Microsoft’
`Windows93_
`ResourcekKit
`
`Petitioner RPX Corporation - Ex. 1020, p. 1
`
`

`

`PUBLISHED BY
`Microsoft Press
`
`A Division of Microsoft Corporation
`One Microsoft Way
`Redmond, Washington 98052-6399
`
`Copyright © 1998 by Microsoft Corporation
`
`Material appearing in chapters 17 and 18 is based on material originally created as:
`Novell-Supplied NetWare Clients: The Benefits,
`Copyright © 1997, 1998 Novell, Inc. All rights reserved.
`Used, reproduced, and distributed with permission from Novell, Inc.
`
`All rights reserved. Nopart of the contents of this book may be reproduced or transmitted in any form orby ary
`means without the written permission of the publisher.
`
`Library of Congress Cataloging-in-Publication Data
`Microsoft Windows 98 Resource Kit / Microsoft Corporation.
`p.
`cm.
`Includes index.
`ISBN 1-57231-644-6
`
`1. Microsoft Windows (Computerfile)
`(Computers)
`I. Microsoft Corporation.
`QA76.76.063M5244
`1998
`005.4'469--de21
`
`2. Operating systems
`
`98-2768
`CIP
`
`Printed and bound in the United States of America.
`
`123456789 WCWC
`
`321098
`
`Distributed in Canada by ITP Nelson, a division of Thomson Canada Limited.
`
`A CIP catalogue record for this book is available from the British Library.
`
`Microsoft Press books are available through booksellers and distributors worldwide. For further information about
`international editions, contact your local Microsoft Corporation office or contact Microsoft Press International
`directly at fax (425) 936-7329. Visit our Website at mspress.microsoft.com.
`
`ActiveX, BackOffice, Direct3D, DirectDraw, DirectInput, DirectPlay, DirectSound, DirectX, DoubleSpace,
`DriveSpace, FrontPage, Microsoft, Microsoft Press, MS-DOS, Natural, Picture It!, PowerPoint, Visual Basic,
`Visual C++, WebBot, Win32, Windows, and Windows NTareregistered trademarks and ActiveMovie,
`Authenticode, DirectAnimation, DirectMusic, DirectShow, JScript, MSN, NetMeeting, NetShow, OpenType, and
`Outlook are trademarks of Microsoft Corporation. Novell and NetWareare registered trademarks of Novell, Inc. in
`the United States and other countries.
`
`Other product and company names mentioned herein may be the trademarks of their respective owners.
`
`The example companies, organizations, products, people, and events depicted herein are fictitious. No association
`with any real company, organization, product, person, or event is intended or should be inferred.
`
`Acquisitions Editors: Casey D. Doyle, David Clark, Anne Hamilton
`Project Editor: Maureen Williams Zimmerman
`
`
`
`Petitioner RPX Corporation - Ex. 1020, p. 2
`
`

`

`355
`
`
`CHAPTER 9
`
`Security
`
`Q
`
`In This Chapter
`
`See Also
`
`This chapter presents an overview of security features provided in Microsoft
`Windows 98. It describes their use, together with security features of Internet
`Explorer version 4.0, in a networking environment.It is intended for system
`administrators and others who have authority to set security levels for network
`clients, and for those who need secure communication over the Internet.
`
`356
`Overview of Security Features
`Security Planning Checklist
`360
`Network Security
`361
`Passwords
`370
`376
`Internet Explorer Security
`Security Features in Outlook Express
`Firewalls
`388
`Distributed Component Object Model
`Troubleshooting Security
`393
`
`383
`
`390
`
`« For information aboutfile and printer sharing services and user-level or share-
`level security, see Chapter 18, “Logon, Browsing, and Resource Sharing.”
`« For information about editing system policies, see Chapter 8, “System -
`Policies.”
`=» For information about security for Internet Explorer, see Chapter 20,
`“Internet Access and Tools.”
`= For information about Distributed Component Object Model (DCOM),
`see Chapter 29, “Windows 98 Network Architecture” and Chapter 25,
`“Application Support.”
`
`Petitioner RPX Corporation - Ex. 1020, p. 3
`
`

