Top 10 Downloads
  Last 15 New Files
  Web Links
  Last 15 New Tips
  NLM Programming
  Admins Club

SUPLA System
Internet of Things

Installation and Administration

Polish Forum SUSE

Who's Online

 There are currently,
6 guest(s)
that is (are) online.

Technical Information

Back to List of Categories

Technical Information about
  A Little YaST Magic
  A Slideshow for Your KDE Wallpaper
  Add Novell Support to Your Firefox Search Engine
  Adding To The Panels In Gnome.
  Akregator - RSS News Reader
  An Introduction to WBEM and OpenWBEM in SUSE LINUX
  Authenticating SUSE LINUX to eDirectory via LDAP
  Basic Mounting Differences between Windows and Linux
  Beginner's Guide to Using Novell SUSE LINUX's Build Utility
  Browsing Files
  Card Readers on SUSE LINUX 9.2 Professional?
  Changing the Default Browser in Gnome
  Developing Perl CGI scripts on SUSE LINUX
  Do I Have Permission?
  Double SYNC -- Using RSYNC Simultaneously With and Without Branch Office for Data Backup
  Dumb Question: Mounting Linux CDs
  Easy Command-Line Introduction
  Easy Way to Debug SSL Connections
  Enabling an Interactive Startup in Novell/SUSE LINUX
  Exploring MySQL 4.1 and PHP 5 on SUSE LINUX
  Extend Your Panels Using Gnome Drawers.
  Firefox Speed Tip
  Fix Java Errors With ConsoleOne On Linux
  Fix Your Mouse Wheel...
  Gimp -- Closing In on Photoshop...
  Gimp Tips Part 1: Resizing Images
  Gimp Tips Part 2: Rounding Corners
  Gimp Tips Part 3: Fading Photography Edges
  Gimp Tips Part 4: Selective Colorization
  Gimp Tips Part 5: Plugins a Plenty - Adding Light
  Gimp Tips Part 6: Using The Clone Tool
  Google Auto-fill Replica for Linux
  How a Corrupted USB Drive Was Saved by GNU/Linux
  How to Implement Login Scripts into a Pure Linux Environment
  How to install and connect an External Modem on a Linux PC
  How to Install the Novell Client for Linux on SUSE Linux 10.0
  How to launch applications at login in Gnome
  How to Remote Control Linux
  How to setup a Linux application to automatically startup when you login.
  How to share Files and Printers Between Linux and MS Windows with Samba
  How to uninstall the Novell Client for Linux
  How to upgrade the Novell Client for Linux
  How to use SMB without turning off the firewall
  How's the Weather?
  HTML Development Tools in Linux
  Informative Bash Prompt
  Install and Use QEMU on SUSE 9.2
  Install Linux Frequently, Without the Hassle
  Installing Apache, PHP, and MySQL on SUSE LINUX Professional
  Installing RPM Files
  Integrating Novell Linux Desktop into a Novell NetWare network
  Introduction to Oracle 10g R1 ( on SUSE LINUX Professional 9.3
  iPrint Printers on Novell Linux Desktop
  Linux Scheduling Priorities Explained
  Make a Misbehaving Program Quit
  Manually Mounting a USB Flash Drive in Linux
  Migrating To Linux, Advantages Over Windows 9.x And XP
  Minimize Your Maximizing with Multiple Desktops
  Mounting NetWare Volumes On NLD Illustrated
  Move Your /home to Another Computer
  Mozilla Mail Review
  Need a Backup?
  Novell Client Settings with Windows Terminal Server
  Novell Linux Desktop Equivalents of Windows Software - New and Improved
  Novell Linux Desktop System Upgrade How-To
  Partitioning Hard Drive for Linux Install
  Perform Remote SuSE Installations With Virtual Network Computing
  Quick Intro to Klipper
  Quick Shortcuts in The Gimp
  Reset Your Lost Root Password
  Resizing Your Gnome / KDE Panels
  Runlevels in SUSE LINUX
  Running Existing Win32 Applications on SUSE LINUX
  Service Command in /etc/init.d/
  Setting Shortcut Keys
  Setting up a Linux NFS Install Source for Your LAN
  Should I choose Novell Linux Desktop or SUSE LINUX Professional as my desktop?
  Starting Services From the Command Line On SuSE LINUX
  Sticky Notes for Gnome
  SUSE LINUX 9.3 Professional Review
  Sync Up The Taskbar and the Desktop in Gnome
  System Upgrade How-To
  Taking Screenshots in Linux
  The Basics of Messaging in the Cross-Platform GroupWise Client
  The Novell Client for Linux (beta).
  Transparent Panels in Gnome
  Trick Out Your KDE Desktop
  Understanding the YAST Software Module Options
  Updating Your Software with Red Carpet
  Using dsbk on Linux and Unix
  Using iFolder to Synchronize Firefox Bookmarks
  Using Multiple Swap Partitions In 2.4
  Using openSSH to Securely Access Remote Systems
  What FTP client should I use on Linux?
  What Is Logical Volume Management?
  What is so great about Firefox?
  Which Graphic Formats For What?
  Windows Shortcuts for Firefox Tabs on Linux
  Windows to Linux: A Beginner's Guide
  Windows Users Can Feel at Home Exploring Files in Linux
  WLAN interface as the Default
  Work With User Selection Icons In KDM
  YAST Online Update De-Mystified

