Previous | Contents | Index |
The following example shows how to set the account policy for the domain so that users are disconnected when they exceed their logon hours (/FORCE_DISCONNECT), and they are locked out after three failed logon attemps. The failed logon count resets 20 minutes after the last failed login attempt, and locked-out accounts are unlocked after 25 minutes.
LANDOFOZ\\TINMAN> SET ACCOUNT POLICY/FORCE_DISCONNECT - _LANDOFOZ\\TINMAN> /LOCKOUT=(ATTEMPTS=3,WINDOW=20,DURATION=25) %PWRK-S-ACCPOLSET, account policy set for domain "LANDOFOZ" |
The following example shows how to use the SHOW ACCOUNT POLICY command to display the account policy for a domain:
LANDOFOZ\\TINMAN> SHOW ACCOUNT POLICY Account Policy for domain "LANDOFOZ": Minimum password age (days) : 1 Maximum password age (days) : 42 Minimum password length : 0 Length of password history maintained : None Force user logoff after logon hours expire: YES Lock out account after how many bad password attempts : 3 Number of minutes account remains locked : 20 Number of minutes to wait before resetting lockout count : 25 Role of server TINMAN : Primary Domain Controller |
You specify the audit policy using the SET AUDIT POLICY command. When auditing is enabled, the server records selected security-related activities in the Security event log. The server can record systemwide events, such as a user logging on, and file-specific events, such as a user attempting to access a specific file. You display the audit policy using the SHOW AUDIT POLICY command.
The audit policy affects Security event logging for all servers in the domain, because they share the same audit policy. You can specify whether to log failed events and successful events. See Table 2-3 for a list of the events that you can audit. Note that to audit events pertaining to files or directories (ACCESS events), you must also set auditing on the files or directories. For more information, see Section 6.1.3.6, Setting and Displaying Security Event Auditing for Files and Directories.
Audit Event Name | Events Audited |
---|---|
ACCESS |
- A user accessing a directory or file that is set for auditing (SET
FILE/AUDIT=)
- A user sending a print job to a printer that is set for auditing |
ACCOUNT_MANAGEMENT |
- Creating, changing, or deleting a user account or group
- Renaming, disabling, or enabling a user account - Setting or changing a password |
LOGONOFF |
- A user logging on or logging off
- A user making a network connection |
POLICY_CHANGE |
- Changing the audit policy
- Changing a trust relationship - Changing user rights policies |
PROCESS |
- Program activation
- Handling duplication - Indirect object access - Process exit |
SYSTEM |
- A user starting or restarting a server
- A system security event - An event that affects the security log |
USER_RIGHTS | - A user exercised a user right such as accessing a file, except for logon/logoff rights |
The following example shows how to display the audit policy for a domain:
LANDOFOZ\\TINMAN> SHOW AUDIT POLICY |
Audit Policy for domain "LANDOFOZ": Auditing is currently Disabled. Audit Event states: Audit Event Success Failure ------------------- -------- -------- ACCESS Disabled Disabled ACCOUNT_MANAGEMENT Disabled Disabled LOGONOFF Disabled Disabled POLICY_CHANGE Disabled Disabled PROCESS Disabled Disabled SYSTEM Disabled Disabled USER_RIGHTS Disabled Disabled LANDOFOZ\\TINMAN> |
The following example shows how to enable auditing and set the audit policy for a domain, using the SET AUDIT POLICY/AUDIT command. In this example, the /SUCCESS=LOGONOFF qualifier enables auditing of successful logon and logoff operations.
LANDOFOZ\\TINMAN> SET AUDIT POLICY/AUDIT/SUCCESS=LOGONOFF %PWRK-S-AUDPOLSET, audit policy set for domain "LANDOFOZ" LANDOFOZ\\TINMAN> SHOW AUDIT POLICY Audit Policy for domain "LANDOFOZ": Auditing is currently Enabled. Audit Event states: Audit Event Success Failure ------------------ -------- -------- ACCESS Disabled Disabled ACCOUNT_MANAGEMENT Disabled Disabled LOGONOFF Enabled Disabled POLICY_CHANGE Disabled Disabled PROCESS Disabled Disabled SYSTEM Disabled Disabled USER_RIGHTS Disabled Disabled LANDOFOZ\\TINMAN> |
To enable auditing of all events, use the following command:
SET AUDIT POLICY/AUDIT/SUCCESS=ALL/FAILURE=ALL
2.3 Managing a Server
When you manage a server, you can display server information, send
messages to users, and start and stop services.
2.3.1 Displaying Server Information
You can display information about the server including connections,
user sessions, shared resources, and the software version number.
2.3.1.1 Displaying Connections
As you manage your server, you may need to know which connections are active. A connection is a virtual link between a workstation or a server process and a shared resource on a server.
To display existing connections, use the SHOW CONNECTIONS command. The SHOW CONNECTIONS command displays information about active connections to the server, including connections from the Advanced Server. The information about each connection includes:
The following example displays information about all the connections to the server currently being administered (TINMAN).
