DOCUMENT:Q140556 13-JUN-2001 [sna] TITLE :Securing SNA Server to Not Require Everyone:Read Access PRODUCT :Microsoft SNA Server PROD/VER::2.0,2.1,2.11 OPER/SYS: KEYWORDS:kbinterop kbnetwork kbsetup ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft SNA Server, versions 2.0, 2.1, 2.11, on platform(s): - the operating system: Microsoft Windows NT ------------------------------------------------------------------------------- SUMMARY ======= By default, SNA Server requires that at least Everyone has read access on the COMCFG share (\SYSTEM\COMCFG) that SNA Server creates during Setup. Administrators may want to prevent read access so that unprivileged users do not copy the \SYSTEM\COMCFG\COM.CFG to view its contents; this article explains how to do that. NOTE: The SNA Server 3.0 setup program allows the administrator to install SNA Server services to run under a user account, and automatically performs all the steps described in this article. So, this is not an issue with SNA Server 3.0 when this setup option is chosen. MORE INFORMATION ================ 1. Create a user that is a member of the "Domain Admins" global group and "Administrators" local group. 2. Using User Manager for Domains, add "Domain Admins" and "Administrators" to the following rights: - Manage Auditing and security log - Take ownership of files or other objects - Act as Part of the Operating System - Generate Security Audits - logon as a service - backup and restore 3. Using the Services applet in Control Panel, configure each SNA Server service to start in the context of the user that was just created in step 1. Do this for every SNA Server in the subdomain. 4. In File Manager, a. remove the Everyone group and b. add this newuser with Full Control to the following shares: Share: Directory ------------------------ snaserv \ comlogs \system\ COMCFG \system\COMCFG\ Repeat step 4 for each SNA Server in the subdomain. 5. Stop and start the SNABase service on each SNA Server in the subdomain. Warning: Stopping the SNABase service on a particular machine will stop all SNA Server services on that machine. 6. Test changes. - To test whether SNA Server is still normally operating with the above changes in place: - Note the date/time of the \SYSTEM\COMCFG\COM.CFG on the Primary SNA Server. - Load SNA Admin on the primary SNA Server. - Click the save button in SNA Admin. - Note the change in date/time of the COM.CFG on the primary SNA Server. - After a couple of seconds, the date/time of the \SYSTEM\COMCFG\COM.CFG on one of the Backup SNA Servers should match the new date/time on the primary. - To test whether SNA Server is denying access to users that are not members of the Domain Administrators group: - Logoff the backup SNA Server. - Logon as a Domain User. - Launch SNA Server Admin. - The user should receive the following error message: Error : 250 The SNA Server Base Service is not started. Unable to continue. - To test that Domain Users cannot get to the SNA Server shares to read SNA Server system binaries and COM.CFG: - Logon as a Domain User. - Try to "net use" to the following shares: \\Any_sna_server\snaserv \\Any_sna_server\comlogs \\Any_sna_server\COMCFG The result should be that the user is able to map the drive but the following should appear in File Manager: You do not have permission to access this directory. NOTE: If the password is changed for this user, then the administrator will have to change the password with Service Control Manager for each SNA Server service on each SNA Server in the subdomain. One way to prevent having to do this is to select "Password Never Expires" for this user in User Manager for Domains. Additional query words: prodsna ====================================================================== Keywords : kbinterop kbnetwork kbsetup Technology : kbAudDeveloper kbSNAServSearch Version : :2.0,2.1,2.11 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.