You need to determine the type of exposure or risk you potentially have, and develop a security policy that reflects this level of risk. On the basis of that analysis, choose products, network technology, and business practices for the installation, integration, and management of your system.
Before you integrate Windows 98 security into your network security model, consider the following issues:
What kind of logon security do you need?
Do you allow users to log on to Windows 98 and the network with the same password? Do you want to require alphanumeric or minimum-length passwords for the Windows 98 logon password? Do you want to require that users be validated by the network security provider before being able to log on to Windows 98? For both Windows NT and NetWare networks, you can use system policies to require validation by a Windows NT or NetWare server before allowing access to Windows 98 and to specify other Windows 98 password restrictions.
What kind of resource protection do you need on Microsoft networks?
If you enable peer resource sharing, you must decide how to protect those resources with share-level or user-level security. User-level security provides greater security because the network security provider must authenticate the user name and password before access to the resource is granted. Share-level security is not available for NetWare networks.
For more information about NetWare networks, see Chapter 17, "Windows 98 on Third-Party Networks."
What kinds of access rights will users have to resources protected by user-level security?
You can specify the types of rights users or groups of users have to resources by setting Sharing properties for the shared resource (such as a folder or drive). For example, you can restrict other users to read-only access to files or give them both read and write access to files.
How do you want to enable user-level security?
You can enable user-level security in a setup script or in system policies. If you enable user-level security in either a setup script or Control Panel, remote administration is enabled by default for domain administrators on a Windows NT network and for supervisors on a NetWare network.
Should password caching be allowed?
You can use system policies to disable password caching and thus require users to type a password each time they access a password-protected resource.
Should users be able to change Control Panel settings?
You can use system policies to restrict users’ ability to change the configuration of system components, their desktops, applications, or network connections in the Control Panel folder.
Does a particular hard disk need extra protection?
Windows 98 security obstructs hacking over the network, but a person with physical access to the computer could still take critical data from the hard disk where it resides by using Safe Mode or a floppy disk to start the workstation. If specific data requires greater levels of security, you should store critical files on a secure server. If computers require greater levels of security, Windows NT Workstation is recommended, because it provides a means to protect resources on a hard disk based on a user’s identity.
Are there applications that should not be run?
You may need to restrict access to some applications while supplying access to other applications in your system. To implement this type of security, use system policies. You can also restrict access to parts of an application by using DCOM.
Do certain processes of an application need protection?
If security is required for a distributed application — that is, one whose component processes are distributed over more than one computer in the network — use DCOM. DCOM provides the structure to share applications at the component level between a server and clients. The components can be shared over the Internet or an intranet. Using DCOM to set a security level for the application automatically applies that security level to each component, wherever located.
Should Internet or intranet access be limited?
You may need to limit access to certain sites on the Internet and on your intranet. To implement this type of security, use Internet Explorer security features.