
HP NAS VA Security in an NT-only Environment – HP Surestore NAS User Manual

Page 62


HP NAS VA Security in an NT-only Environment

The security schema for NT systems is different from that of UNIX, but there are two similarities:

o  You can set up the security model so that users are authenticated at the share level;
   alternatively, you use a security domain, in which authentication is handled by a
   Primary Domain Controller (PDC) or Backup Domain Controller (BDC).

o  Processes run with the identity of a user and of any groups to which that user belongs,
   on either the workstation or the domain. Each data object is associated with metadata
   called a security descriptor (SD). The security descriptor contains the Access Control
   List (ACL), an ordered list of entries that grant or deny access to specific users or
   groups; the combinations of identities and rights that can be attached to a data object
   are practically unlimited.

The HP NAS VA lets you choose between two security models:

o  Share-level security

o  User-level (Domain) security

Additionally, host access is available in the NT environment to control which client machines are
allowed to connect to the HP NAS VA, regardless of which user is logged on. The allowed clients are
specified as a list of IP addresses or hostnames. Host access is enforced per machine, not per
user, and is an additional control on top of whichever security model you choose.

Share-Level Security

With share-level security, the server asks for a password every time a user connects to a share on
the HP NAS VA; no user identity is checked. Thus, any user on the network who knows the name of
the HP NAS VA, the name of the share, and the password has access to the resource. Because the
password is a secret shared by everyone who uses the share, it gives no per-user accountability,
and it must be changed whenever someone who knows it should lose access. When you are using
share-level security, you can assign each share a read-only password and/or a read-write
password.

User Level (Domain) Security

With user-level security, the client accessing the HP NAS VA passes the credentials of the
logged-on user to the HP NAS VA transparently. The HP NAS VA in turn queries the Primary Domain
Controller (PDC) or Backup Domain Controller (BDC) to authenticate the user. Once the user is
authenticated, the PDC or BDC returns the user's Security ID (SID), which the HP NAS VA uses to
check the client's access rights against the ACLs of the requested objects. This token is then
used for all subsequent requests from that client, so the user is not re-authenticated for every
operation.
The HP NAS VA supports the NT Master Domain model. This allows the HP NAS VA to participate in
a resource domain that is separate from the account domain in which users are authenticated.
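The two models side by side, as an added illustrative example that is not part of the HP manual and not the product's own code: host access is checked first for both models; share-level access is then decided purely by which of the share's passwords was supplied, while user-level access authenticates the account against a simulated PDC, receives a SID (plus group SIDs) and evaluates the share's ACL against those SIDs. The hosts, shares, passwords, accounts, SIDs and ACL entries are all constructed sample data, and the PDC lookup is a local stand-in for the real NT authentication exchange.

```python
"""Illustrative model of HP NAS VA host access, share-level and user-level
security. Added example with constructed data; not HP's implementation."""
import hmac

# --- Host access: controls access by machine, not user --------------------
# Constructed allow list of client IP addresses and hostnames.
HOST_ACCESS = {"10.1.2.10", "10.1.2.11", "ws-finance-07"}


def host_allowed(client):
    """True if the connecting machine (IP address or hostname) is on the allow list."""
    return client in HOST_ACCESS


# --- Share-level security ---------------------------------------------------
# Constructed share table: each share has an optional read-only password and an
# optional read-write password. These are shared secrets: anyone who knows the
# share name and a password gets that level of access, whoever they are.
SHARE_PASSWORDS = {
    "reports": {"ro": "quarterly!", "rw": "ledgerWrite#9"},
    "public": {"ro": None, "rw": "dropbox-2001"},
}


def share_level_access(client, share, password):
    """Return 'rw', 'ro' or None for a share-level connection attempt.

    Host access is checked first; the supplied password then selects the access
    level. No user identity is involved at any point."""
    if not host_allowed(client):
        return None
    secrets = SHARE_PASSWORDS.get(share)
    if secrets is None:
        return None
    for level in ("rw", "ro"):  # try the more privileged password first
        secret = secrets[level]
        # constant-time comparison so a wrong password leaks no timing information
        if secret is not None and hmac.compare_digest(secret.encode(), password.encode()):
            return level
    return None


# --- User-level (domain) security -------------------------------------------
# Constructed account database standing in for the PDC/BDC of the account
# domain. The real NAS forwards the client's credentials to the domain
# controller; here the lookup is local so the example runs offline.
DOMAIN_ACCOUNTS = {
    "CORP\\alice": {"password": "Winter2001", "sid": "S-1-5-21-1-1-1-1001",
                    "groups": ["S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-2001"]},
    "CORP\\bob": {"password": "hunter2", "sid": "S-1-5-21-1-1-1-1002",
                  "groups": ["S-1-5-21-1-1-1-513"]},
}


def pdc_authenticate(account, password):
    """Simulated PDC/BDC: return the token (user SID plus group SIDs) or None."""
    rec = DOMAIN_ACCOUNTS.get(account)
    if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
        return None
    return {"user": rec["sid"], "groups": list(rec["groups"])}


# Constructed share ACLs: ordered (type, SID, rights) entries with deny entries
# first, the canonical NT ordering, so that an explicit deny wins over an allow.
ACLS = {
    "reports": [
        ("deny", "S-1-5-21-1-1-1-1002", {"read", "write"}),   # bob explicitly denied
        ("allow", "S-1-5-21-1-1-1-2001", {"read", "write"}),  # Finance group
        ("allow", "S-1-5-21-1-1-1-513", {"read"}),            # Domain Users
    ],
}


def acl_check(token, share, wanted):
    """Walk the ACL in order for the token's SIDs. Access is granted once every
    wanted right has been allowed, and refused as soon as a matching deny entry
    covers a right that has not yet been granted."""
    sids = {token["user"], *token["groups"]}
    granted = set()
    for kind, sid, rights in ACLS.get(share, []):
        if sid not in sids:
            continue
        if kind == "deny" and rights & (wanted - granted):
            return False
        if kind == "allow":
            granted |= rights
            if wanted <= granted:
                return True
    return wanted <= granted


def user_level_access(client, share, account, password, wanted):
    """Full user-level decision: host access, then domain authentication,
    then the ACL evaluated against the SIDs the PDC returned."""
    if not host_allowed(client):
        return False
    token = pdc_authenticate(account, password)
    if token is None:
        return False
    return acl_check(token, share, wanted)
```

Under the share-level model a client on an allowed host reaches the `reports` share read-write with nothing but the shared password, and the NAS learns nothing about who that was. Under the user-level model the same share is denied to `CORP\bob` even though he is a Domain User with read rights, because the deny entry for his SID comes first in the ACL; `CORP\alice` gets read and write through her Finance group SID, and a machine missing from the host access list is refused before any credentials are examined.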