Re: [WinMac] Clarification of RE: JetDirect names change: Mac
Bruce Johnson(johnson[at]Pharmacy.Arizona.EDU)
Wed, 19 May 1999 13:49:14 -0500
WinMac Digest #316 - Wednesday, May 19, 1999
Re: [WinMac] unix/ nt security diffs?
by <CHoogendyk@aol.com>
Re: [WinMac] unix/ nt security diffs?
by <bartosh@apple.tamu.edu>
GPF Booting NT?
by "weesh" <weesh@mindspring.com>
OT: Scam Alert: Call Costs You...
by "Daniel L. Schwartz" <expresso@snip.net>
Re: unix/ nt security diffs?
by "Daniel L. Schwartz" <expresso@snip.net>
Re: [WinMac] Clarification of RE: JetDirect names change: Macprinting
by <CHoogendyk@aol.com>
RE: [WinMac] Clarification of RE: JetDirect names change: Mac pri nting
by <PetersJB@nswccd.navy.mil>
[Fwd: Re: [WinMac] unix/ nt security diffs?]
by "Chris Hoogendyk" <choogendyk@aol.com>
Re: [WinMac] GPF Booting NT?
by "Daniel L. Schwartz" <expresso@snip.net>
MacServerIP Performance
by "Josh Lampl" <sunergy@electriciti.com>
Re: [WinMac] Clarification of RE: JetDirect names change: Mac pri ntin
by "Bruce Johnson" <johnson@Pharmacy.Arizona.EDU>
Subject: Re: [WinMac] unix/ nt security diffs?
From: CHoogendyk@aol.com
Date: Tue, 18 May 1999 21:58:39 EDT
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In a message dated 5/17/99 1:34:07 PM, bartosh@apple.tamu.edu writes:
>I am looking for a web page or something detailing differences
>between the unix security model and NT's.
>
>One of my jobs is helping a Department here plan and integrate OS's
>into the resource/support strategy, and a minor research group has
>decided they want to use nt.
Are you looking for user access or security?
If you have the latest NT and the latest Unix, the access controls on a file
might be fairly similar. But that just scratches the surface of security
issues. You could take a 5 day (40 hour) course on either Unix or NT security
and it would just be a primer. Since I'm at home and not at work, I don't
have my bookmarks, but there is an excellent site at purdue that is a focal
point for security issues. You can jump off from there to a large number of
other interesting sites. They will point you to virus sites, hacker sites,
software sites for third party security, etc.
If you look at Unix, you can start with controlling who can access what
files. Then you can look at authentication issues, protecting root access,
password quality, shadow password files, secure socket layer, encryption,
closing off back doors, .... (I have a 2.5" thick book on Unix and Network
Security.
If you look at NT, similar story but all the details are different. To really
secure an NT workstation, you have to get into all kinds of registry edits or
third party security software. My gut sense is that a Unix system is easier
to really secure than an NT system.
Just as an example, our public NT workstations in the university library seem
to get hacked fairly regularly in spite of man months of work spent on trying
to develop a secure system. We end up simply re-Ghosting a station when it
gets messed up. (Ghost [now owned by Symantec/Norton] basically reformats the
drive and copies a disk image over the network, then adjusts the SIDs, IPs,
etc.)
Well, I feel like I'm ranting on without really knowing what you are after.
If you could ask some more specific, pointed questions based on what I have
said already, I might try again -- or someone else will chime in.
Chris Hoogendyk
Network Specialist
UMass Library, Amherst
Managing Novell, NT and Unix servers from my desktop Macintosh G3.
Subject: Re: [WinMac] unix/ nt security diffs?
From: <bartosh@apple.tamu.edu>
Date: Tue, 18 May 1999 23:58:53 -0500 (CDT)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 18 May 1999 CHoogendyk@aol.com wrote:
>
> In a message dated 5/17/99 1:34:07 PM, bartosh@apple.tamu.edu writes:
>
> >I am looking for a web page or something detailing differences
> >between the unix security model and NT's.
> >
> >One of my jobs is helping a Department here plan and integrate OS's
> >into the resource/support strategy, and a minor research group has
> >decided they want to use nt.
>
> Are you looking for user access or security?
User access.