LANDOFOZ\\TINMAN> SHOW CONNECTIONS Connections on server "TINMAN": User name Computer name Share name Opens Time -------------------- --------------- ----------------- -------- ADMINISTRATOR TINMAN_176 IPC$ 3 0 11:30 SCARECROW TINMAN_149 ADMIN$ 0 0 00:00 SCARECROW TINMAN_149 IPC$ 0 0 00:00 SCARECROW TINMAN_149 IPC$ 1 0 00:00 SCARECROW TINMAN_149 RAINBOW 0 0 06:14 Total of 5 connections |
As you manage your server, you may need to know which sessions are active. A session is a link between a workstation and a server. Multiple share connections can be established over a single session.
To display user sessions, use the SHOW SESSIONS command. You can include the /SERVER qualifier to display sessions on a specific server. The display includes:
For example:
LANDOFOZ\\TINMAN> SHOW SESSIONS/SERVER=WOODMAN User sessions on server "WOODMAN": Connected Users Computer Opens Time Idle Guest ------------------ --------- ----- ------- ------- ----- ADMINISTRATOR TINMAN 1 1 22:54 0 00:00 No SCARECROW DOROTHY 3 0 03:48 0 00:03 No Total of 2 connected users LANDOFOZ\\TINMAN> |
The Advanced Server allows you to display information about shared resources. You can display information about the share permissions and the OpenVMS protections on them, as well as the maximum number of connections to the share allowed at one time. You can specify the display of only the active shares (those currently connected to) or by the type of share (printers or directories).
To see shared resources from the current server, use the SHOW SHARES command. This command displays:
Specify the share name to display information about only one share. Use the /FULL qualifier to display detailed information about each share.
For example, the following command displays the shares on the server currently being administered (TINMAN):
LANDOFOZ\\TINMAN> SHOW SHARES Shared resources on Server "TINMAN": Name Type Description --------- --------- ---------------------------------- NETLOGON Directory Logon Scripts Directory RAINBOW Directory Local Oz Share PWLIC Directory PATHWORKS Client License Sftwr PWLICENSE Directory PATHWORKS Client License Sftwr PWUTIL Directory Adv. Srv. Client-based Utilities USERS Directory Users Directory Total of 6 shares LANDOFOZ\\TINMAN> |
To display hidden shares (shares whose name ends in a dollar sign ($), such as administrative resources and local device shares (such as C$)), you must include the /HIDDEN qualifier or specify the share name. For example, the following command displays the local device share C$:
LANDOFOZ\\TINMAN> SHOW SHARES C$ Shared resources on Server "TINMAN": Name Type Description ------------ --------- ---------------------------------------- C$ Directory PATHWORKS share Total of 1 share |
2.3.1.4 Displaying the Advanced Server Version Number
You can verify the version number of Advanced Server software. To display
the version number of server software on your system,
use the SHOW VERSION command. For example:
LANDOFOZ\TINMAN> SHOW VERSION PATHWORKS V6.1 for OpenVMS (Advanced Server) LANDOFOZ\\TINMAN> |
This command is valid for PATHWORKS for OpenVMS (Advanced Server) and Advanced Server for OpenVMS servers only.
2.3.2 Stopping the Advanced Server
You can stop the Advanced Server at any time for any reason, which can include the following:
To stop the Advanced Server, enter the following command:
$ @SYS$STARTUP:PWRK$SHUTDOWN Shutting down the currently running server(s)... |
For a cluster server, enter:
$ @SYS$STARTUP:PWRK$SHUTDOWN CLUSTER |
To stop the Advanced Server as part of an orderly system shutdown, add
the shutdown command to the site-specific system shutdown procedure. In
addition, prior to shutting down the server, announce the planned
shutdown to connected users by using the ADMINISTER SEND/USERS command,
as described in Section 2.3.3, Sending Messages to Users.
2.3.3 Sending Messages to Users
You should send messages to users before you change the operating characteristics of a server. For example, you might send a message before disconnecting users or if you need to stop sharing a resource on a computer. For a message to be sent and received, the Alerter service must be running on the computer sending the message, and the Messenger service must be running on the computer receiving the message.
The Messenger service is not supported on the Advanced Server. Therefore, OpenVMS users on Advanced Servers will not receive messages sent this way. |
To send a message to the user of a specific computer, follow these steps:
For example, the following command sends the message "Shutdown at 1 pm today!!!" to the computer called WORTHY.
LANDOFOZ\\TINMAN> SEND WORTHY "Shutdown at 1pm today!!!" LANDOFOZ\\TINMAN> |
The message is displayed in a Messenger Service pop-up window on computer WORTHY in the following form:
Message from TINMAN to WORTHY on 4/30/01 11:20 AM "Shutdown at 1pm today!!!" |
With the /SERVER=servername qualifier, you can send a message from
another specified server in your domain to a specific group of users in
your domain. With the /USER qualifier, you can send a message to all or
specific users on a server.
