Built-in groups are Advanced Server default groups that have established rights and abilities. Use built-in global and local groups the same way you use global and local groups . The Administrators local group and Domain Admins global groups serve as examples.

Membership in an Administrators local group is what makes an account an administrator in an Advanced Server domain. However, when you create an account on an Advanced Server domain, you have two alternate ways of making that account an administrator account: You can place it directly into the Administrators local group, or you can put it in the Domain Admins global group, which is a member of the Administrators local group.

You should always use the second method, putting the account in the Domain Admins global group. In this way, you have a global group that represents all administrators in the domain. This global group can then be put in the Administrators local group of any other domain or Windows NT workstation computer that this domain's administrators need to administer. (When you set up a Windows NT workstation computer to participate in a domain, that domain's Domain Admins global group is added automatically to the workstation's Administrators local group. This allows the domain administrators to manage the workstations in the domain.)

Every domain also has a Domain Users global group. All the user accounts you create in the domain are placed in this group by default; you do not have to remember to add accounts to this group. A Domain Users global group is automatically a member of the Users local group in the same domain and is also a member of the Users local group on all Windows NT workstation computers participating in the domain.

Every domain also has a Domain Guests global group, which is a member of the domain's Guests local group. The Domain Guests global group initially contains the Guest user account.

Domain Admins, Domain Users, and Domain Guests are the only built-in global groups that correspond to built-in local groups. You can create other global groups that correspond to local groups if you want to use the same strategies for the users in the global and local groups.

The way in which you organize the domains on your network is critical. If you set up your domains properly, you can simplify network administration significantly and ensure that users have access to the entire network.

You can manage user security by setting up user accounts, organizing users into groups, and controlling user capabilities. Through user accounts, you can assign user rights and passwords, grant user permissions for network file sharing, and audit users through the security event log. The server's security settings define the rules for changing user account passwords, sharing resources on the server, and handling logons that occur outside specified logon hours.

The Advanced Server accommodates both the Advanced Server user-level security model and the OpenVMS security model. This chapter describes both models and explains security integration considerations. It also includes the following examples that illustrate how Advanced Server network security works within domains:

• Single domain model
• Master domain model
• Multiple master domain model
• Complete trust model

You can use these examples as models as you plan and organize your network. You can follow the examples exactly, modify them, or mix and match them among various parts of your network to create the security configuration you want.

5.1 The Advanced Server Security Model

The Advanced Server employs a user-level security model. User-level security provides precise control over access to shared resources, including disk devices, directories, and printers. Security is based on users and collections of users, or groups. Each user is protected or secured by a password. Advanced Server user-level security takes advantage of the following features:

• User accounts --- A user account consists of a user name, a password, and other attributes that define the user. An account determines when a user can log on, what workstations a user can log on from, and what groups an account belongs to (and therefore what the user's privileges are). Users who need infrequent or temporary access to a resource may be allowed to log on through a guest account.
• Groups --- To simplify administration of user accounts, you can set up a group (or multiple groups) of users and assign access permissions to resources by group. When you change access permissions for a resource, such as group access permissions for a shared printer, you affect all users belonging to the group. You do not have to apply modifications individually to each of the group's members.
  For more information about global and local groups, see Chapter 4, Groups, in this guide.
• User authentication --- Advanced Server uses logon security to allow server or domain access to users with valid accounts.
• Privileges --- Privileges determine what range of actions a user can perform on the network. Advanced Server privileges are assigned based on group membership. For example, a user in the Administrators group can perform administrative functions.
• Access permissions --- Permissions define the extent to which each user can employ a resource. You can assign access permissions to shares, directories, and files. You can tailor access to resources by assigning a set of permissions for each user or for groups of users. You can also use OpenVMS security features to further protect resources. (For more information on OpenVMS security features, see the section, Section 5.2, OpenVMS Security, in this guide.) The interaction of these two security models is described in the Security Integration Considerations section in this guide.

