NT Security Setup with Windows for Workgroups
Combining NT and WFW isn't as easy as you think. You have to plan first.
July 31, 1996
Avoiding complications in the SOHO world
We in the rough-and-tumble small-office/home-office (SOHO) world often lack the time or expertise to worry about all-encompassing security policies and measures such as domain controllers under Windows NT. We just want to set up a new server, maybe password-protect some paths so Maude can't see the payroll data, and get back to work.
Imagine you get a new NT server to replace some ancient 386 that you've been using as a peer-to-peer "server"--a machine running Windows for Workgroups (WFW). You want few (preferably no) changes to the workstations because at last count, you had 10 of them.
So, the new NT server will be a bright and shiny new box with a tape drive. You'll just copy all the data over the network, point all the client hard drive mappings at the box instead of the Zarniwoop DT-386, and be done before Babylon 5 comes on at 9 p.m.
I'm here to say that combining NT and WFW ain't as easy as all that. If you really want to keep Maude from the payroll data, you have some security planning to do.
Workgroup Server vs. Domain Controller
When you install NT Server, you have to say how you want to set it up--as a single server or as a domain controller. If you choose the server option, you copy all the user files from your old DT-386 to the appropriate directories. If you're really clever, you give your new server the same name as the old one; ditto with the shared directory names. Then copy the files over from your creaky old server.
To understand what's involved with either option, you need to know that NT's workgroup (and domain) security works best with group accounts. For example, users in the Administrators group have full access, the Managers group can do everything but change user permissions, and the Accounting group can see the payroll files. After you set up such groups, you create user logins and stick them in the groups.
I recommend not letting the users log in to the server; revoke this privilege, and declare the server off limits. Set a policy for passwords: require, for example, that they be unique and at least five letters long. Establish a lockout time limit, such as no more than four login attempts in 30 minutes. This limit increases the difficulty of guessing passwords. As users type in a password, a string of 14 asterisks replaces the characters.
So for the single-server approach, you install some user accounts and set up group names with custom security settings. Oops, better put some printers on the server, too, so people can share them.
All your work with groups and users occurs in the User Manager in the Administrative Tools group on your server (or the User Manager for Domains on a domain controller). While you're there, create a user who will have security equivalent to the Administrator's, in case of emergencies. Before you walk away from the server, enter a screen-saver password so people can't fiddle with it if you're gone (use the Display applet in the Control Panel).
Most small-office managers will opt for a single server; it's all they've ever needed. And 90% of the time, they're probably right. But people grow into larger systems, want to use NT's security features, and have multiple groups of people working together. Such situations call for NT's domains, which require considerably more planning than a single-server workgroup.
Annoyingly, whether you set up the computer as a server or a domain controller, you can't switch back and forth. When you change a machine from server to domain controller or back, you must reinstall Windows NT Server from scratch. So, if you plan to have domains in the near future, set up the new computer as a domain controller. Otherwise, resign yourself to reinstalling when you add a second server. (For information about domain controllers, see Ed Tittel and Mary Madden, "PDCs, BDCs, and Availability," page 75 and "Tricks and Traps," page 107.)
Workgroups Install Headaches
WFW and a single-server NT system is neither a pure peer-to-peer system nor a domain. But it is a very popular way of setting up a small workgroup that requires few changes in the workstations, and beginners to NT already know how to administer it. A harried SOHO administrator whose office just became large enough to require security will find this setup painful but workable.
You want to password-protect the payroll files from Maude, who's a real gossip, but still let accounting share them. So you set up groups and users and assign passwords. Then you create share paths in File Manager and copy files from your old server to those paths. When you name the share paths, make the names short and don't use spaces, or WFW will return mysterious and uninformative numeric errors when you try to use the names.
From the File Manager's Security menu (it took me a while to find it, too), you assign security for share paths. You can allow full or partial access, by individual or group: you can give the department secretary read-only access and the accountants change (read/write/delete) access. You can password-protect printers, but I've never had to.
Then, you're off to a workstation for testing. The chain from server to WFW includes three names: the directory (e.g., d:\payroll) that you're using on the server; the share name, which the server publishes and the workstation uses (\\ewbrain\pay); and the drive letter through which the workstation accesses files (p). Similarity in the names can be confusing, especially if the directory and the share path are like-named.
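The group-based model described above (groups carry the rights, users are dropped into groups) and the per-share read-only versus change levels set from File Manager's Security menu can be modelled in a few lines. The following is an added example, not code from the article: the group memberships and share permissions are constructed, the UNC form of the article's share name is assumed, and the explicit No Access entry reflects NT's rule that a deny overrides any grant. It also shows the point the article makes later about troubleshooting: every published share name is visible when browsing, but opening one without rights fails.

```python
from enum import IntEnum


class Access(IntEnum):
    """NT share permission levels, ordered so max() picks the most generous grant."""
    NONE = 0
    READ = 1      # read-only
    CHANGE = 2    # read/write/delete
    FULL = 3      # change plus the right to alter permissions


NO_ACCESS = "NoAccess"   # NT's explicit deny; it overrides every grant

# Constructed group memberships (assumption); the group names follow the article.
GROUPS = {
    "Administrators": {"admin"},
    "Managers": {"boss"},
    "Accounting": {"ann", "bob"},
    "Everyone": {"admin", "boss", "ann", "bob", "sec", "maude"},
}

# Constructed share permissions (assumption): share name -> {principal: Access or NO_ACCESS}.
# A principal is a group name or "user:<login>". The UNC form of the article's share is assumed.
SHARES = {
    r"\\ewbrain\pay": {
        "Administrators": Access.FULL,
        "Accounting": Access.CHANGE,
        "user:sec": Access.READ,       # the department secretary gets read-only
    },
    r"\\ewbrain\public": {
        "Everyone": Access.CHANGE,
        "user:maude": NO_ACCESS,       # an explicit No Access beats her Everyone membership
    },
}


def groups_of(user):
    return {name for name, members in GROUPS.items() if user in members}


def effective_access(user, share):
    """Resolve a user's share permission: explicit No Access wins, otherwise the best grant."""
    principals = groups_of(user) | {f"user:{user}"}
    grants = [level for p, level in SHARES[share].items() if p in principals]
    if NO_ACCESS in grants:
        return Access.NONE
    return max(grants, default=Access.NONE)


def visible_shares(user):
    """Browsing lists every published share, whether or not the user has rights to it."""
    return sorted(SHARES)


def open_share(user, share):
    """What happens on double-click: the name was visible, but the files may not be."""
    level = effective_access(user, share)
    if level == Access.NONE:
        return (False, "You don't have sufficient rights to see this directory.")
    return (True, level.name)


def can_write(user, share):
    return effective_access(user, share) >= Access.CHANGE


if __name__ == "__main__":
    for user in ("maude", "sec", "ann", "admin"):
        print(user, [(s, effective_access(user, s).name) for s in visible_shares(user)])
```

The resolution order is the part worth checking when a user "can see the path but not the files": membership in several groups yields the most generous grant, except that a single No Access entry on the user or any of their groups shuts the share completely.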
Password Secrets
Once you set up the network, users don't need to change any settings--NT reshares the drives at startup. The problems come when users try to change their password (Maude is being nosy about salaries again). Two copies of the password list exist: one at the workstation and one at the NT server. Changing the password in WFW won't change it at the server; the passwords don't match, so the user can't log in at all. Worse, attempting to log in with the new (and, to the server, wrong) password will probably lock the user out, because one person might use four different share paths--and that's four different logins, so they use up all the attempts.
The surest way to resolve this problem is to make sure the user isn't locked out of the server. Delete the workstation password list, log out, and log back in to NT. The password lists have a .pwl extension (e.g., c:\windows\maude.pwl).
If you're using only WFW, a loophole lets you change both the workstation and server password at once (this trick doesn't work on Windows 95, unfortunately). In the Network Control Panel, Startup options, the Log on to Windows NT or LAN Manager Domain button is for people with domains. If this button is enabled and the user is already logged in, changing the WFW password will also change the user's server password. As a side effect, the workstation will time out trying to log in to that domain and will display an error message you can ignore.
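The lockout policy recommended earlier (no more than four attempts in 30 minutes) and the stale-.pwl problem just described interact in a way that is easy to reproduce in a model. The following is an added example, not the article's code: the server, client, account table and share list are all constructed, and the server keeps plaintext passwords only to keep the model short (a real server stores hashes). It walks through Maude changing her password in WFW, the four automatic share reconnects that exhaust the attempt budget, and the article's recovery steps (unlock, delete the .pwl, log back in with the server password), plus a small defender-side helper for counting recent failures before a lockout happens.

```python
from datetime import datetime, timedelta

# The article's policy: no more than four login attempts in 30 minutes.
LOCKOUT_THRESHOLD = 4
LOCKOUT_WINDOW = timedelta(minutes=30)

# Constructed account table (assumption): a real server keeps hashes, not plaintext.
SERVER_PASSWORDS = {"maude": "old-pass"}


class NTServer:
    """Toy model of the server side of the lockout policy."""

    def __init__(self):
        self.failures = {}      # user -> timestamps of recent bad passwords
        self.locked = set()
        self.audit = []         # (when, user, outcome): the trail an admin would read

    def login(self, user, password, when):
        if user in self.locked:
            outcome = "LOCKED_OUT"
        elif SERVER_PASSWORDS.get(user) == password:
            self.failures.pop(user, None)
            outcome = "OK"
        else:
            # Keep only failures inside the window, then add this one.
            recent = [t for t in self.failures.get(user, []) if when - t < LOCKOUT_WINDOW]
            recent.append(when)
            self.failures[user] = recent
            if len(recent) >= LOCKOUT_THRESHOLD:
                self.locked.add(user)
                outcome = "LOCKED_OUT"
            else:
                outcome = "BAD_PASSWORD"
        self.audit.append((when, user, outcome))
        return outcome

    def unlock(self, user):
        """What the administrator does in User Manager before the user tries again."""
        self.locked.discard(user)
        self.failures.pop(user, None)


class WFWClient:
    """WFW workstation with its own cached password list (the .pwl file)."""

    def __init__(self, user, cached_password, shares):
        self.user = user
        self.pwl = cached_password      # stands in for c:\windows\<user>.pwl
        self.shares = shares

    def change_password_locally(self, new_password):
        # Changing the password in WFW only rewrites the .pwl; the server is never told.
        self.pwl = new_password

    def reconnect_shares(self, server, when):
        # At startup WFW reconnects every persistent share, and each reconnect is a login.
        return [(share, server.login(self.user, self.pwl, when + timedelta(seconds=i)))
                for i, share in enumerate(self.shares)]

    def delete_pwl_and_relogin(self, server, typed_password, when):
        # The article's fix: delete the .pwl, log out, log back in with the server password.
        self.pwl = typed_password
        return server.login(self.user, self.pwl, when)


def failures_in_window(server, user, when):
    """Defender's view: how many bad passwords this user has inside the current window."""
    return len([t for t in server.failures.get(user, []) if when - t < LOCKOUT_WINDOW])


def stale_password_scenario():
    """Maude changes her password in WFW; four share reconnects lock her out."""
    server = NTServer()
    maude = WFWClient("maude", "old-pass",
                      [r"\\ewbrain\pay", r"\\ewbrain\public", r"\\ewbrain\apps", r"\\ewbrain\docs"])
    t0 = datetime(1996, 7, 31, 9, 0)
    maude.change_password_locally("new-pass")
    outcomes = [o for _, o in maude.reconnect_shares(server, t0)]
    locked = "maude" in server.locked
    # Recovery: admin unlocks the account; Maude deletes her .pwl and logs in with the server password.
    server.unlock("maude")
    recovered = maude.delete_pwl_and_relogin(server, "old-pass", t0 + timedelta(minutes=5))
    return outcomes, locked, recovered


def window_expiry_check():
    """One bad password is forgotten once it falls outside the 30-minute window."""
    server = NTServer()
    t0 = datetime(1996, 7, 31, 9, 0)
    server.login("maude", "wrong", t0)
    return (failures_in_window(server, "maude", t0 + timedelta(minutes=10)),
            failures_in_window(server, "maude", t0 + timedelta(minutes=40)))


if __name__ == "__main__":
    print(stale_password_scenario())
    print(window_expiry_check())
```

The three bad-password results followed by a lockout on the fourth reconnect are exactly the pattern to look for in the server's audit trail when a WFW user reports "I changed my password and now nothing works": the failures arrive seconds apart, one per mapped share, which distinguishes a stale .pwl from someone guessing at the account.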
Clearing Security Problems
If WFW or Win95 is on your clients, users sometimes can't see files in a certain share path, are locked out from the server, or can't remember their passwords. Here are some troubleshooting notes from the trenches.
If a user can't see files in a share path but could earlier, the security for that path is probably corrupt. Make sure no one is using files in that path, unshare it, reshare it, and reestablish the security settings for it.
Or, if Maude and other inquisitive users can see every path that's published, whether they have rights or not, remember that even if they can see a path name, they can't necessarily see the files in that path. Maude can see \\ewbrain\pay and even share it, but when she double-clicks it, she'll get an error message like #3657, which means, "You don't have sufficient rights to see this directory."
If you change the security parameters for a share path while people are logged in, you can make it impossible for them to save a file later. (This situation creates one of those duh! moments I'm always having.)
The Ugly Truth
WFW isn't a full-featured network client. It has more than a few shortcomings, such as uninformative error messages and the password system. Like it or not, WFW is how many people will connect to NT, so you just need to be ready for Maude's questions. Creating a 10-page how-to document with lots of screen captures will help.