`

`356
`
`Microsoft Windows 98 Resource Kit
`
`Overview of Security Features
`Computer security refers to the protection of all components—hardware,
`software, and stored data—of a computeror a group of computers from
`damage,theft, or unauthorized use. A computer security plan that is weil
`thought out, implemented, andmonitored makes authorized computer use
`easy and unauthorized use or accidental damage difficult or impossible.
`
`Personal computing depends increasingly on computers connected through
`networks, and more often through the Internet and intranets, You can use
`Windows 98 security to prevent unauthorized access to shared resources on
`computers in a network. The security features built into Windows 98 are
`described briefly in this section, and in more detail later in the chapter.
`
`Logon Security
`Windows 98 allows users to log on fully. In a networking environment, you can
`set your system up so that when a name and password pair have been validated
`againstthe security authority of a network server, the Windows 98user interface
`is displayed.
`
`Logon Password
`A user can log on to all networks and Windows98 at the sametime. If a user’s
`password for Windows 98 or for another network is the same as the password
`for the primary logon client, Windows 98 automatically logs the user on to
`Windows 98 and all networks using that password.
`
`Note A unified password prompt does not enhancesecurity, but eases logging on
`to the system. As the system administrator, you can require additional passwords
`for a more secure system.
`
`For more information aboutthe logon prompt, see “Using the Windows 98 Logon
`Password”later in this chapter. Once users log on to their machines, they have the
`option to cache their passwords. These passwords are cached in a file with a .pwl
`extension. The file nameis the same as the user’s name. See “Password Caching”
`later in this chapter.
`
`Network Validation
`With system policies, you can prevent users from logging on to Windows 98
`if their Windows NT or Novell NetWare network logonis notvalidated. This
`causes the network logon dialog to appear before, or instead of, the Windows 98
`logon prompt. Also, the user list may not be network wide, but specific to a
`server, and may be different for different servers.
`
`Petitioner RPX Corporation - Ex. 1020, p. 4
`
`

`

`
`
`Chapter9 Security 357
`
`For more information about logon security, see “Network Security”later in
`this chapter. For more information about system policies, see “Using System
`Policies to Enforce Password Security”later in this chapter, and Chapter8,
`“System Policies.”
`
`Shared-Resource Security .
`When a computeris ranning Windows 98 with file and printer sharing services,
`other users can connect to shared printers, volumes,directories, and CD-ROM
`drives on that computer. To protect these shared resources, Windows 98 provides
`user-level and share-level security.
`:
`
`User-Level Security
`With user-level security, a user’s request to access a shared resource is passed
`through to a security provider, such as a Windows NT or NetWareserver.
`The security provider grants or denies the request by checking the requestor’s
`user name and password against a network-wide or server-wide stored list. User-
`level security does not require file and printer sharing services. These accounts
`must be created on the machine providing user-level authentication, such as a
`Windows NT or NetWare server. Windows 98 cannotact as an authentication
`server for user-level security.
`
`This type of security allows fine-grained control over per-user access and allows
`individual accountability. The disadvantages are that you must create a user
`account for each user you want to grant access to, and you must grantthat user
`the access.
`
`,
`
`Share-Level Security
`With share-level security, users assign passwords to their shared resources.
`Any user who can provide the correct password is permitted to access the shared
`resource. The passwordis stored and checked by the computer where the resource
`resides. Share-level security requires file and printer sharing services.
`ee
`Note Any subfolders of the shared folder,if they are also shared, mustbe set with
`the same level of security as the parent folder.
`
`The advantageof this type of security paradigm is thatit allows granting access
`to a broad range of people with very little effort. However, it is not as secure as
`user-level security, because the password is widely distributed and there is no
`notion of personal accountability.
`
`Petitioner RPX Corporation - Ex. 1020, p. 5
`
`