>
> If you have the latest NT and the latest Unix, the access controls on a file
> might be fairly similar. But that just scratches the surface of security
> issues. You could take a 5 day (40 hour) course on either Unix or NT security
> and it would just be a primer. Since I'm at home and not at work, I don't
> have my bookmarks, but there is an excellent site at purdue that is a focal
> point for security issues. You can jump off from there to a large number of
> other interesting sites. They will point you to virus sites, hacker sites,
> software sites for third party security, etc.
>
Fairly familiar with Uni*, but is seems like nt's model (from reading) has
all the security based on directories... ie you can list, write to, modify
members, or read members, etc, instead of Uni* where you have rwx on the
directory and every file.
The concept of groups seems slightly more signifigant in nt than in unix,
and nt's whole file permission model, from what I am reading in the
O'Riley annoyances book, seems sort of silly and a lot less flexible.
The only things I have ever gone in depth on with nt though are SFM and
printing, so I wanted to get some first hand feed back before I go into a
testing situation around the first of June.
> If you look at Unix, you can start with controlling who can access what
> files. Then you can look at authentication issues, protecting root access,
> password quality, shadow password files, secure socket layer, encryption,
> closing off back doors, .... (I have a 2.5" thick book on Unix and Network
> Security.
>
> If you look at NT, similar story but all the details are different. To really
> secure an NT workstation, you have to get into all kinds of registry edits or
> third party security software. My gut sense is that a Unix system is easier
> to really secure than an NT system.
Mine as well, but like I said I am asking for opinions of those more
versed than I before I begin testing.
>
> Just as an example, our public NT workstations in the university library seem
> to get hacked fairly regularly in spite of man months of work spent on trying
> to develop a secure system. We end up simply re-Ghosting a station when it
> gets messed up. (Ghost [now owned by Symantec/Norton] basically reformats the
> drive and copies a disk image over the network, then adjusts the SIDs, IPs,
> etc.)
>
> Well, I feel like I'm ranting on without really knowing what you are after.
>
> If you could ask some more specific, pointed questions based on what I have
> said already, I might try again -- or someone else will chime in.
Basicly am interested in basic permissions model- is what I have stated
above correct?
>
> Chris Hoogendyk
> Network Specialist
> UMass Library, Amherst
>
> Managing Novell, NT and Unix servers from my desktop Macintosh G3.
>
> * Windows-MacOS Cooperation List *
>
>
>
Subject: GPF Booting NT?
From: weesh <weesh@mindspring.com>
Date: Wed, 19 May 1999 08:25:45 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
I just restarted my NT Server machine and it's crashing with a GPF. Can
some kind soul tell me how to boot and fix this type of problem? I cant
find my erd disks anywhere either......
->Ken
- --
Ken Wieschhoff
Siren Enterprises
(770)813-0231
ICQ 30757206
***************************
Subject: OT: Scam Alert: Call Costs You...
From: "Daniel L. Schwartz" <expresso@snip.net>
Date: Wed, 19 May 1999 08:25:56 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Click on the link to read about a new scam. This one took even me by
surprise; and it seems to be hitting AOL users by storm. The key is the 767
"area code."
http://www.zdnet.com/anchordesk/story/story_3405.html
Surf safely,
Dan
Subject: Re: unix/ nt security diffs?
From: "Daniel L. Schwartz" <expresso@snip.net>
Date: Wed, 19 May 1999 08:26:39 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Several questions to consider when setting up user security:
1) Are these machines truly "public," or are they "semi-private," in an
office setting where only a few users (like a research group) will have
access to it?
2) When Chris talked about "being hacked into" does this mean that the
"hacking" was malicious or just plain stupidity? :)
Combining these 2 principles, this past weekend I gave a
friend of mine a
PPro for her home with NT4/SP5. She has 4 local user accounts set up:
Administrator, plus a "Power User" account for her, plus 2 "Users" accounts
set up for her kids. Basically, she only logs on as Administrator to add
programs, but normally logs on under her "regular" account. I did this so
that she couldn't accidently make fatal changes to the system. And it works.
The single biggest problem you'll run into with either NT or Mac
workstations (but not as much with 95/98) is the user attempting to make
system changes. With the Mac, it's easy (as well as tempting) to add that
shareware Control Panel or Extension that makes the Trash can growl or
belch; and at times these can cause all sorts of headaches when that
Extension was written with System 6.0.8 in mind! :)
On the other hand, it's easy to screw up an NT installation
when logged on
as Administrator (or a linux box when logged on as root). You have a lot of
power, but just like that 450 horsepower GTO "goat" you can easily spin a
machine out of control.
