Using Local Security with a Share-Mode Security Server (58695)
The information in this article applies to:
- Microsoft LAN Manager 2.0
- Microsoft LAN Manager 2.1
- Microsoft LAN Manager 2.1a
- Microsoft LAN Manager 2.2
This article was previously published under Q58695
SUMMARY
This article explains how local security operates with a server in
share-mode or user-mode security. It applies to OS/2 LAN Manager versions
2.0, 2.1, 2.1a, and 2.2 running under OS/2 version 1.2 or 1.3.
MORE INFORMATION
When running local security on a server, you can choose either share-mode
or user-mode security. The information included below applies whichever
you choose.
If you select local security while installing OS/2 LAN Manager, the
install program modifies the "PROTSHELL=" and "IFS=...HPFS.IFS..."
lines in the CONFIG.SYS file.
When the machine boots, CONFIG.SYS processing of the "PROTSHELL=" line
and the "IFS=...HPFS386.IFS..." line activates the OS/2 LAN Manager
user account subsystem (UAS), and its local security functions
initialize.
NOTE: The "IFS=...HPFS386..." line in CONFIG.SYS has an /i: parameter
that is not present when HPFS.IFS, as shipped in OS/2 1.2, is running.
This parameter is not legal for the HPFS.IFS shipped in OS/2 1.2, but it
is a required parameter for the HPFS386.IFS shipped with OS/2 LAN
Manager. It allows the UAS to find the NET.ACC file by pointing to
the correct root directory for OS/2 LAN Manager. (NET.ACC normally is in
C:\LANMAN\ACCOUNTS, but OS/2 LAN Manager may be installed in another
subdirectory.)
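A check for the CONFIG.SYS conditions described above, as an added example that is not part of the original article or of LAN Manager. It assumes NET.ACC sits in the ACCOUNTS subdirectory of the /i: root; the function name and all sample paths are constructed for illustration.

```python
import re

def audit_config_sys(text):
    """Return (findings, net_acc_path) for the text of a CONFIG.SYS file."""
    findings, net_acc = [], None
    saw_protshell = saw_hpfs386 = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or re.match(r"(?i)rem(\s|$)", line):
            continue                      # skip blank lines and REM comments
        key, _, value = line.partition("=")
        key, parts = key.strip().upper(), value.split()
        if key == "PROTSHELL":
            saw_protshell = True
        elif key == "IFS" and parts:
            driver = parts[0].upper().rsplit("\\", 1)[-1]   # file name only
            root = next((p[3:] for p in parts[1:]
                         if p.lower().startswith("/i:")), None)
            if driver == "HPFS386.IFS":
                saw_hpfs386 = True
                if root:
                    # Assumption: NET.ACC sits in ACCOUNTS under the /i: root,
                    # mirroring the article's C:\LANMAN\ACCOUNTS default.
                    net_acc = root.rstrip("\\") + "\\ACCOUNTS\\NET.ACC"
                else:
                    findings.append("HPFS386.IFS lacks the required /i: root")
            elif driver == "HPFS.IFS" and root is not None:
                findings.append("/i: is not legal for the OS/2 1.2 HPFS.IFS")
    if not saw_hpfs386:
        findings.append("no IFS= line loads HPFS386.IFS")
    if not saw_protshell:
        findings.append("no PROTSHELL= line")
    return findings, net_acc

# Constructed samples; every path below is illustrative, not from the article.
SECURED = "\n".join([
    r"PROTSHELL=D:\EXAMPLE\SHELL.EXE",
    r"IFS=D:\LM\EXAMPLE\HPFS386.IFS /i:D:\LM",
])
STOCK = "\n".join([
    r"REM PROTSHELL=D:\EXAMPLE\SHELL.EXE",
    r"IFS=C:\OS2\HPFS.IFS /i:C:\LANMAN",
])

if __name__ == "__main__":
    for name, sample in (("SECURED", SECURED), ("STOCK", STOCK)):
        print(name, audit_config_sys(sample))
```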
Once CONFIG.SYS has been processed, local security is active, and the
UAS is running, the UAS finds and opens NET.ACC.
At this point, no NET LOGON commands have been issued, so local security
does not allow anyone at the keyboard or mouse to delete, change, or
rename any files protected by the UAS. The UAS protects CONFIG.SYS,
STARTUP.CMD, all files in the C:\LANMAN and C:\OS2 subdirectories, and
sometimes other files.
Only after a NET LOGON command has been issued (providing an account
name and password with appropriate privileges) can files protected
by the UAS be modified or deleted.
As mentioned above, all of this discussion applies regardless of
whether the machine is in user-mode or share-mode security. Either way,
there must be a NET.ACC file, and you must log on with the right
authorization before you can modify protected files.
Modification Type: Major
Last Reviewed: 9/30/2003
Keywords: kbnetwork KB58695