`

`358
`
`Microsoft Windows 98 ResourceKit
`
`Note You cannotuse share-level security on NetWare networks, because the File
`and Printer Sharing for NetWare Networksutility does not support passwords.
`You can limit access, however, by defining a resource as read-only.
`
`Password Controls
`
`In addition to setting up passwordsfor security, Windows98 also provides
`password caching, Password List Editor, and system policies.
`
`Password Caching
`Like unified logon, password caching provides a convenient and secure way to
`access protected resources. The first time a user connects to the resources and
`saves the password, Windows 98 caches the password in a PWL file. Whenever
`the user logs on again, the logon password-unlocks the PWLE file and the resource
`passwordsit contains, and the user then has free access to those resources. If
`password caching is disabled, users must type the password each time they
`connect to a password-protected resource.
`PasswordList Editor
`Password List Editor lets you view resources on a passwordlist. It also lets a user
`view or edit his or her own password file WL). You may then delete a password
`{you cannot view the actual password) so that it can be replaced.
`
`System Policies -
`System policies let you enforce a password policy with some orall of these
`restrictions:
`
`» Disable password caching.
`= Require an alphanumeric Windows 98 logon password.
`» Require a minimum Windows 98 logon password length.
`
`You can also define system policies that prevent users from enabling peer
`resource sharing services arid that enforce other security techniques, such as
`preventing users from configuring system components.
`
`For more information, see “Using System Policies to Enforce Password Security”
`later in this chapter, and Chapier 8, “System Policies.”
`
`Petitioner RPX Corporation - Ex. 1020, p. 6
`
`

`

`
`
`Chapter9 Security 359opA
`
`Internet and Intranet Security
`The Internetis an effective way to communicate and share information with
`others, but with its use comes a greater need for security. The following security
`features make it easier for you to protect your computer and your privacy when
`using the Internet.
`
`Internet Explorer
`Internet Explorer 4.0 has new security options that let you configure a security
`level to a specific Web site according to how muchyoutrust the content of that
`Website. Four security zones are set up in Internet Explorer 4.0. They are:
`
`» An Internet zone that by default contains all Internetsites.
`« A Trusted sites zone to which you can assign Websites youtrust.
`« A Restricted sites zone to which you can assign Web sites you do nottrust.
`» A Local intranet zone for computers connectedto a local area network.
`
`Outlook Express
`Outlook Express includes tools to protect you from fraud, ensure your privacy,
`and prevent unauthorized access to your computer. These tools enable you to
`send and receive secure e-mail messages and to control potentially harmful e-mail
`messages through security zones.
`
`Distributed Component Object Model
`A distributed application consists of multiple processes that cooperate to
`accomplish a single task. The Distributed Component Object Model (DCOM)
`can be used to integrate distributed applications in a network, thus allowing
`specified users to have accessto certain processes.
`
`Firewalls
`A firewall enforces a boundary between networks. The boundary prevents
`unauthorized access of private networks by preventing the passage ofpackets
`
`between networks.
`
`Petitioner RPX Corporation - Ex. 1020, p. 7
`
`

`

`360
`
`Microsoft Windows 98 Resource Kit
`
`Security Planning Checklist
`
`You needto determinethe type of exposureor risk you potentially have, and
`develop a security policy that reflects this level of risk. On the basis ofthat
`analysis, choose products, network technology, and businesspractices for the
`installation, integration, and managementof your system.
`
`Before you integrate Windows 98 security into your network security model,
`consider the following issues:
`
`Whatkind of logon security do you need? Do you allow users to log on
`to Windows 98 and the network with the same password? Do you wantto
`require alphanumeric or minimum-length passwords for the Windows 98 logon
`password? Do you wantto require that users be validated by the network security
`provider before being able to log on to Windows 98? For both Windows NT
`and NetWare networks, you can use system policies to require validation by a
`Windows NT or NetWare server before allowing access to Windows 98 andto
`specify other Windows 98 passwordrestrictions.
`
`What kind of resource protection do you need on Microsoft networks? If you
`enable peer resource sharing, you must decide how to protect those resources
`with share-level or user-level security. User-ievel security provides greater
`security because the network security provider must authenticate the user name
`and password before access to the resource is granted. Share-level security is
`not available for NetWare networks.
`
`For more information about NetWare networks, see Chapter 17, “Windows 98
`on Third-Party Networks.”
`What kinds of accessrights will users have to resources protected by user-level
`security? You can specify the types of rights users or groups of users have to
`resources by setting Sharing properties for the shared resource(such as a folder
`or drive). For example, you can restrict other users to read-only accessto files or
`give them read-access and write-accessto files.
`
`How do you wantto enable user-level security? You can enable security in a
`setup script or in system policies. If you enable user-level security in either a
`setup script or Control Panel, remote administration is enabled by default for
`domain administrators on a Windows NT network andfor supervisors on a
`NetWare network.
`
`Should password caching be allowed? You can use system policies to disable
`password caching and thus require users to type a password each time they access
`a password-protected resource,
`
`Petitioner RPX Corporation - Ex. 1020, p. 8
`
`