BTW, thanks for the tip on Symantec Ghost! :)
Cheers, and safe surfing!
Dan
[overly long quote deleted]
-----------------------------------------------------------------
<mailto:expresso@snip.net>
ALTERNATE: <mailto:expresso@workmail.com>
-----------------------------------------------------------------
Subject: Re: [WinMac] Clarification of RE: JetDirect names change:
Macprinting
From: CHoogendyk@aol.com
Date: Wed, 19 May 1999 08:26:44 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
In a message dated 5/18/99 5:47:40 PM, billc@sarc.msstate.edu writes:
>Actually, he may not know the physical location of all those printers,
>since they are just somewhere in the ether.
I have a stock test page on my desktop that says (in very large bold type):
Message from Chris Hoogendyk, Library Systems Office, 5-0074, Please call me
and tell me where this printed out.
Then, I go to the printer as below, get a configuration page, and also rename
it with with the LaserWriter tool or with the JetDirect software.
>Go to the printer you are interested in and physically punch its buttons
>to get the menu, and print a test page. It will have all the jetdirect info
on
>the test page, part of which will be the card's address, which is what is
used in
> making up the generic name you see in the chooser.
Subject: RE: [WinMac] Clarification of RE: JetDirect names change: Mac
pri nting
From: PetersJB@nswccd.navy.mil
Date: Wed, 19 May 1999 08:26:59 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
I guess you missed my point which wasn't that printers *couldn't* be
identified, but rather that while using the AppleTalk protocol, the Jet
Direct factory default names make it difficult to distinguish one from
another within the Chooser.
When we have several dozen HP LaserJet 4000s scattered over 20+ buildings,
sending and retrieving test pages is a non-trivial task.
Brooks
> Reply To: On May 18, 1999 5:35 PM, Dan wrote:
>
> Let me clarify: Throw a PS test page to each printer, which lists
> the IP
> address and (stack - independent) MAC address on the sheet...
>
> At 05:31 PM 5/18/99 -0400, I wrote:
> >
> > Try using the MAC address to identify them...
> >
> >At 12:17 PM 5/14/99 -0400, Brooks Peters wrote:
> >>We have dozens of printers on our network and I see 15 generically named
> >>LaserJet 4000 printers in the Chooser. I can't imagine trying to
> identify
> >>the one I want. The half-dozen I've renamed and re-zoned are easy to
> find
> >>and use along with their NT print queue counterparts.
Subject: [Fwd: Re: [WinMac] unix/ nt security diffs?]
From: Chris Hoogendyk <choogendyk@aol.com>
Date: Wed, 19 May 1999 11:34:22 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
> > >I am looking for a web page or something detailing differences
> > >between the unix security model and NT's.
perhaps not exactly what you are looking for but here's a site everyone
should know:
<http://www.cerias.purdue.edu/>
that's just a starting point. lots of links from there.
> > Are you looking for user access or security?
>
> User access.
<snip>
> Fairly familiar with Uni*, but is seems like nt's model (from reading) has
> all the security based on directories... ie you can list, write to, modify
> members, or read members, etc, instead of Uni* where you have rwx on the
> directory and every file.
>
> The concept of groups seems slightly more signifigant in nt than in unix,
> and nt's whole file permission model, from what I am reading in the
> O'Riley annoyances book, seems sort of silly and a lot less flexible.
>
> The only things I have ever gone in depth on with nt though are SFM and
> printing, so I wanted to get some first hand feed back before I go into a
> testing situation around the first of June.
<snip>
> Basicly am interested in basic permissions model- is what I have stated
> above correct?
With NT, you want to make sure you have formatted the drive using NTFS.
Once you've done that you have full file level access control. It is
based on Access Control Lists. Entries in the list contain a SID and a
list of permissions. There can be entries for users and for groups. SIDs
uniquely identify the users and the groups.
Permissions are:
RWX and
D for Delete
P for Change Permissions
O for Take Ownership
N for No Access
The Administrator might not be given permissions, but can take ownership
and then do whatever. The fact that she took ownership flags the
intrusion. Ownership cannot be given, it can only be taken. The
Administrator can give a user permission to take ownership back.
Root in Unix has more power with impunity.
NT has a bunch of built in special groups.
NTFS is supposed to be POSIX complient.
