Using Local Security with a Share-Mode Security Server (58695)



The information in this article applies to:

  • Microsoft LAN Manager 2.0
  • Microsoft LAN Manager 2.1
  • Microsoft LAN Manager 2.1a
  • Microsoft LAN Manager 2.2

This article was previously published under Q58695

SUMMARY

This article explains how local security operates with a server in share-mode or user-mode security. It applies to OS/2 LAN Manager versions 2.0, 2.1, 2.1a, and 2.2 running under OS/2 version 1.2 or 1.3.

MORE INFORMATION

When running local security on a server, you can choose either share-mode or user-mode security. The information included below applies whichever you choose.

If you select local security while installing OS/2 LAN Manager, the install program modifies the "PROTSHELL=" and "IFS=...HPFS.IFS..." lines in the CONFIG.SYS file.

When the machine boots, CONFIG.SYS processing of the "PROTSHELL=" line and the "IFS=...HPFS386.IFS..." line activates the OS/2 LAN Manager user account subsystem (UAS), and its local security functions initialize.

NOTE: The "IFS=...HPFS386..." line in CONFIG.SYS has an /i: parameter that is not present when HPFS.IFS, as shipped in OS/2 1.2, is running. This parameter is not legal for the HPFS.IFS shipped in OS/2 1.2, but it is a required parameter for the HPFS386.IFS shipped with OS/2 LAN Manager. It allows the UAS to find the NET.ACC file by pointing to the correct root directory for OS/2 LAN Manager. (NET.ACC normally is in C:\LANMAN\ACCOUNTS, but OS/2 LAN Manager may be installed in another subdirectory.)
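The rules in the note above can be checked mechanically. The following Python sketch is an added example, not part of the original article or of LAN Manager: it scans CONFIG.SYS text for IFS= lines and reports whether /i: is present where required and absent where illegal. The driver paths in the samples are constructed, and deriving the NET.ACC location as ACCOUNTS under the /i: root is an assumption based on the default path the article gives.

```python
import re

# Constructed CONFIG.SYS fragments for illustration; the driver paths are
# assumptions, not values taken from the article.
GOOD = "BUFFERS=30\n" r"IFS=C:\LANMAN\NETPROG\HPFS386.IFS /i:C:\LANMAN"
MOVED = r"IFS=D:\LM21\NETPROG\HPFS386.IFS /i:D:\LM21" "\n"
NO_ROOT = r"IFS=C:\LANMAN\NETPROG\HPFS386.IFS"
STOCK_BAD = r"ifs=C:\OS2\HPFS.IFS /i:C:\LANMAN"

IFS_RE = re.compile(r"^\s*IFS\s*=\s*(\S+)(.*)$", re.IGNORECASE)
I_PARAM_RE = re.compile(r"(?:^|\s)/i:(\S+)", re.IGNORECASE)


def check_ifs_lines(config_text):
    """Return (driver, status, net_acc_path) for each HPFS IFS= line.

    status is one of:
      "ok"           HPFS386.IFS with the required /i: root
      "missing /i:"  HPFS386.IFS without it, so the UAS cannot find NET.ACC
      "illegal /i:"  stock HPFS.IFS carrying a parameter it does not accept
      "stock driver" stock HPFS.IFS with no /i: parameter
    """
    results = []
    for line in config_text.splitlines():
        m = IFS_RE.match(line)
        if not m:
            continue  # REM lines and other statements are ignored
        # Keep only the file name of the driver, case-insensitively.
        driver = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].upper()
        param = I_PARAM_RE.search(m.group(2))
        root = param.group(1).rstrip("\\") if param else None
        if driver == "HPFS386.IFS":
            if root:
                # Assumption: NET.ACC sits in ACCOUNTS under the /i: root.
                results.append((driver, "ok", root + r"\ACCOUNTS\NET.ACC"))
            else:
                results.append((driver, "missing /i:", None))
        elif driver == "HPFS.IFS":
            status = "illegal /i:" if root else "stock driver"
            results.append((driver, status, None))
    return results


if __name__ == "__main__":
    for text in (GOOD, MOVED, NO_ROOT, STOCK_BAD):
        print(check_ifs_lines(text))
```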

After the CONFIG.SYS file has been processed, local security has become active, and the UAS is running, the UAS finds and opens NET.ACC.

At this point, no NET LOGON commands have been issued, so local security prevents anyone at the keyboard or mouse from deleting, changing, or renaming any files protected by the UAS. The UAS protects CONFIG.SYS, STARTUP.CMD, all files in the C:\LANMAN and C:\OS2 subdirectories, and sometimes others.

Only after a NET LOGON command has been issued (providing an account name and password with appropriate privileges) can files protected by the UAS be modified or deleted.

As mentioned above, all of this discussion applies regardless of whether the machine is in user-mode or share-mode security. Either way, there must be a NET.ACC file, and you must log on with the right authorization before you can modify protected files.

Modification Type: Major
Last Reviewed: 9/30/2003
Keywords: kbnetwork KB58695