2.3.3.2 Sending a Message to Users on a Specific Server
To send a message to users connected to a specific server, use the /SERVER qualifier. For example, the following command sends the message "Shutdown at 1pm today!!!" to all users connected to server WOODMAN.
LANDOFOZ\\TINMAN> SEND/USERS/SERVER=WOODMAN "Shutdown at 1pm today!!!" LANDOFOZ\\TINMAN> |
This command may take a few minutes to complete.
2.3.4 Managing Services
To manage Advanced Server services, you need to know how to start and stop services and how to configure service startup. Services are set up during server installation and configuration.
You can start and stop some of the services available on the computer and determine whether a service will start up automatically when the system starts. You must be logged on to a user account that has membership in the Administrators group or the Server Operators group to perform these operations. Table 2-4, Network Services on the Advanced Server, shows the default services provided with Advanced Server.
Service | Description | Supported on Advanced Servers | Starts by Default | Can Be Paused | Can Be Stopped |
---|---|---|---|---|---|
Alerter | Notifies selected users and computers of administrative alerts that occur on this server. Used by the server and other services. | Yes | Yes | No | Yes |
Browser | Lists network entities, such as domains, computers, and shared resources. | Yes | Yes | No | Yes |
EventLog | Records system, security, and application events in the event logs, and enables remote access to those logs. Cannot be stopped separately; stops together with the Server service. | Yes | Yes | No | No |
NetLogon | Verifies the user name and password of each user who attempts to log on to the network or gain access to the server. Synchronizes security databases. | Yes | Yes | Yes | Yes |
Server | Provides file and print sharing. | Yes | Yes | Yes | No 1 |
TimeSource | Identifies a server as the time server for a domain. Other computers synchronize their clocks with the time server. | Yes | No | No | Yes |
Replicator | Replicates user directories and files. | No | No | No | No |
Messenger | Allows receipt of server management messages | No | No | No | No |
The Replicator and Messenger services are supported on Windows NT and can be stopped and started, but not paused, from the Advanced Server.
The Alerter, NetLogon, and TimeSource services can be enabled and disabled by adding them to the list of services associated with the SrvServices server configuration parameter stored in the LANMAN.INI file, as described in Section 7.3, Using the LANMAN.INI File. When a service is enabled, it is started automatically when the Advanced Server starts.
For smooth operation of the domain, Compaq recommends that the NetLogon service always be enabled, even on member servers. |
As you manage your server, you may need to know the state of network services.
To display available services, use the SHOW SERVICES command. For example:
LANDOFOZ\\TINMAN> SHOW SERVICES Services on server "TINMAN": Service Current State -------------- --------------- ALERTER Started BROWSER Started EVENTLOG Started NETLOGON Started SERVER Started TIMESOURCE Started Total of 6 services LANDOFOZ\\TINMAN> |
By default, the Server, Alerter, Browser, and NetLogon services are started automatically when the server is started.
To start a service, use the START SERVICE command, specifying the full service name. For example:
LANDOFOZ\\TINMAN> START SERVICE TIMESOURCE %PWRK-S-SVCSTART, service "TIMESOURCE" started on server "TINMAN" LANDOFOZ\\TINMAN> |
You can suspend execution of the Server and NetLogon services. Unlike stopping a service, pausing does not cancel resource sharing, terminate connections or change any settings associated with the service.
Pausing the Server service prevents users from making new connections to the server's shared resources; however, users who have already connected to shared resources can continue to use the resources. Pausing the Server service does not prevent users who are members of the Administrators group from connecting to the service.
Pausing the NetLogon service prevents the server from synchronizing the domain's security accounts database. The server will not validate logons.
To pause a service, use the PAUSE SERVICE command. For example:
LANDOFOZ\\TINMAN> PAUSE SERVICE SERVER Do you really want to pause service "SERVER" [YES or NO](YES): YES %PWRK-S-SVCPAUSE, service "SERVER" paused on server "TINMAN" LANDOFOZ\\TINMAN> |
You can use the CONTINUE SERVICE command to continue a paused service. When you continue a service, you restore access to the service.
To continue a service, use the CONTINUE SERVICE command. For example:
LANDOFOZ\\TINMAN> CONTINUE SERVICE SERVER %PWRK-S-SVCCONT, service "SERVER" continued on server "TINMAN" LANDOFOZ\\TINMAN> |
Stopping a service disables all operations provided by that service. You can use ADMINISTER commands to stop the following services:
To stop the Server service, use the PWRK$SHUTDOWN.COM command procedure, as described in Section 2.3.2, Stopping the Advanced Server. Before you stop the Server service, you should follow these steps:
To stop a service, use the STOP SERVICE command. For example:
LANDOFOZ\\TINMAN> STOP SERVICE TIMESOURCE Do you really want to stop service "TIMESOURCE" [YES or NO] (YES): YES %PWRK-S-SVCSTOP, service "TIMESOURCE" stopped on server "TINMAN" LANDOFOZ\\TINMAN> |
Previous | Next | Contents | Index |