You can use the ADMINISTER commands to define the Advanced Server security settings. Security settings made on a domain's primary domain controller are copied to the domain's backup domain controllers, just as user accounts and groups are.

The Advanced Server security settings are shown in Table 5-1.

Table 5-1 Advanced Server Security Settings

Security Setting	Description	Values
Minimum password length	Specifies the minimum number of characters for a password.	The default value is 6. The range of values is from 1 to 14 characters.
Password uniqueness	Prevents a user from reusing old passwords. The value you enter specifies the number of previously used passwords that are forbidden. For example, if you set a value of 3, users are prevented from reusing any of their last three passwords.	The default value is 0. The range of values is from 1 to 8 passwords.
Minimum password age	Specifies the minimum number of days that must elapse between password changes by a user. This restriction does not apply to administrators, who can change the password of a user at any time. Users must log on to change their passwords.	The default is 1. The range of values is from 1 to 999 days.
Maximum password age	Specifies the maximum number of days that a user is allowed to use the same password without changing it.	The default is 90 days. The range of values is from 1 to 999 days or never.
Force disconnect	Determines what happens if users have a connection to a server when their logon hours or accounts expire. You can specify that the server will terminate the session immediately or never.	The default is never. The values are immediately or never.
Lockout accounts	Specifies the number of failed logon attempts users are allowed before their accounts are disabled. A failed logon attempt occurs when the user supplies an incorrect password when logging on.	The default is never. The range of values is from 1 to 999 invalid attempts or never.

In a domain or network with only one server, you do not need to set up a domain-wide user accounts database for use by different servers. You maintain security in a single-server domain by setting up the server as the primary domain controller, taking advantage of the full range of Advanced Server features and preparing the server for possible future expansion of the network.

5.2 OpenVMS Security

The Advanced Server provides support for security features of the OpenVMS operating system. The degree to which these features are integrated with Advanced Server security varies, as discussed in the section Section 5.5, Security Integration Considerations in this guide.

An OpenVMS account identifies a user to the OpenVMS operating system. An account includes the user's name, a password, privileges, and access to directories and files associated with the account. (See Chapter 3, User Accounts, for more information.)

The OpenVMS operating system provides the following methods of assigning protection to files and directories:

• RMS protection
• Access control lists (ACLs)

The Record Management Service (RMS) sets protection on files and directories based on user identification codes (UICs). A UIC consists of a group code and a user code assigned to every user by the system administrator. For example, UIC [320, 450] represents user number 450 in group 320. A UIC determines which of the following categories a user belongs to:

• System (S) includes users with system privileges (the OpenVMS privilege SYSPRV) or users with designated low group numbers in their UICs as specified by the system manager.
• Owner (O) includes only the owner of a file or directory. The user code of the UIC associated with the file or directory matches the user code of a user's UIC.
• Group (G) includes all users who have the same group code in their UICs.
• World (W) includes all users regardless of UIC.

RMS assigns file protections for each of these categories according to the following format:

• R for read access
• W for write access
• E for execute access
• D for delete access

The default protection is:

(System:RWED, Owner:RWED, Group:, World:)

This default RMS protection allows read, write, execute, and delete access to the system administrator and to the owner of the file; group and world UICs have no access to the file.

5.2.2 Access Control Lists

An access control entry (ACE) is an entry in an access control list (ACL) that controls access to files and directories by resource identifiers. ACLs give you more control than RMS protections. For example, with RMS, the only way to grant read access to users in different UIC groups is to grant world read access. In contrast, with ACLs, you can provide users from several UIC groups access to a file or directory without granting world access, and you can deny specific users access to specific files.

If you use both RMS protection and ACLs, OpenVMS checks ACEs in the ACLs before it checks the RMS protection.

For more information about RMS protection and ACLs, see the OpenVMS documentation set.

