Computer security refers to the protection of all components—hardware, software, and stored data—of a computer or a group of computers from damage, theft, or unauthorized use. A computer security plan that is well thought out, implemented, and monitored makes authorized computer use easy and unauthorized use or accidental damage difficult or impossible.
Personal computing depends increasingly on computers connected through networks, and more often through the Internet and intranets. You can use Windows 98 security to prevent unauthorized access to shared resources on computers in a network. The security features built into Windows 98 are described briefly in this section, and in more detail later in the chapter.
Windows 98 allows users to log on fully. In a networking environment, you can set your system up so that when a name and password pair have been validated against the security authority of a network server, the Windows 98 user interface is displayed.
A user can log on to all networks and Windows 98 at the same time. If a user’s password for Windows 98 or for another network is the same as the password for the primary logon client, Windows 98 automatically logs the user on to Windows 98 and all networks using that password.
Note
A unified password prompt does not enhance security, but eases logging on to the system. As the system administrator, you can require additional passwords for a more secure system.
For more information about the logon prompt, see "Using the Windows 98 Logon Password" later in this chapter. Once users log on to their machines, they have the option to cache their passwords. These passwords are cached in a file with a .pwl extension. The file name is the same as the user’s name. See "Password Caching" later in this chapter.
With system policies, you can prevent users from logging on to Windows 98 if their Windows NT or Novell NetWare network logon is not validated. This causes the network logon dialog to appear before, or instead of, the Windows 98 logon prompt. Also, the user list may not be network wide, but specific to a server, and may be different for different servers.
For more information about logon security, see "Network Security" later in this chapter. For more information about system policies, see "Using System Policies to Enforce Password Security" later in this chapter, and Chapter 8, "System Policies."
When a computer is running Windows 98 with file and printer sharing services, other users can connect to shared printers, volumes, directories, and CD-ROM drives on that computer. To protect these shared resources, Windows 98 provides user-level and share-level security.
With user-level security, a user’s request to access a shared resource is passed through to a security provider, such as a Windows NT or NetWare server. The security provider grants or denies the request by checking the requestor’s user name and password against a network-wide or server-wide stored list. User-level security does not require file and printer sharing services. These accounts must be created on the machine providing user-level authentication, such as a Windows NT or NetWare server. Windows 98 cannot act as an authentication server for user-level security.
This type of security allows fine-grained control over per-user access and allows individual accountability. The disadvantages are that you must create a user account for each user you want to grant access to, and you must grant that user the access.
With share-level security, users assign passwords to their shared resources. Any user who can provide the correct password is permitted to access the shared resource. The password is stored and checked by the computer where the resource resides. Share-level security requires file and printer sharing services.
Note
Any subfolders of the shared folder, if they are also shared, must be set with the same level of security as the parent folder.
The advantage of this type of security paradigm is that it allows granting access to a broad range of people with very little effort. However, it is not as secure as user-level security, because the password is widely distributed and there is no notion of personal accountability.
Note
You cannot use share-level security on NetWare networks, because the File and Printer Sharing for NetWare Networks utility does not support passwords. You can limit access, however, by defining a resource as read-only.
In addition to setting up passwords for security, Windows 98 also provides password caching, Password List Editor, and system policies.
Like unified logon, password caching provides a convenient and secure way to access protected resources. The first time a user connects to the resources and saves the password, Windows 98 caches the password in a PWL file. Whenever the user logs on again, the logon password unlocks the PWL file and the resource passwords it contains, and the user then has free access to those resources. If password caching is disabled, users must type the password each time they connect to a password-protected resource.
Password List Editor lets you view resources on a password list. It also lets a user view or edit his or her own password file (PWL). You may then delete a password (you cannot view the actual password) so that it can be replaced.
System policies let you enforce a password policy with some or all of these restrictions:
You can also define system policies that prevent users from enabling peer resource sharing services and that enforce other security techniques, such as preventing users from configuring system components.
For more information, see "Using System Policies to Enforce Password Security" later in this chapter, and Chapter 8, "System Policies."
The Internet is an effective way to communicate and share information with others, but with its use comes a greater need for security. The following security features make it easier for you to protect your computer and your privacy when using the Internet.
Internet Explorer 4.0 has new security options that let you configure a security level to a specific Web site according to how much you trust the content of that Web site. Four security zones are set up in Internet Explorer 4.0. They are:
Outlook Express includes tools to protect you from fraud, ensure your privacy, and prevent unauthorized access to your computer. These tools enable you to send and receive secure e-mail messages and to control potentially harmful e-mail messages through security zones.
A distributed application consists of multiple processes that cooperate to accomplish a single task. The Distributed Component Object Model (DCOM) can be used to integrate distributed applications in a network, thus allowing specified users to have access to certain processes.
A firewall enforces a boundary between networks. The boundary prevents unauthorized access of private networks by preventing the passage of packets between networks.