`

`Chapter9 Security
`
`361
`
`Should users be able to change Control Panelsettings? You can use system
`policies to restrict users’ ability to change the configuration of system
`components, their desktops, applications, or network connections in the
`Control Panel folder.
`
`Doesa particular hard disk need extra protection? Windows 98 security
`obstructs hacking over the network; butif a person has physical access to the
`computer,critical data could still be taken from the hard disk where it resides
`by using Safe Modeora floppy disk to start the workstation. If specific data
`requires greater levels of security, you should store critical files on a secure
`server. If computers require greater levels of security, Windows NT Workstation
`is recommended, becauseit provides a meansto protect resources on a hard disk
`based on a user’s identity.
`
`Are there applications that should not be run? You may needtorestrict accessto
`someapplications while supplying access to other applications in your system. To
`implementthis type of security, use system policies. You can also restrict access
`to parts of an application by using DCOM.
`Do certain processes of an application need protection? If security is required
`for a distributed application—that is, one whose componentprocesses are
`distributed over more than one computer in the network—-use DCOM. DCOM
`providesthe structure to share applications at the component ievel between a
`server and clients. The components can be shared overthe Internet or an intranet.
`Using DCOMtoseta security level for the application automatically applies that
`security level to each component, whereverlocated.
`
`Should Internet or intranet access be limited? You may need to limit access
`to certain sites on the Internet and on your intranet. To implementthis type of
`security, use Internet Explorer security features.
`
`Network Security
`Windows 98 allows users to log on fully. The first thing most users encounter
`after booting their Windows98 systemsis a logon dialog box, which varies
`depending onthe type of network. Once the proper user name and password are
`validated against the security authority of the network server, the Windows 98
`user interface is displayed.
`System administrators can configure the Windows 98 system to allow éntry into
`the operating system with no network access (this configuration is the default). As
`an alternative solution to this problem, system administrators can specify guest
`accounts that-have limited network access.
`
`Petitioner RPX Corporation - Ex. 1020, p. 9
`
`

`

`362
`
`Microsoft Windows 98 ResourceKit
`
`The Windows 98 user logon should not be construed as a mechanism to fully
`secure personal computers. Because personal computersarestill vulnerable to a
`floppy boot, all data stored ontheir disks is potentially available. The underlying
`file system in Windows98 is the MS-DOSfile allocation table (FAT) file system,
`which has no built-in encryption or other security mechanisms.
`
`Network resources are secured under Windows 98 using the same security
`mechanisms employed by network servers on corporate networks. The user
`name and password in Windows 98 can be configured to be the same as those
`used by the network server. By doing this, the network manager can control
`network access, provide user-level security for access to shared resources on the
`local computer, control the various agents in Windows 98, and limit who has
`remote administration authority on this Windows 98 system.In this fashion,
`Windows 98 leverages the existing investment in network servers, management
`tools, utilities, and infrastructure. System administrators can manage user
`accounts centrally on the server, just as they always have. They can also use
`familiar tools for managing user accounts.
`
`Implementing Network Security
`Implementing security in a Windows 98 networking environmentinvolves the
`following types of activity:
`
`«
`
`« Define user accounts on a network server or domain controller for user-level
`security. For more information, see the documentation for the software on the
`network security provider.
`Install file and printer sharing services, and then enable user-level or share-
`level security.
`« Define access rights for resources protected by user-level security.
`« Make the Windows 98 logon password and network logon password the
`same. Disable password caching if you do not want this feature. For more
`information, see “Using the Windows 98 Logon Password” and “Using the
`Windows 98 Password Cache”later in this chapter.
`« Define system policies to restrict users’ ability to configure the system or
`shared resources, and to enforce password policies.
`= Define Internet and intranet security zones. For more information, see “Setting
`Up Security Zones” later in this chapter.
`
`Sharing Resources
`Windows 98 provides share-levelor, alternatively, user-level security for
`protecting shared resources on computers running Windows 98 (the share
`level requires file and printer sharing services).
`
`Petitioner RPX Corporation - Ex. 1020, p. 10
`
`