Technical Information
 Novell Client Settings with Windows Terminal Server

Printer-friendly version

Posted: 24 Aug 2005

This article addresses a specific need that some network administrators experience. Many organizations run Windows Terminal Services to extend applications outside the local area network (LAN), or even to provide certain applications within the LAN on a controlled OS platform. In many cases, the Windows Terminal Servers that are running the applications need to operate within the existing Novell file and print services environment. And in some implementations, that means installing and configuring the Novell client on the Windows Terminal Server(s).

As an example of this, let's say that an organization has a program that runs as a client-server application with a database or shared files stored on a NetWare server, and the client portion runs on individual workstations. The users need Novell (eDirectory) authentication to access the database files, as well as whatever authentication is provided within the database application. This can apply whether there is a database engine running on the NetWare platform ("true" client-server), or if only network file access is required ("dumb" database).

The application was designed to run on the LAN, but now, with increasing demand to "work from anywhere", we wish to now extend the application's availability to workers outside the LAN. Enter Windows Terminal Services. We build our Terminal Server environment, and install the application on the Terminal Servers, and to provide Novell authentication and access to the NetWare server-stored databases or files, we install and configure the Novell client on the Terminal Servers.

Access Decisions

Early on in the design and planning of this type of solution, decisions have to be made regarding the degree of access we intend to give the end users within the Terminal Services environment, as well as within the NetWare environment to which they will secondarily connect. Many articles have been written on the subject of locking down Terminal Services, but here I would like to focus on the specifics of configuring the Novell client for the type of Terminal Server access as per our example.

One level of access that many organizations provide for Terminal Services might be classified as "robust". The Terminal Services provide a fully-functional Windows desktop environment for the user, and the Novell client provides the exact level of NetWare server access – mapped drives, network applications, etc. – that the user would have if they were logging in at the office with their own PC.

The robust access strategy is undoubtedly the easiest to setup, once the Terminal Services environment and licensing is correctly installed. In terms of the Novell client, there is not much difference in the way it is installed on a regular PC, and the way it would be installed on the Terminal Server. Most of the focus on restricting access will be on the Terminal Server environment (obviously, you wouldn't want end users having the ability to reboot the server, or make system configuration changes).

However, for many organizations, this "robust" access model for Terminal Services is not an acceptable solution, from a security standpoint. Having LAN access to network resources generally requires that two hurdles be crossed: first, locality, and second, password security. That is, you first have to access a PC that is directly connected to the LAN (or the private WAN, for multi-site networks), and then you have to provide a correct username and password combination to access the network resources.

Windows Terminal Services can extend your LAN to the world at large, when the Terminal Server becomes the "PC" connected to LAN. Users can now open a Windows terminal session, and thus login from potentially anywhere on the Internet. While this capability opens new opportunities for "work from anywhere" productivity, it also nullifies the first traditional security hurdle: locality. This can leave many network administrators and security personnel feeling exposed, now relying entirely on password security to protect the network from any malicious intrusion.

