS@UBVMSMONAT@UOTTAWA.BITNET (Paul Monat) (01/13/90)
>Hello, we were told when we first began installing novell networks > to set up the rights for SYS: as ROS and add additional rights > where necessary for certain applications who require Create > ,delete, etc rights. > > Well, even though we have a fairly secure menuing system (SABER) > we know that people can escape to the network prompt in several > applications. What we did not know till recently, is that if they > can escape to the network prompt and CD around into various > applications they can copy the software off the server to their > local drives. > > Are we missing something very obvious here, this seems like a low > level of security. We do not like to hide all the files, since it > is a real hassel to do administration. > > Any solutions, addons, experiences will be appreciated. > >LAN Systems S.U.N.Y at Buffalo >LANSYS@UBVMS Consider reading the unreadable Novell manuals on the following subjects: - Flagdir with the attribute Private hides sub-directories to users who do not have Search rights. - Use Trustee Rights with "tightness" - Declare some .COM and .EXE files Execute Only: go into Filer, select a directory with such executable files, hit file information, select the main executable file (WP.EXE for instance) and hit return, select Attributes and then hit Insert; a special Exec-Only attribute appears: it's only available to executable files and will not only copying. What a good function to hide so tightly in the documentation! - Note that Ndir will show you all files (even the hidden ones) and their attributes but it does NOT show hidden directories (just remember where they are!). 'Flagdir *' shows you all directories even the hidden ones but you can't generalize the command to subdirectories such as with Ndir; for example: 'Ndir *.exe sub' lists alphabetically all .exe files in the directories and it's subdirectories. ^v^ Paul M. Monat Tel: 613-564-6895/6500 ^v^ Faculty of Administration Fax: 613-564-6518 ^v^ Canada K1N 6N5 Bit: Monat @ Uottawa
YOUNG@ITHACA.BITNET (01/16/90)
In the FILER utility you can select EXECUTE ONLY as an attribute (this is a Novell-added attribute, not DOS). Once a file is EXECUTE ONLY it can NOT be copi copied to any other drive. Pick the main . .EXE program file (like WP.EXE) and make it execute only to effectively prevent software theft. Two caveats: once a file is execute-only NO ONE (including the supervisor) may move or copy it, it must be deleted and then re-installed. Secondly, not all programs will work with the main EXE file set to execute-only, for example, RBase for DOS Network version bombs - test first.