One hassle for an administrator is in a sense the GUI. I don't know of
any way to list the files in a directory with their permissions. You
have to right click on the file, select properties, click on the tab for
security, click on the button for permissions, click add or remove,
click more buttons, click ok or cancel out through several levels. . . I
mean, man, I gotta do that for every one? groan.
The inherent programmability of the Unix shell together with the listing
of permissions when you do an "ls -l" makes it far easier to manage. Of
course, the newer releases also have ACLs, and you would see something
like "rwxr-x---+" where the "+" indicates that there are additional
permissions assigned using ACLs. I haven't done anything with those
other than to just see that they are there in Digital Unix 4.0D.
Of course Unix also has it's unique things in the SetUID, SetGID and
Sticky Bits.
I think NT has reached a level of underlying complexity combined with
superficial simplicity that makes it difficult to manage expertly and
efficiently. Unix is harder to get into initially; but, when you have
learned it, you know what you are dealing with and can manage it. NT has
layers of hidden stuff that it does automatically to make life easier
for you, and cleaning them up can be a real pain. You think you know
what is going on, but NT has even more hidden layers lying in wait for you.
We had an example where our public NT workstations had finally been set
up the way we wanted, accessing a Novell server. We had re-arranged the
Contexts in Novell. An account ("ref") at the root level that shouldn't
have been there in the first place was replaced with another account
("ref" in an interior context) and we had everything running. Then we
went back to clean up by deleting the ref account in Novell at the root
level (nobody using it anymore, right?), and every public NT workstation
got an alert that that account had been deleted. huh? We searched the
registries and found a reference to that account and deleted it. But in
the mean time, we had a background login that we didn't want that was
being done invisibly and automatically. Now, granted, that may have been
an error on our part. But, when you have multiple people working on a
network, you don't always know everything they have done in precise detail.
I went to a presentation on Windows2000, and it is becoming even more
complex while becoming even simpler (they love that little paper clip
guy). I think it is a misleading combination.
I'll stop rambling.
---------------
Chris Hoogendyk
Network Specialist, Library Systems Office
W.E.B. Du Bois Library
University of Massachusetts, Amherst
<choogend@library.umass.edu>
---------------
Subject: Re: [WinMac] GPF Booting NT?
From: "Daniel L. Schwartz" <expresso@snip.net>
Date: Wed, 19 May 1999 11:43:59 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Ken,
Ain't no such thing as a "GPF" (General Protection Fault) in
NT. Can you
please be more specific, i.e. is it failing in the 16 bit portion of the
boot (black & white screen), or is it bombing in the blue screen portion
(32 bit reboot) of the boot cycle.
Also, what is the error message being given? Is it the
"IRQL_Less_Than..."
message?
Cheers!
Dan
At 08:25 AM 5/19/99 -0500, you wrote:
>I just restarted my NT Server machine and it's crashing with a GPF. Can
>some kind soul tell me how to boot and fix this type of problem? I cant
>find my erd disks anywhere either......
[snip]
>- --
>Ken Wieschhoff
>Siren Enterprises
>(770)813-0231
>ICQ 30757206
>***************************
Subject: MacServerIP Performance
From: Josh Lampl <sunergy@electriciti.com>
Date: Wed, 19 May 1999 12:14:55 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Chick:
Thank you for your interest in MacServerIP's relative performance.
As you know, actual performance will vary
according to the machine configuration. To be unbiased, I am
including data from sources other than Cyan. As you can
see, MacServerIP tests very favorably to its competitors and to
Services for Macintosh and includes many features and
benefits that make it an excellent choice for cross platform connectivity.
Here are the results:
1. German Magazine tests MacServerIP. May 13, 1999 -- An article in
the German-language magazine
<http://www.cat-verlag.de:591/ppinfos/FMPro?-db=prepress-archiv%2094-9
6&-format=archiv%5fdetail.htm&-lay=artikel&Artikeltext=macserver&-max=
20&-recid=61&-find>PrePress Reports
reports that file sharing with MacServerIP, an AFP over IP server for
Windows NT, is up to 4 times faster than other
AppleShare-compatible servers for NT. (Unfortunately, this article
is in German)
2. Test results Customer from the U.S.:
Your MacServerIP product is very fast.
With a new Ice Blue Mac, w/standard ethernet card, I'am getting
15.1Mb/sec. writes
17.5Mb/sec. reads
to my Dual Xeon Server, with Intel 1000Base-T Nic. Card.