`

`
`
`Chapter9 Security 363
`
`Share-level security protects shared network resources on the computer running
`Windows 98 with individually assigned passwords, For example, you can assign
`a password to a folder or a locally attachedprinter. If other users wantto accessit,
`they needto type in the appropriate password.If you do notassign a password to
`a shared resource, every user with access to the network can access that resource.
`
`User-level security protects shared network resources by requiring that a security
`provider authenticate a user’s request to access resources. The security provider,
`such as a Windows NT domain controller or a NetWare server, grants access to
`the shared resource by verifying that the user name and passwordare the same as
`those on the user accountlist stored on the network security provider. Because the
`security provider maintains a network-widelist of user accounts and passwords,
`each computer running Windows 98 doesnot haveto store a list of accounts.
`
`Note For Microsoft networks, the security provider must be a Windows NT
`domain or workstation. For NetWare networks, it must be either a NetWare 4.x
`server running bindery emulation or a NetWare 3.x server.
`
`Figure 9.1 shows howuser-level security works for Microsoft networks. The
`reference numbers are explainedafter the illustration.
`
`Network server
`(security provider)
`
`Joe's
`
`
`
`Figure 9.1 User-level security
`
`1. Joe’s computer is running Windows98. Joe enters a password to access a
`shared resource protected by user-level security.
`2. The Windows 98 computer passes a request to the server (security provider)
`to authenticate Joe’s identity.
`3. The security provider sends a verification to the computerif Joe’s name and
`password combination are valid.
`4. Windows 98 grants access to the shared resource according to rights assigned
`to Joe on the Sharing property sheet for that resource.
`
`Petitioner RPX Corporation - Ex. 1020, p. 11
`
`

`

`364
`
`Microsoft Windows 98 ResourceKit
`
`Joe’s password is stored on his computer’s PWL file to be used for authentication
`when he accesses that resource again. He will not be prompted for the password
`again during that session. When he logs off, the computer will erase his password
`from thefile.
`
`Setting Up Security for Shared Resources
`Before a user can share a resource on a computer running Windows98,the
`computer must be configured for share-level or user-level security, and file
`and printer sharing services must be installed by using the Network option in
`Control Panel. Configuring share-level or user-level securityis described
`briefly in the following sections, and in Chapter 18, “Logon, Browsing, and
`Resource Sharing.”
`
`Note Share-level security is not available on NetWare networks.
`
`> To set up share-levelsecurity
`1. Install File and Printer Sharing for Microsoft Networks, as descfibed in the
`“Installing Peer Resource Sharing” section of Chapter 18, “Logon, Browsing,
`and Resource Sharing.”
`2, On the computer that hosts the resource to be shared, in Control Panel, double-
`click Network, and then click the Access Controltab.
`3. Click Share-level access control, and then click OK.
`
`.
`
`> Toset up user-level security on a Microsoft network
`1. Install File and Printer Sharing for Microsoft Networks, as described in the
`“Installing Peer Resource Sharing” section of Chapter 18, “Logon, Browsing,
`and Resource Sharing.”
`2. In Control Panel, double-click Network, and then click the Access Control
`tab.
`
`3. Click User-level access control,
`
`4, In the User-level access control box, type the name of the Windows NT
`domain or Windows NT workstation where the user accounts reside.
`
`5. Click OK.
`
`> To set up user-level security on a NetWare network.
`1. Install File and Printer Sharing for NetWare Networks, as described in the
`“Installing Peer Resource Sharing” section of Chapter 18, “Logon, Browsing,
`and Resource Sharing.”
`2. In Control Panel, double-click Network, and then click the Access Control
`tab.
`
`Petitioner RPX Corporation - Ex. 1020, p. 12
`
`