As an alternative to providing "robust" Terminal Services access to end users, many network administrators opt to provide very specific application access to limit the Terminal Services experience – and thus limit a user's exposure to the local network as well.

Limiting Terminal Services access to specific applications can be done with the proper configuration within Terminal Services itself, and is enhanced with additional products such as Citrix Presentation Server. But when the Novell client is used on the Terminal Server, some judicious settings in the Novell client configuration can also help to limit user access to only those applications and resources that are required.

Configuring the Novell Client

Very often a particular application is used by a particular group within an organization, rather than by all users in general. And very often those users are members of a specific department or workgroup, which is reflected by a context container in eDirectory, such as "Marketing", or "ITStaff". If that is so, then it makes sense to configure the Novell client on the Terminal Servers hosting that application to login specifically – and only – that that container. This is easily accomplished using the Location Profiles settings in the Novell client.

Under Novell Client Properties | Location Profiles | Login Service | Default | Properties:

De-select "Save profile after successful login" to prevent our standardized settings from being overwritten. On the "Credentials" tab, the Username should be blank, unless there is a need to pre-supply a generic username (usually considered a security risk). On the "NDS" tab, check Active Authenticator and the appropriate Tree and Context should be supplied. Sometimes, however, specifying the default server name is also considered a security risk.

On the "Script" tab, depending on the network environment needed for the application, you can select whether to Run scripts, Display results, etc. The "Windows" tab allows you to specify Windows login information according to your Windows environment. However, by default the Windows username is passed on from the supplied NDS username.

The Variables button on the "Script" tab allows you to pass variables to the login script execution, which can be handy. For example, you might want to differentiate between regular LAN users and Terminal Server users during the processing of a container login script. The regular users (on the LAN) might get a full complement of mapped network drives to multiple servers, while the Terminal Server users may need only to have specific drives mapped for a specific application.

This can be accomplished by setting a variable in the location profile, and then referencing that variable in the container login script. For example, we could set the "%2" variable to be "TERMINAL", and then in the container login script add a conditional loop that specifies something like:

  WRITE "You are logging into ACME using Terminal Server."

The LAN users, not having that variable set, will skip this section and go on to map the normal drives specified in the container login script. The same users, logging into the Terminal server, however, will have the variable set, and will map these specific drives, and skip over processing the rest of the container login script.

Configuring Advanced Login Settings

The kind of Location Profile settings outlined above are not at all unusual, even for regular desktop PC configurations. But the point is that the more specifically we control the login process, the more we can limit the Terminal Server users to specific access to resources for specific applications. The Advanced Login settings give us even more opportunities to "lock down" the Novell client.

Under Novell Client Properties | Advanced Login:

The "Advanced Button" should be set to Off, to prevent the user from selecting any other tree, context or server than what we specified in the Location Profiles. Alternatively, there are some "child" settings under Advanced Login that affect the same things: the "Context Box", "Context Browse Button", "Tree Box" and the "Tree Browse Button" settings can be set to Off to prevent users from selecting a different tree or context. But these are irrelevant if the Advanced Button is already set to Off.

To prevent the user from bypassing Novell security, all of the "Workstation Only" settings should be set to Off, including the "Remember Workstation Only setting" setting.

Configuring Service Location Settings

In an IP-only network, the Novell client needs a way to resolve the eDirectory tree, context and server names to an actual IP address of a NetWare (eDirectory) server that can provide authentication. On a simple LAN, the client can send an IP broadcast to discover this information, but on a multisite WAN, the SLP scope and Directory Agents must be listed.

Under Novell Client Properties | Service Location:

Add the scope name and Directory Agent IP addresses (or DNS names)

Configuring Advanced Settings

Under Novell Client Properties | Advanced Settings:

Change the default setting (On) of "Set Station Time" to Off, since the Terminal Server user will not have the ability to set the system time on the Terminal Server.

Configuring Advanced Menu Settings

The Advanced Menu Settings page for the Novell client properties has the greatest number of settings that determine what the user can or cannot do, or view, using the Novell client.