With Dave I get
12.9Mb/sec. writes
15.3Mb/sec. reads
---------
100Base-T Ice Blue Mac / 1000 Base-T NT Server w/ 5 Channel RAID
AppleTalk / SFM
2.4Mb / Sec. Write
4.30Mb / Sec. Read
NetBIOS / TCP/IP (Dave)
7.2Mb / Sec. Write
8.4Mb / Sec. Read
AFP-over-IP / MacServerIP 6.1
8.2Mb / Sec. Write
9.2Mb / Sec. Read
*************************************
1000Base-T Ice Blue Mac / 1000 Base-T NT Server w/ 5 Channel RAID
AppleTalk / SFM
4.4Mb / Sec. Write
4.5Mb / Sec. Read
NetBIOS / TCP/IP (Dave)
10.9Mb / Sec. Write
15.3Mb / Sec. Read
AFP-over-IP / MacServerIP 6.1
15.1Mb / Sec. Write
17.4Mb / Sec. Read
----------------------------------------------------------------
Test results from Customer from the U.K.
I used Helios LanTester to carry out the following tests averaged over 5
runs (SfM = Services for Macintosh; MSIP = Cyan MacServerIP; all figures in
seconds except where marked; all tests carried out from the same G3/266 in
OS8.1)...
-----------------------------------------------------------------
Local HD NT/SfM
NT/MacServerIP
Create 100 files at 20kb 1.19 9.65 9.26
Open/Close 100 files 0.19 5.00 0.87
Remove 100 files 0.20 2.90 1.04
Write 30mb to file (kb/s) 4670.47 1078.27 8937.44
Read 30mb to file (kb/s) 7712.08 1335.15 7620.66
Lock/Unlock 4000 times 0.94 97.84 5.97
Read Directory/320 files 0.15 0.36 0.30
-----------------------------------------------------------------
Copy to/from 200mb TIFF
100BaseTX Mac to NT/MacServerIP (MSIP) 1m15s
100BaseTX Mac/Dave to NT 1m43s
SfM to 100BaseTX Mac 3m13s
NT/MSIP to 100BaseTX Mac 0m58s
NT to 100BaseTX Mac/Dave 1m28s
Opening RAID-based 200mb TIFF (MSIP) 1m33s
Opening RAID-based 200mb TIFF (Dave) 1m57s
Chick Foxgrover wrote:
>Yes I asked about it about a month ago and there should be a few messages
>in your archives about it and other links. We have been testing file
>transfers on a minimal NT server (166Pentium) and I'll get a short report
>in an email to the list soon if none of the other sources answer your
>questions.
>
>Actually here is my original message with the links:
>
>I think, Dan that cyan is the developer:
><http://www.cyansoft.de/>http://www.cyansoft.de/
>but maybe they're related to Helios.
>
>also:
><http://www.macwindows.com/macsrvip.html>http://www.macwindows.com/ma
>csrvip.html
>here's some more reactions on this product, and the site has an annoucement
>about another product coming out soon to do AFP over IP. Looks like there's
>real market for this. Our organization has been seriously looking at
>AppleShareIP for new studio servers with an eye towards moving to OSX
>(which we in the NYC office are very sceptical of for a variety of
>reasons). This development, if the products are any good should make the
>debate very interesting.
>
>Has anyone else been looking at or using any of these?
>
> > Cyan is the USA distributor for Helios...
>>
>> They also sell PDQ... Are you familiar with this?
>>
>> Thanks!
>> Dan
>>
>
Subject: Re: [WinMac] Clarification of RE: JetDirect names change: Mac
pri nting
From: Bruce Johnson <johnson@Pharmacy.Arizona.EDU>
Date: Wed, 19 May 1999 13:49:14 -0500
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
PetersJB@nswccd.navy.mil wrote:
>
> I guess you missed my point which wasn't that printers *couldn't* be
> identified, but rather that while using the AppleTalk protocol, the Jet
> Direct factory default names make it difficult to distinguish one from
> another within the Chooser.
>
> When we have several dozen HP LaserJet 4000s scattered over 20+ buildings,
> sending and retrieving test pages is a non-trivial task.
Which is why you're supposed to rename them when you install them :-/
Sadly that's about the only option.
--
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group
* Windows-MacOS Cooperation List *
This archive was generated by hypermail 2.0b2
on Wed May 19 1999 - 17:05:15 PDT
|