Share Level Security; User Level Security - HP NetStorage 6000 Manual

The following sections explain these security modes in more detail.

3.2 Share Level Security

Share Level security is the simplest SMB security mode to use, but offers the least security. In this mode, each
share may be protected by a password. When the server administrator defines a new share, a password is
specified to protect the share from unauthorized access. When a user first accesses the share, the user is
prompted for the password. Once the password is entered and verified, then the user has full access to all files
on the share. Share Level security is the default security mode for Windows for Workgroups and Windows 95.
Share Level security may be implemented to allow both Read/Write access, as well as Read Only access to
shares. Each share may be protected by one Read/Write password and one Read Only password. The
access allowed on the share (Read/Write or Read Only) is dictated by the password entered by the user.
This mechanism is sufficient in small networking environments. However, in large environments, the model breaks
down. If a different password is used to protect each share, and if many shares are defined on a network, then
managing and remembering all those passwords becomes extremely difficult. In addition, the granularity of
protection extends only to the share. Any user that has access to the share, has access to all of the files in the
share. There is no way to limit access to individual files within a share.
In most cases, when a user enters a password to access a share, the client system creates a session with the
server that may extend beyond the expected interval. For example, if a user accesses a share via Network
Neighborhood (and providing the correct password), closes the Explorer window, and then returns to the share
at a later time, the user may not be prompted again for the password, since the original session is still active. In
addition, the client system may cache the password, and submit it again automatically on behalf of the user
when a session is ended and a new one is activated with the same share. To summarize, users should not
expect to have to enter in the password to a share more than once in a typical Windows session.

3.3 User Level Security

User Level Security offers the superior flexibility and ease of use on networks with a significant number of users
and/or resources. In this mode, each user is provided a logon account to a computer or network. The user only
has to remember the credentials for this one account, instead of numerous passwords for network shares.
Resources can be protected with a much finer granularity. Not only can shares be protected, but directories and
individual files may be protected as well. Also, each resource may be protected on a user by user basis that
allows almost infinite permutations of access restrictions of users and groups of users. User Level Security is the
default security mode of Windows NT systems.
The user accounts may be either local machine accounts for access to a single computer, or they may be
accounts that apply to all computers attached to the network. If a computer is attached to a network, then local
machine accounts are of little value, since the user of that account may only access resources on that computer,
and not any other computer on the network. On the other hand, network wide accounts allow users to access
resources on other computers on the network. In addition, these accounts allow the user to logon to any
computer on the network.
On NT networks, the network wide user accounts are managed through NT domains. The architecture of NT
domains is discussed in the next section.
Copyright © 2000 Hewlett-Packard Company Page 9 of 28
All Rights Reserved