Knowledge Base ID6010
|
|
|
Reflex Disknet Pro: Disknet Administrator Tech Tips
The information in article applies to the following product
- Disknet version 1.82/2.10
The information in article applies to the following operating systems
|
|
|
|
Do you require a roving Disknet Administrator (who may not have NT Administrator rights) to enable the authorisation of floppy disks containing executable code from any point on your NT Network?
Some Disknet users of the Windows NT version have expressed the wish to have a category of user between Disknet Client and Disknet Administrator. This user would have the ability to authorise floppy disks containing executable code from anywhere on the NT Network.
|
|
|
|
|
|
|
This can be achieved quite simply when NTFS has been selected as the preferred filing system;
- Create a new Global User Group using "User Manager for Domains" on the Primary Domain Controller, and add users who are permitted to authorise diskettes with executable code. This new Group could be called "Disknet Authorisation".
- Create a new folder on the Server. Place in this folder CheckNT.exe & CheckNT.DAT. These files will be needed to authorise diskettes that contain executable code.
- To enable users to access this folder over the network, it must first be shared. Access this folder's Properties, and click on the Sharing tab. Enable sharing so that your nominated users can access the folder from any PC on the network. When sharing the folder, the recommended share permissions are:
- Remove the "Everyone" groups permission. By default, this group will have "Full Control" whenever a folder is shared. This needs to be removed for security.
- Add the group "Disknet Authorisation" and give them "Read" access. This will allow them to run the diskette authorisation software without being able to add or remove files from this directory.
- Add the "Administrators" group with the "Full Control" permission so that they can configure and update the CheckNT files.
NB - when assigning a sharename, remember that Windows 3.x and DOS folders are limited to 8 characters or fewer.
- Using the folder's Properties, set the NTFS permissions for this folder to restrict access to the user groups "Disknet Authorisation" and "Administrators". To increase security, the access rights of "Disknet Authorisation" should be set to "Read". The "Administrator" group should have "Full Control" permission to allow them to configure and update the CheckNT files.
NB - although the share permissions and NTFS permissions appear to be the same, the share permissions are necessary in order to allow the folder to be accessible over the network. However, share permission restrictions are only in force when a user has accessed the folder from another PC via the network. Anyone physically sitting at the Server will not be affected by the share permissions and therefore has full access to the folder. Using NTFS permission closes this gap by enforcing restrictions on users even if they are sitting at the Server.
- Log on as an Administrator and configure CheckNT.exe so that it can locate on the Server the virus scanner/s you wish to use when authorising a floppy disk.
A member of the user group "Disknet Authorisation" will now be able to logon from any workstation and authorise floppy disks containing executable code. They will not have full Disknet Administrator rights thus preventing them from re-configuring any of the parameters for this action. Users from other groups will be denied access to the folder Authorisation.
NB. If an NTFS partition is not available, you can create the folder on a FAT partition and share it over the network. However, as noted above, the user restrictions applied by the share permissions are only effective when the user accesses the folder via another PC over the network. If the user is physically sitting at the Server, share permissions are ignored and the user will have full access to the folder/contents.
|
|
| Last Reviewed: 08/04/2003 |
article posted: Tuesday 8th April, 2003
|