5.3 Additional Resource Protection

You can take advantage of several other methods of protecting servers and network resources, as follows:

• Use logon security --- In a domain where at least one server is running user-level security, the Advanced Server can validate user requests to log on to the network and access network resources through the logon security features implemented through the Netlogon service.
  Logon security authenticates users through the following controls:
  • Maintains a domain-wide user accounts database. You can create and, when necessary, make changes to the user accounts database for the entire domain from a single server.
  • Uses logon validation to control network access through individual user passwords.
• Use hidden servers --- Hidden servers are servers you hide to protect them from unauthorized use. When users view the list of servers in the domain, hidden servers do not appear in the list. Users can still access a hidden server and its resources if they know the server's name, but they cannot use the Advanced Server to find out that the server exists. By default, a server is not hidden.
  You can hide a server by setting the SrvHidden server configuration parameter.
• Enable account lockout --- You can enable account lockout after a specified number of failed logon attempts occurs. This protects your network from unauthorized users who attempt to break into the network by using password generation schemes. Once an account is locked out, it is disabled until an administrator reenables it. Lockout information is copied to all the servers in a domain.
• Use Advanced Server external authentication --- This optional feature lets Advanced Server users log in to the OpenVMS operating system with the Advanced Server user name and password. With external authentication, you can avoid creating and maintaining dual accounts and passwords for users who need to use both OpenVMS and PCs. For more information on enabling external authentication, see your Server Installation and Configuration Guide.

This section describes how the Advanced Server validates a file access request. Whether the Advanced Server grants or denies access depends on two factors:

• The security model in effect on the server
• How a user's Advanced Server account is mapped to an OpenVMS account

All Advanced Server systems implement user-level security. With user-level security, all Advanced Server users have an Advanced Server user account. File access by each account is determined by the Advanced Server permissions set on the file. Furthermore, each Advanced Server account is also mapped to an OpenVMS account. This mapping integrates Advanced Server security with OpenVMS file access security.

Using the Configuration Manager tool, you can specify the level of integration by setting a server configuration parameter that specifies one of the two Advanced Server security models: Advanced Server security only, or Advanced Server and OpenVMS security.

5.4.1 Advanced Server Security Only Model

Advanced Server security only is the default security model for all installations. Therefore, unless you change the defaults, installing Advanced Server software establishes Advanced Server security only, where Advanced Server security is enforced and OpenVMS access checks are bypassed.

The Advanced Server security only model is suitable for environments where the security features provided by the Advanced Server are sufficient, such as on a dedicated server or on a server with no interactive OpenVMS users who are also network users.

5.4.2 Advanced Server and OpenVMS Security Model

In addition to the default security model, Advanced Server security only, you can choose to use the combined Advanced Server and OpenVMS security model, in which both forms of security are enforced. If a user's access request passes the Advanced Server security check, the Advanced Server checks the OpenVMS security in effect (determined by the OpenVMS account to which the Advanced Server account maps) for the user's request. Access is granted if a user passes both security checks. For information on how Advanced Server accounts map to OpenVMS accounts, see Section 3.6, Mapping OpenVMS Users to Advanced Server Users in Chapter 3 of this guide.

5.5 Security Integration Considerations

The level of Advanced Server and OpenVMS security integration that you select can affect how resources are shared among Advanced Server users. If you select the Advanced Server and OpenVMS security model, a resource created by one Advanced Server user may not necessarily be accessible to other Advanced Server users. For example, if Advanced Server security checks allow access, but the user's Advanced Server account maps to an OpenVMS account that is not granted access, the OpenVMS security check will fail and resource access will be denied.

The Advanced Server and OpenVMS security model provides the greatest level of security. If you do not need this level of file access checking, you can use the Advanced Server security only model, in which OpenVMS file access checks are bypassed completely.

If you want the extra security provided by the Advanced Server and OpenVMS security model, ensure that the accounts of the Advanced Server users map to OpenVMS accounts that provide the access privileges that users require.

The remainder of this chapter describes examples you can use as models to set up network security within domains.