`

`Chapter 9 Security
`
`365
`
`3. Click User-level access control.
`4, In the User-level access control box, type the name of the NetWareserver.
`5. Click OK.
`
`Forinformation about specifying values for security in custom setup scripts, see
`Appendix D, “Msbatch.inf Parameters for Setup Scripts.” For information about
`using System Policy Editor to set user-level security and other security options,
`see Chapter8, “System Policies.”
`
`Using Share-Level Security
`You can restrict access to resources such as a shared folderor a printer by either
`defining it as read-only or assigning a password to it.
`
`To share a folder or printer with share-level security
`1. In Windows Explorer, right-click the folder or printer to be shared, and then
`click Properties.
`2. In the Properties menu,click the Sharingtab.
`3. Click Shared As, and type the resource’s share name.
`The shared resource name will be the computer name plus the share name. For
`example, inthe following screen shot, if the computer name is mycomputer,
`
`this shared resource is \wnycomputer\mydocuments.
`
`Petitioner RPX Corporation - Ex. 1020, p. 13
`
`

`

`366
`
`Microsoft Windows 98 Resource Kit
`
`4. Specify whether you want users to have read-only or full access to this
`resource.
`
`Note There is no read-only share-level access for a printer or remote
`administration.
`
`5. Type the password for the specified access, and click OK.
`
`
`Tip You can share a folder but hide it from the Network Neighborhood browsing
`list by adding a dolar sign ($) to the end of its share name (for example,
`PRIVATES},
`
`Using User-Level Security
`Windows 98 uses the logon process to provide user-level security for a variety of
`services beyond network resource access, including the following services that are
`remotely accessible:
`
`4
`
`= Fie and printer sharing.
`= Dial-up network access gateway control.
`= Backup.
`« Network and system management.
`
`Pass-through security is implemented in Windows 98 as the mechanism to
`enable user-level security. Pass-through literally means that Windows 98
`passes authentication requests through to a Windows NT or NetWareserver.
`Windows98 does not implementits own unique user-level security mechanism
`but instead uses the services of an existing server on the network.
`
`Enabling pass-through security is a two-step process.First, user-level security
`must be enabled using the Control Panel. Second, the device must be shared,
`and users with access privileges must be specified. Right-clicking the drive C
`icon in My Computer and selecting Properties from the Shortcut menu displays
`a property sheet that shows which shares already exist and which users have
`access, It also allows new devices to be shared and new users to be added to
`specific shares. The Windows NTserver or the NetWare bindery supplies the
`user nameslisted in this property sheet.
`
`For more information aboutfile and printer sharing, see Chapter 18, “Logon,
`Browsing, and Resource Sharing.”
`
`Petitioner RPX Corporation - Ex. 1020, p. 14
`
`

`

`Chapter? Security
`
`367
`
`The Remote Administration function of a Windows 98 personal computer
`specifies the users or groups who have authority to manage the Windows 98
`system, including the following:
`
`Dial-up network access gateway control.
`Backup.
`Remote access to the registry.
`Remoie NetWatcher access.
`
`Remoie system performance monitoring.
`
`Remote Administration is controlled through the Passwords option in Control
`Panel. For more information about Remote Administration, see Chapter 23,
`“System and Remote Administration Tools.”
`
`For each network resource governed by user-level security, there is a list of users
`and groups that can access that resource.
`
`To share a resource with user-level security
`1.
`In Windows Explorer or My Computer, right-click the icon for the resource to
`be shared, and then click Properties.
`2. In the Properties menu,click the Sharingtab.
`. Click Add.
`
`.
`
`In the Add Users dialog box, click a user or group, and then assign access
`rights as described in the following paragraphs.
`Assign, for each user, a set of rights for the resource. The kindsof rights that
`you assign depend on the kind of resource you are securing:
`« For shared directories, you can let a user have read-only access,full access,
`or custom access. Within custom access, you can grant the user any orall
`of the following rights: read, write, create, list, delete, change file
`attributes, and change accessrights,
`-
`Forshared printers, a user either has the right to access the printer or not.
`=
`« For remote administration, a user either has the right to be an administrator
`” or not as defined in the Passwords option in Control Panel.
`Permissions are enforced for a resource as follows:
`
`»
`»
`
`»
`
`Jf the user has explicit rights to the resource, those rights are enforced.
`Ifthe user does not have explicit rights to the resource, the permissions
`are determined by takingall of the rights of each group to which the user
`belongs.
`Ifnoneof the groups to which the user belongs has anyrights to that
`resource, the user is not granted access to the resource.
`
`Petitioner RPX Corporation - Ex. 1020, p. 15
`
`

