`
Windows 98
Resource Kit
`
`Petitioner RPX Corporation - Ex. 1020, p. 1
`
`
`
`PUBLISHED BY
`Microsoft Press
`
`A Division of Microsoft Corporation
`One Microsoft Way
`Redmond, Washington 98052-6399
`
`Copyright © 1998 by Microsoft Corporation
`
`Material appearing in chapters 17 and 18 is based on material originally created as:
`Novell-Supplied NetWare Clients: The Benefits,
`Copyright © 1997, 1998 Novell, Inc. All rights reserved.
`Used, reproduced, and distributed with permission from Novell, Inc.
`
`All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any
`means without the written permission of the publisher.
`
Library of Congress Cataloging-in-Publication Data
Microsoft Windows 98 Resource Kit / Microsoft Corporation.
p. cm.
Includes index.
ISBN 1-57231-644-6
1. Microsoft Windows (Computer file) 2. Operating systems (Computers)
I. Microsoft Corporation.
QA76.76.O63M5244 1998
005.4'469--dc21 98-2768
CIP
`
`Printed and bound in the United States of America.
`
1 2 3 4 5 6 7 8 9 WCWC 3 2 1 0 9 8
`
`Distributed in Canada by ITP Nelson, a division of Thomson Canada Limited.
`
`A CIP catalogue record for this book is available from the British Library.
`
Microsoft Press books are available through booksellers and distributors worldwide. For further information about
international editions, contact your local Microsoft Corporation office or contact Microsoft Press International
directly at fax (425) 936-7329. Visit our Web site at mspress.microsoft.com.
`
`ActiveX, BackOffice, Direct3D, DirectDraw, DirectInput, DirectPlay, DirectSound, DirectX, DoubleSpace,
`DriveSpace, FrontPage, Microsoft, Microsoft Press, MS-DOS, Natural, Picture It!, PowerPoint, Visual Basic,
`Visual C++, WebBot, Win32, Windows, and Windows NT are registered trademarks and ActiveMovie,
`Authenticode, DirectAnimation, DirectMusic, DirectShow, JScript, MSN, NetMeeting, NetShow, OpenType, and
`Outlook are trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. in
`the United States and other countries.
`
`Other product and company names mentioned herein may be the trademarks of their respective owners.
`
`The example companies, organizations, products, people, and events depicted herein are fictitious. No association
`with any real company, organization, product, person, or event is intended or should be inferred.
`
`Acquisitions Editors: Casey D. Doyle, David Clark, Anne Hamilton
`Project Editor: Maureen Williams Zimmerman
`
`
`
`CHAPTER 9
`
`Security
`
`
`This chapter presents an overview of security features provided in Microsoft
`Windows 98. It describes their use, together with security features of Internet
`Explorer version 4.0, in a networking environment. It is intended for system
`administrators and others who have authority to set security levels for network
`clients, and for those who need secure communication over the Internet.
`
In This Chapter

- Overview of Security Features
- Security Planning Checklist
- Network Security
- Passwords
- Internet Explorer Security
- Security Features in Outlook Express
- Firewalls
- Distributed Component Object Model
- Troubleshooting Security
`
`See Also
`
- For information about file and printer sharing services and user-level or
share-level security, see Chapter 18, “Logon, Browsing, and Resource Sharing.”

- For information about editing system policies, see Chapter 8, “System
Policies.”

- For information about security for Internet Explorer, see Chapter 20,
“Internet Access and Tools.”

- For information about Distributed Component Object Model (DCOM),
see Chapter 29, “Windows 98 Network Architecture” and Chapter 25,
“Application Support.”
`
`
`Overview of Security Features
Computer security refers to the protection of all components—hardware,
software, and stored data—of a computer or a group of computers from
damage, theft, or unauthorized use. A computer security plan that is well
thought out, implemented, and monitored makes authorized computer use
easy and unauthorized use or accidental damage difficult or impossible.
`
`Personal computing depends increasingly on computers connected through
`networks, and more often through the Internet and intranets. You can use
`Windows 98 security to prevent unauthorized access to shared resources on
`computers in a network. The security features built into Windows 98 are
`described briefly in this section, and in more detail later in the chapter.
`
`Logon Security
Windows 98 allows users to log on fully. In a networking environment, you can
set your system up so that when a name and password pair have been validated
against the security authority of a network server, the Windows 98 user interface
is displayed.
`
`Logon Password
`A user can log on to all networks and Windows 98 at the same time. If a user’s
`password for Windows 98 or for another network is the same as the password
`for the primary logon client, Windows 98 automatically logs the user on to
`Windows 98 and all networks using that password.
`
`Note A unified password prompt does not enhance security, but eases logging on
`to the system. As the system administrator, you can require additional passwords
`for a more secure system.
`
For more information about the logon prompt, see “Using the Windows 98 Logon
Password” later in this chapter. Once users log on to their machines, they have the
option to cache their passwords. These passwords are cached in a file with a .pwl
extension. The file name is the same as the user’s name. See “Password Caching”
later in this chapter.
`
`Network Validation
`
`With system policies, you can prevent users from logging on to Windows 98
`if their Windows NT or Novell NetWare network logon is not validated. This
`causes the network logon dialog to appear before, or instead of, the Windows 98
`logon prompt. Also, the user list may not be network wide, but specific to a
`server, and may be different for different servers.
`
`
`For more information about logon security, see “Network Security” later in
`this chapter. For more information about system policies, see “Using System
`Policies to Enforce Password Security” later in this chapter, and Chapter 8,
`“System Policies.”
`
Shared-Resource Security
When a computer is running Windows 98 with file and printer sharing services,
other users can connect to shared printers, volumes, directories, and CD-ROM
drives on that computer. To protect these shared resources, Windows 98 provides
user-level and share-level security.
`
User-Level Security
With user-level security, a user’s request to access a shared resource is passed
through to a security provider, such as a Windows NT or NetWare server.
The security provider grants or denies the request by checking the requestor’s
user name and password against a network-wide or server-wide stored list.
User-level security does not require file and printer sharing services. These accounts
must be created on the machine providing user-level authentication, such as a
Windows NT or NetWare server. Windows 98 cannot act as an authentication
server for user-level security.

This type of security allows fine-grained control over per-user access and allows
individual accountability. The disadvantages are that you must create a user
account for each user you want to grant access to, and you must grant that user
the access.
`
`Share-Level Security
`With share-level security, users assign passwords to their shared resources.
`Any user who can provide the correct password is permitted to access the shared
`resource. The password is stored and checked by the computer where the resource
`resides. Share-level security requires file and printer sharing services.
`
`
`Note Any subfolders of the shared folder, if they are also shared, must be set with
`the same level of security as the parent folder.
`
The advantage of this type of security paradigm is that it allows granting access
to a broad range of people with very little effort. However, it is not as secure as
user-level security, because the password is widely distributed and there is no
notion of personal accountability.
`
`
Note You cannot use share-level security on NetWare networks, because the File
and Printer Sharing for NetWare Networks utility does not support passwords.
You can limit access, however, by defining a resource as read-only.
`
`Password Controls
`
`In addition to setting up passwords for security, Windows 98 also provides
`password caching, Password List Editor, and system policies.
`
`Password Caching
Like unified logon, password caching provides a convenient and secure way to
access protected resources. The first time a user connects to the resources and
saves the password, Windows 98 caches the password in a PWL file. Whenever
the user logs on again, the logon password unlocks the PWL file and the resource
passwords it contains, and the user then has free access to those resources. If
password caching is disabled, users must type the password each time they
connect to a password-protected resource.

Password List Editor
`
`Password List Editor lets you view resources on a password list. It also lets a user
`view or edit his or her own password file (PWL). You may then delete a password
`(you cannot view the actual password) so that it can be replaced.
`
System Policies
`System policies let you enforce a password policy with some or all of these
`restrictions:
`
`- Disable password caching.
`
`- Require an alphanumeric Windows 98 logon password.
`
`- Require a minimum Windows 98 logon password length.
`
`You can also define system policies that prevent users from enabling peer
`resource sharing services and that enforce other security techniques, such as
`preventing users from configuring system components.
`
`For more information, see “Using System Policies to Enforce Password Security”
`later in this chapter, and Chapter 8, “System Policies.”
`
`
`Internet and Intranet Security
`The Internet is an effective way to communicate and share information with
`others, but with its use comes a greater need for security. The following security
`features make it easier for you to protect your computer and your privacy when
`using the Internet.
`
`Internet Explorer
`Internet Explorer 4.0 has new security options that let you configure a security
`level to a specific Web site according to how much you trust the content of that
`Web site. Four security zones are set up in Internet Explorer 4.0. They are:
`
- An Internet zone that by default contains all Internet sites.
`
`- A Trusted sites zone to which you can assign Web sites you trust.
`
`- A Restricted sites zone to which you can assign Web sites you do not trust.
`
`- A Local intranet zone for computers connected to a local area network.
`
`Outlook Express
`Outlook Express includes tools to protect you from fraud, ensure your privacy,
`and prevent unauthorized access to your computer. These tools enable you to
`send and receive secure e-mail messages and to control potentially harmful e-mail
`messages through security zones.
`
`Distributed Component Object Model
A distributed application consists of multiple processes that cooperate to
accomplish a single task. The Distributed Component Object Model (DCOM)
can be used to integrate distributed applications in a network, thus allowing
specified users to have access to certain processes.

Firewalls

A firewall enforces a boundary between networks. The boundary prevents
unauthorized access of private networks by preventing the passage of packets
between networks.
`
`
`Security Planning Checklist
`You need to determine the type of exposure or risk you potentially have, and
`develop a security policy that reflects this level of risk. On the basis of that
`analysis, choose products, network technology, and business practices for the
`installation, integration, and management of your system.
`
`Before you integrate Windows 98 security into your network security model,
`consider the following issues:
`
What kind of logon security do you need? Do you allow users to log on
to Windows 98 and the network with the same password? Do you want to
require alphanumeric or minimum-length passwords for the Windows 98 logon
password? Do you want to require that users be validated by the network security
provider before being able to log on to Windows 98? For both Windows NT
and NetWare networks, you can use system policies to require validation by a
Windows NT or NetWare server before allowing access to Windows 98 and to
specify other Windows 98 password restrictions.

What kind of resource protection do you need on Microsoft networks? If you
enable peer resource sharing, you must decide how to protect those resources
with share-level or user-level security. User-level security provides greater
security because the network security provider must authenticate the user name
and password before access to the resource is granted. Share-level security is
not available for NetWare networks.
`
`For more information about NetWare networks, see Chapter 17, “Windows 98
`on Third-Party Networks.”
`
`What kinds of access rights will users have to resources protected by user-level
`security? You can specify the types of rights users or groups of users have to
`resources by setting Sharing properties for the shared resource (such as a folder
`or drive). For example, you can restrict other users to read-only access to files or
`give them read-access and write-access to files.
`
`How do you want to enable user-level security? You can enable security in a
`setup script or in system policies. If you enable user-level security in either a
`setup script or Control Panel, remote administration is enabled by default for
`domain administrators on a Windows NT network and for supervisors on a
`NetWare network.
`
`Should password caching be allowed? You can use system policies to disable
`password caching and thus require users to type a password each time they access
`a password-protected resource.
`
`
`Should users be able to change Control Panel settings? You can use system
`policies to restrict users’ ability to change the configuration of system
`components, their desktops, applications, or network connections in the
`Control Panel folder.
`
`Does a particular hard disk need extra protection? Windows 98 security
`obstructs hacking over the network; but if a person has physical access to the
`computer, critical data could still be taken from the hard disk where it resides
`by using Safe Mode or a floppy disk to start the workstation. If specific data
`requires greater levels of security, you should store critical files on a secure
`server. If computers require greater levels of security, Windows NT Workstation
`is recommended, because it provides a means to protect resources on a hard disk
`based on a user’s identity.
`
`Are there applications that should not be run? You may need to restrict access to
`some applications while supplying access to other applications in your system. To
`implement this type of security, use system policies. You can also restrict access
`to parts of an application by using DCOM.
`
Do certain processes of an application need protection? If security is required
for a distributed application—that is, one whose component processes are
distributed over more than one computer in the network—use DCOM. DCOM
provides the structure to share applications at the component level between a
server and clients. The components can be shared over the Internet or an intranet.
Using DCOM to set a security level for the application automatically applies that
security level to each component, wherever located.
`
`Should Internet or intranet access be limited? You may need to limit access
`to certain sites on the Internet and on your intranet. To implement this type of
`security, use Internet Explorer security features.
`
`Network Security
`Windows 98 allows users to log on fully. The first thing most users encounter
`after booting their Windows 98 systems is a logon dialog box, which varies
`depending on the type of network. Once the proper user name and password are
`validated against the security authority of the network server, the Windows 98
`user interface is displayed.
`
System administrators can configure the Windows 98 system to allow entry into
the operating system with no network access (this configuration is the default). As
an alternative solution to this problem, system administrators can specify guest
accounts that have limited network access.
`
`
The Windows 98 user logon should not be construed as a mechanism to fully
secure personal computers. Because personal computers are still vulnerable to a
floppy boot, all data stored on their disks is potentially available. The underlying
file system in Windows 98 is the MS-DOS file allocation table (FAT) file system,
which has no built-in encryption or other security mechanisms.

Network resources are secured under Windows 98 using the same security
mechanisms employed by network servers on corporate networks. The user
name and password in Windows 98 can be configured to be the same as those
used by the network server. By doing this, the network manager can control
network access, provide user-level security for access to shared resources on the
local computer, control the various agents in Windows 98, and limit who has
remote administration authority on this Windows 98 system. In this fashion,
Windows 98 leverages the existing investment in network servers, management
tools, utilities, and infrastructure. System administrators can manage user
accounts centrally on the server, just as they always have. They can also use
familiar tools for managing user accounts.

`Implementing Network Security
`Implementing security in a Windows 98 networking environment involves the
`following types of activity:
`
- Define user accounts on a network server or domain controller for user-level
security. For more information, see the documentation for the software on the
network security provider.

- Install file and printer sharing services, and then enable user-level or
share-level security.

- Define access rights for resources protected by user-level security.

- Make the Windows 98 logon password and network logon password the
same. Disable password caching if you do not want this feature. For more
information, see “Using the Windows 98 Logon Password” and “Using the
Windows 98 Password Cache” later in this chapter.

- Define system policies to restrict users’ ability to configure the system or
shared resources, and to enforce password policies.

- Define Internet and intranet security zones. For more information, see “Setting
Up Security Zones” later in this chapter.
`
`Sharing Resources
`Windows 98 provides share-level or, alternatively, user-level security for
`protecting shared resources on computers running Windows 98 (the share
`level requires file and printer sharing services).
`
`
`Share-level security protects shared network resources on the computer running
`Windows 98 with individually assigned passwords. For example, you can assign
`a password to a folder or a locally attached printer. If other users want to access it,
`they need to type in the appropriate password. If you do not assign a password to
`a shared resource, every user with access to the network can access that resource.
`
User-level security protects shared network resources by requiring that a security
provider authenticate a user’s request to access resources. The security provider,
such as a Windows NT domain controller or a NetWare server, grants access to
the shared resource by verifying that the user name and password are the same as
those on the user account list stored on the network security provider. Because the
security provider maintains a network-wide list of user accounts and passwords,
each computer running Windows 98 does not have to store a list of accounts.
`
`
`Note For Microsoft networks, the security provider must be a Windows NT
`domain or workstation. For NetWare networks, it must be either a NetWare 4.x
`server running bindery emulation or a NetWare 3.x server.
`
Figure 9.1 shows how user-level security works for Microsoft networks. The
reference numbers are explained after the illustration.

[Figure 9.1 User-level security: Joe’s Windows 98 computer and the network
server (security provider)]
`
`1. Joe’s computer is running Windows 98. Joe enters a password to access a
`shared resource protected by user-level security.
`
`2. The Windows 98 computer passes a request to the server (security provider)
`to authenticate Joe’s identity.
`
`3. The security provider sends a verification to the computer if Joe’s name and
`password combination are valid.
`
`4. Windows 98 grants access to the shared resource according to rights assigned
`to Joe on the Sharing property sheet for that resource.
`
`
`Joe’s password is stored on his computer’s PWL file to be used for authentication
`when he accesses that resource again. He will not be prompted for the password
`again during that session. When he logs off, the computer will erase his password
`from the file.
`
`Setting Up Security for Shared Resources
Before a user can share a resource on a computer running Windows 98, the
computer must be configured for share-level or user-level security, and file
and printer sharing services must be installed by using the Network option in
Control Panel. Configuring share-level or user-level security is described
briefly in the following sections, and in Chapter 18, “Logon, Browsing, and
Resource Sharing.”
`
`Note Share-level security is not available on NetWare networks.
`
> To set up share-level security
1. Install File and Printer Sharing for Microsoft Networks, as described in the
“Installing Peer Resource Sharing” section of Chapter 18, “Logon, Browsing,
and Resource Sharing.”

2. On the computer that hosts the resource to be shared, in Control Panel,
double-click Network, and then click the Access Control tab.

3. Click Share-level access control, and then click OK.
`
`> To set up user-level security on a Microsoft network
`
`1. Install File and Printer Sharing for Microsoft Networks, as described in the
`“Installing Peer Resource Sharing” section of Chapter 18, “Logon, Browsing,
`and Resource Sharing.”
`
2. In Control Panel, double-click Network, and then click the Access Control
tab.
`
`3. Click User-level access control.
`
`4. In the User-level access control box, type the name of the Windows NT
`domain or Windows NT workstation where the user accounts reside.
`
`5. Click OK.
`
> To set up user-level security on a NetWare network
`1. Install File and Printer Sharing for NetWare Networks, as described in the
`“Installing Peer Resource Sharing” section of Chapter 18, “Logon, Browsing,
`and Resource Sharing.”
`
`2. In Control Panel, double-click Network, and then click the Access Control
`tab.
`
`
`3. Click User-level access control.
`
`4. In the User-level access control box, type the name of the NetWare server.
`5. Click OK.
`
For information about specifying values for security in custom setup scripts, see
Appendix D, “Msbatch.inf Parameters for Setup Scripts.” For information about
using System Policy Editor to set user-level security and other security options,
see Chapter 8, “System Policies.”

Using Share-Level Security
You can restrict access to resources such as a shared folder or a printer by either
defining it as read-only or assigning a password to it.

> To share a folder or printer with share-level security

1. In Windows Explorer, right-click the folder or printer to be shared, and then
click Properties.

2. In the Properties menu, click the Sharing tab.

3. Click Shared As, and type the resource’s share name.

The shared resource name will be the computer name plus the share name. For
example, in the following screen shot, if the computer name is mycomputer,
this shared resource is \\mycomputer\mydocuments.
`
`
`
`
`4. Specify whether you want users to have read-only or full access to this
`resource.
`
`Note There is no read-only share-level access for a printer or remote
`administration.
`
`5. Type the password for the specified access, and click OK.
`
`
`Tip You can share a folder but hide it from the Network Neighborhood browsing
`list by adding a dollar sign ($) to the end of its share name (for example,
`PRIVATE$).
`
`Using User-Level Security
Windows 98 uses the logon process to provide user-level security for a variety of
services beyond network resource access, including the following services that are
remotely accessible:

- File and printer sharing.

- Dial-up network access gateway control.

- Backup.

- Network and system management.
`
Pass-through security is implemented in Windows 98 as the mechanism to
enable user-level security. Pass-through literally means that Windows 98
passes authentication requests through to a Windows NT or NetWare server.
Windows 98 does not implement its own unique user-level security mechanism
but instead uses the services of an existing server on the network.

Enabling pass-through security is a two-step process. First, user-level security
must be enabled using the Control Panel. Second, the device must be shared,
and users with access privileges must be specified. Right-clicking the drive C
icon in My Computer and selecting Properties from the Shortcut menu displays
a property sheet that shows which shares already exist and which users have
access. It also allows new devices to be shared and new users to be added to
specific shares. The Windows NT server or the NetWare bindery supplies the
user names listed in this property sheet.
`
`For more information about file and printer sharing, see Chapter 18, “Logon,
`Browsing, and Resource Sharing.”
`
`
The Remote Administration function of a Windows 98 personal computer
specifies the users or groups who have authority to manage the Windows 98
system, including the following:

- Dial-up network access gateway control.

- Backup.

- Remote access to the registry.

- Remote NetWatcher access.

- Remote system performance monitoring.
`
`Remote Administration is controlled through the Passwords option in Control
`Panel. For more information about Remote Administration, see Chapter 23,
`“System and Remote Administration Tools.”
`
`For each network resource governed by user-level security, there is a list of users
`and groups that can access that resource.
`
> To share a resource with user-level security

1. In Windows Explorer or My Computer, right-click the icon for the resource to
be shared, and then click Properties.

2. In the Properties menu, click the Sharing tab.

3. Click Add.

4. In the Add Users dialog box, click a user or group, and then assign access
rights as described in the following paragraphs.

Assign, for each user, a set of rights for the resource. The kinds of rights that
you assign depend on the kind of resource you are securing:

- For shared directories, you can let a user have read-only access, full access,
or custom access. Within custom access, you can grant the user any or all
of the following rights: read, write, create, list, delete, change file
attributes, and change access rights.

- For shared printers, a user either has the right to access the printer or not.

- For remote administration, a user either has the right to be an administrator
or not as defined in the Passwords option in Control Panel.

Permissions are enforced for a resource as follows:

- If the user has explicit rights to the resource, those rights are enforced.

- If the user does not have explicit rights to the resource, the permissions
are determined by taking all of the rights of each group to which the user
belongs.

- If none of the groups to which the user belongs has any rights to that
resource, the user is not granted access to the resource.
`
`
When you do not explicitly assign access rights to a file or folder, Windows 98
uses implied rights. Implied rights are those assigned to the nearest parent folder
of a file or folder. If none of the parent folders (up to and including the root
directory of the drive) have explicit rights, no access is allowed.

Note Implied rights are displayed automatically on the property sheet for the
shared file or folder.
`
`Specifying Folder Access Rights in User-Level Security
Access rights specify what a user can do in a folder protected by user-level
security. The access rights you define for a folder apply to all of its subfolders.
You cannot, however, assign access rights to individual files in Windows 98.
(Both Windows NT and NetWare let you assign access rights to files.)

Note Any subfolders of the shared folder, if they are also shared, must be set with
the same level of security as the parent folder.

For each folder, you can assign read-only, full, or custom access. Custom access
lets you further specify exactly what each user or group can do in the folder, as
specified in Table 9.1.
`
Table 9.1 Custom access options

File operation                      Required permissions
Read from a closed file             Read files
See a file name                     List files
Search a folder for files           List files
Write to a closed file              Write, create, delete, change file attributes
Run an executable file              Read, list files
Create and write to a file          Create files
Copy files from a folder            Read, list files
Copy files to a folder              Write, create, list files
Make a new folder                   Create files
Delete a file                       Delete files
Remove a folder                     Delete files
Change folder or file attributes    Change file attributes
Rename a file or folder             Change file attributes
Change access rights                Change access control
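
The pass-through check of Figure 9.1, the permission-enforcement and implied-rights rules, and Table 9.1 can be modeled together in a few lines of Python; this is an added example, not code from the Resource Kit or from Windows 98. The class and operation names, the constructed accounts and folders, the contents of READ_ONLY, and the reading that only the nearest folder with assigned rights decides access are assumptions.

```python
import hashlib
import hmac
import os
from pathlib import PureWindowsPath

# The seven custom-access rights listed in the chapter.
READ, WRITE, CREATE, LIST, DELETE, ATTRS, ACCESS = (
    "read", "write", "create", "list", "delete", "attributes", "access")
FULL = frozenset({READ, WRITE, CREATE, LIST, DELETE, ATTRS, ACCESS})
READ_ONLY = frozenset({READ, LIST})  # assumption: not itemized in the chapter

# Table 9.1: file operation -> rights that must all be held.
REQUIRED = {
    "read_file": {READ}, "create_file": {CREATE}, "make_folder": {CREATE},
    "see_file_name": {LIST}, "search_folder": {LIST},
    "run_executable": {READ, LIST}, "copy_from_folder": {READ, LIST},
    "write_file": {WRITE, CREATE, DELETE, ATTRS},
    "copy_to_folder": {WRITE, CREATE, LIST},
    "delete_file": {DELETE}, "remove_folder": {DELETE},
    "change_attributes": {ATTRS}, "rename": {ATTRS},
    "change_access_rights": {ACCESS},
}


class SecurityProvider:
    """Hypothetical stand-in for the Windows NT or NetWare account list."""

    def __init__(self):
        self._accounts = {}  # user -> (salt, password hash)
        self._groups = {}    # group -> set of member users

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def add_user(self, user, password, groups=()):
        salt = os.urandom(16)
        self._accounts[user.lower()] = (salt, self._hash(password, salt))
        for group in groups:
            self._groups.setdefault(group.lower(), set()).add(user.lower())

    def authenticate(self, user, password):
        """Steps 2-3 of Figure 9.1: check the name and password pair."""
        salt, stored = self._accounts.get(user.lower(), (b"", b""))
        return hmac.compare_digest(stored, self._hash(password, salt))

    def groups_of(self, user):
        return {g for g, users in self._groups.items() if user.lower() in users}


class SharingHost:
    """The Windows 98 computer: holds per-folder rights, stores no accounts."""

    def __init__(self, provider):
        self.provider = provider
        self._acls = {}  # folder -> {user or group name: rights}

    def set_rights(self, folder, principal, rights):
        acl = self._acls.setdefault(PureWindowsPath(folder), {})
        acl[principal.lower()] = frozenset(rights)

    def effective_rights(self, user, path):
        path = PureWindowsPath(path)
        # Implied rights: nearest folder, up to the root, that has assigned rights.
        acl = next((self._acls[f] for f in (path, *path.parents) if f in self._acls), None)
        if acl is None:
            return frozenset()            # no explicit rights on any parent: no access
        if user.lower() in acl:
            return acl[user.lower()]      # explicit user rights are the ones enforced
        rights = frozenset()
        for group in self.provider.groups_of(user):
            rights |= acl.get(group, frozenset())  # else: all rights of the user's groups
        return rights                     # empty when no group has rights either

    def request(self, user, password, operation, path):
        """Figure 9.1 end to end: pass-through check, then the rights check."""
        if not self.provider.authenticate(user, password):
            return False
        return REQUIRED[operation] <= self.effective_rights(user, path)


def build_demo():
    """Constructed accounts, passwords and folders, for illustration only."""
    provider = SecurityProvider()
    provider.add_user("joe", "constructed-pw-1", groups=["Sales"])
    provider.add_user("ann", "constructed-pw-2", groups=["Sales", "Managers"])
    provider.add_user("bob", "constructed-pw-3", groups=["Managers"])
    host = SharingHost(provider)
    host.set_rights(r"C:\Shared", "Sales", READ_ONLY)
    host.set_rights(r"C:\Shared", "Managers", {WRITE, CREATE, DELETE, ATTRS})
    host.set_rights(r"C:\Shared", "bob", {LIST})
    host.set_rights(r"C:\Shared\Payroll", "Managers", FULL)
    return host


if __name__ == "__main__":
    demo = build_demo()
    print(demo.request("ann", "constructed-pw-2", "copy_to_folder", r"C:\Shared\Drafts"))
    print(demo.request("bob", "constructed-pw-3", "delete_file", r"C:\Shared\old.txt"))
```

In the constructed data, bob's explicit list-only entry overrides the broader rights of his Managers group, and joe is denied under C:\Shared\Payroll because that folder carries its own assigned rights that name neither him nor his group.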
`
`
`> To define custom access
`
1. Open the Add Users dialog box in a shared resource’s properties (described
in the procedure, “To share a resource with user-level security” earlier in this
chapter).

2. In the Add Users dialog box, click a user or group, click Custom, and then
click OK.

3. In the Add Users dialog box, click a user or group from the Name list, and
then click Custom.
`
`4. In the Change Access Rights dialog box, click the type of rights the user or
`group of users may have in the folder, and then click OK.
`
`5. To remove a user or group of users, click that user or group, and then click
`Remove.
`
`6. To edit the access rights for a user or group of users, click that user or group,
`and then click Edit.
`
`Managing User Lists
Windows 98 user-level security depends on a list of accounts and groups located
on a security provider. You cannot add or remove users and groups from the
security provider list by using Windows 98 tools. However, you can do this by
running User Manager for a Windows NT domain, SYSCON for NetWare 3.x,
and NETADMIN for NetWare 4.x in a NetWare bindery environment. You can
use these tools on a computer running Windows 98. These tools are provided by
the respective vendors and not by Windows 98. Under Windows 98, you specify
what rights users have to specific resources on the local computer as described in
“Using Share-Level Security” earlier in this chapter. For more information about
changing a user’s access rights, see “Specifying Folder Access Rights in
User-Level Security” earlier in this chapter.
`
Note Although Windows NT networks allow multiple domains, a computer
running Windows 98 can specify only one domain for user-level security.
However, you can set permissions for users or groups from any domain in the
Sharing properties for the shared resource, as long as the two domains have a
proper trust relationship. Also, rights may include user accounts from different
`trusted domains. To use a trust relationship to access multiple domains, you
`should consult the Microsof