5.6 Single Domain Model

If your network does not have many users and does not need to be segmented for organizational reasons, you can use the simplest domain model, the single domain model. When you use the single domain model, trust relationships are not needed because there is only one domain on the network.

Because permission to administer servers is established at the domain level, having a single domain lets network administrators administer all of the network servers.

Table 5-2 summarizes the advantages and disadvantages of using a single domain model.

Table 5-2 Advantages and Disadvantages of the Single Domain Model

Advantages	Disadvantages
Best model for companies with few users and resources.	Poor performance results if the domain has many users and groups.
Centralized management of user accounts.	No grouping of users by department into separate domains.
No management of trust relationships necessary.	No grouping of resources by function into separate domains.
Local groups need to be defined only once.	Browsing is slow if the domain has many servers.

5.6.1 Single Domain Model: Example of Domain Configuration

Figure 5-1 Single Domain Model

A network can use the single domain model if it has a small enough number of users and groups to ensure good performance. The exact number of users and groups depends on the number of servers in the domain and the server hardware.

If your network has many servers sharing resources or your organization has many departments, the single domain model may not be the best. With multiple domains, a user browsing the network first browses among domains, then chooses a domain and views the resources it contains. If your network has many shared resources, segmenting it into domains may make browsing easier. Performance degrades when users browse a single domain with many servers.

5.6.2 Single Domain Model: Example of Network Security Configuration

A small college with a central MIS department contains one Windows NT Server and several Advanced Server computers that are used by departmental offices.

All user accounts and groups belong to the same domain, so access to resources is limited by permissions, and capabilities are restricted by group.

From any Advanced Server, local or remote, or from the Windows NT Server, the MIS department can monitor and manage the domain, the other servers, and the network resources (directories, files, printers, and so on) available throughout the domain.

Departments can manage the Windows NT Server from their Advanced Server systems, as well as manage, share, and monitor access to resources on their departmental computers. This simplifies user account and local resource management because they are handled at departmental levels.

Trust relationships are not required in this single domain configuration. The MIS department includes at least one user from each department in the Administrator's local group. The MIS users are included in the Domain Admins group to perform domain-wide procedures like software upgrades, backing up the servers, and providing troubleshooting assistance to departmental users.

Departmental administrators can add new user accounts and include new users in local groups specific to the department or to types of users. MIS users define new groups across the domain or include users in built-in groups. For these tasks, departmental and MIS users can use the Advanced Server ADMINISTER commands, which provide the ability to display, modify, and delete user accounts and groups. They can also use Windows NT Server administration tools.

5.7 Master Domain Model

The master domain model is a good choice for organizations in which the network needs to be arranged into domains for departmental reasons, but the number of users and groups is small. This model offers both centralized administration and the organizational benefits of multiple domains.

With this model, there is one domain --- the master domain --- in which all the users and global groups are created. All other domains on the network trust this domain and, therefore, can utilize its users and global groups. If your organization has a department that manages your LAN, it would be appropriate to have this department administer the master domain.

View the master domain as an account domain; its main purpose is to manage the network's user accounts. The other domains on the network are resource domains; they do not store or manage user accounts but provide resources such as shared files and printers to the network.

With the master domain model, only the primary and backup domain controllers in the master domain have copies of the network's user accounts. Be sure to have at least one backup domain controller in a master domain. In the event that the primary domain controller fails, the backup domain controller can take over and the network keeps running.

Table 5-3 summarizes the advantages and disadvantages of using a master domain model.

Table 5-3 Advantages and Disadvantages of the Master Domain Model

Advantages	Disadvantages
Best choice for companies that have few users and must share resources among groups.	Poor performance results if the domain has many users and groups.
User accounts can be managed centrally.	Local groups must be defined in every domain in which they will be used.
Resources are grouped logically.
Department domains can have their own administrators, who manage the resources in the department.
Global groups need to be defined only once (in the master domain).