`

`368
`
`Microsoft Windows 98 ResourceKit
`
`When youdo not explicitly assign access rights to a file or folder, Windows 98
`uses implied rights. Jmplied rights are those assigned to the nearest parent folder
`ofafile or folder. If none of the parent folders (up to and including the root
`directory of the drive) have explicit rights, no access is allowed.
`
`
`Note Implied rights are displayed automatically on the property sheet for the
`shared file or folder.
`
`Specifying Folder Access Rights in User-Level Security
`Accessrights specify what a user can do in a folder protected by user-level
`security. The access rights you define for a folder apply to ail of its subfolders.
`You cannot, however, assign access rights to individual files in Windows98.
`(Both Windows NT and NetWarelet you assign accessrights to files.)
`
`
`Note Any subfolders of the shared folder, if they are also shared, mustbe set with
`the same level of security as the parent folder.
`
`For each folder, you can assign read-only, full, or custom access. Custom access
`lets you further specify exactly what each,user or group can doin the folder, as
`specified in Table 9.1.
`
`Table 9.1 Custom access options
`Required permissions
`Readfiles
`
`File operation
`Read from a closed file
`
`See a file name
`
`Search a folderforfiles
`
`Write to a closed file
`
`Run an executablefile
`
`Create and write to a file
`
`Copyfiles from a folder
`Copy files to a folder
`Make a new folder
`
`Deletea file
`
`Remove a folder
`
`List files
`
`List files
`
`Write, create, delete, changefile attributes
`
`Read,list files
`Create files
`
`Read,list files
`
`Write, create, list files
`Create files
`
`Delete files
`
`Delete files
`
`Changefolderorfile attributes
`Renamea file or folder
`
`Change access rights
`
`Changefile attributes
`Changefile attributes
`Change access control
`
`Petitioner RPX Corporation - Ex. 1020, p. 16
`
`

`

`
`
`Chapter9 Security 369
`
`>» To define custom access
`
`1, Open the Add Users dialog box in a shared resource’s properties (described
`in the procedure, “To share a resource with user-level security” earlier in this
`chapter).
`2. In the Add Usersdialog box,click a user or group, click Custom, and then
`click OK.
`
`3.
`
`In the Add Users dialog box, click a user or group from the Namelist, and
`then click Custom.
`
`4, In the Change Access Rights dialog box,click the type of rights the user or
`group of users may have in the folder, and then click OK.
`5. To removea user or group of users, click that user or group, and then click
`Remove.
`
`6. To edit the access rights for a user or group of users, click that user or group,
`and then click Edit.
`
`Managing UserLists
`Windows 98 user-level security depends on a list of accounts and groups located
`on a security provider. You cannot add or remove users and groups from the
`security providerlist by using Windows 98 tools. However, you can do this by
`running User Manager for a Windows NT domain, SYSCON for NetWare 3-x,
`and NETADMIN for NetWare 4.x in a NetWare bindery environment. You can
`use these tools on a computer running Windows 98. These tools are provided by
`the respective vendors and not by Windows 98. Under Windows 98, you specify
`what rights users have to specific resources on the local computer as described in
`“Using Share-Level Security” earlier in this chapter. For more information about
`changing a user’s access rights, see “Specifying Folder Access Rights in User-
`Level Security” earlier in this chapter.
`
`Note Although Windows NT networks allow multiple domains, a computer
`running-Windows 98 can specify only one domain for user-level security.
`However, you.can set permissions for users or groups from any domain in the
`Sharing properties for the shared resource, as long as the two domains have a
`proper trust relationship. Also, rights may include user accounts from different
`trusted domains. To use a trust relationship to access multiple domains, you
`should consult the Microsoft Windows NT Server 4.0 Concepts and Planning
`Guide, part of the Windows NT Server documentation set.
`
`Petitioner RPX Corporation - Ex. 1020, p. 17
`
`

`

`370
`Microsoft Windows 98 Resource Kit
`
`Managing Security for Windows 98 in NetWare Bindery
`Environmenis
`NetWare 3.x servers store all the information about users, groups, passwords, and
`tights in a database stored on the server called the bindery. NetWare 4.x servers
`can appear to have a bindery through