Under Novell Client Properties | Advanced Menu Settings:

You may wish to set the "Show Novell System Tray Icon" setting to Off, effectively disabling a host of NetWare user administration options available from the system tray applet. Like the "Advanced Button" setting mentioned above, this acts as a "parent" to many "child" settings (such as "Enable Login Dialog") that many administrators would prefer not to have available within a Terminal session. Here is a full list of "child" settings that would be become unavailable:

Enable Login Dialog
Enable NetWare connections Dialog
Enable Map Dialog
Enable Disconnect Dialog
Enable Capture Dialog
Enable End Capture Dialog
Enable NetWare Utilities
Enable NetWare Copy Dialog
Enable Send Message Dialog
Enable Trustee Rights Dialog
Enable Inherited Rights Dialog
Enable Object Properties Dialog
Enable Salvage Dialog
Enable Purge Dialog
Show User Administration Menu
Enable NDS Personal Information
Enable NDS Work Information
Enable NDS Mailing Information
Show Edit Login Script Item
Enable Login Administration
Enable Password Administration
Enable Group Membership Dialog
Enable Browse To Dialog
Enable Systray Config Dialog
Enable Update Novell Client
Enable Novell Client Help
Enable Novell Client Properties

Note that disabling the Novell System Tray does not truly disable all of the above settings – it merely makes them unavailable to the user through the System Tray ("Red N") icon. To completely disable the various context menu options provided by the NetWare client (such as NetWare Copy, Novell Map Network Drive), you must specifically disable each feature setting.

Other settings that affect context-specific menu dialogs provided by the NetWare client are also in the Advanced Menu Settings:

Enable NetWare Copy Dialog
Enable Map Dialog
Enable Salvage Dialog
Enable Purge Dialog
Enable Trustee Rights Dialog
Enable Inherited Rights Dialog

The above settings (default: On) affect the options available in the context menu when a user right-clicks on any NetWare volume or mapped drive, as well as availability within the menu of the Novell System Tray icon (as above).

Enable Who Am I Dialog
Enable Logout of Server
Enable Logout of Tree
Enable Authenticate to Server
Enable Authenticate to Tree

These settings (default: On) similarly affect whether the above context menu items are available when a user right-clicks on a NetWare server or NDS tree in My Network Places (Network Neighborhood).

Enable Change Context Dialog
Enable NDS Login to Tree
Enable Set Current Tree
Enable Show Parent Context
Enable Set Default Context

The above settings (default: On) similarly affect whether those context menu items are available when a user right-clicks on an NDS tree or context in My Network Places (Network Neighborhood).

All of the above Advanced Menu Settings are set to On by default. Disabling all of these settings effectively disables all of the enhanced "Red N" features that the Novell client introduces into the Windows user interface.

Other Advanced Menu settings in the Novell client affect not what the users can do, but what information they can view from the Novell client:

Display Volume Information Page
Display Volume Statistics Page
Display NetWare Information Page
Display NetWare Rights Page

These settings (default: On) determine whether the user sees the four additional properties pages when they view Properties on any NetWare volume or mapped drive in a Windows Explorer window.

Display Bindery Services Page
Display Container Page
Display Directory Services Page
Display Server Page
Display Tree Page

The above settings (default: On) similarly affect whether the users see the properties pages they right-click and select Properties on an NDS tree, container or server in My Network Places (Network Neighborhood). When disabled, the user merely receives the message "The properties for this item are not available."

The typical modus operandi that network administrators use when trying to lock down access to any resource is to start locking down everything we think the users won't need to access. Then we start testing user access, and then incrementally we open up the access settings again, when we discover that it is locked down a little too tight.

For an exhaustive description of the Novell client settings and operation, see http://www.novell.com/coolsolutions/appnote/620.html.

Windows Group Policy Settings

Within Terminal Server, you can (and should) also use Group Policies to lock down the Terminal Server. It is highly recommended that you create a new organizational unit instead of modifying the policies on an existing one, since with the following settings, even the administrator account will have restricted access. These recommended settings are excerpted from Microsoft's support page under Q278295 (http://support.microsoft.com/default.aspx?scid=kb;en-us;278295).

Use Active Directory Users and Computers to create a new organizational unit (OU). Right-click the OU, click Properties, and then on the Group Policy tab, click New Policy.

Edit this policy by enabling all of the following settings:

[Computer ConfigurationAdmin TemplatesSystemGroup Policy]
User Group Policy loopback processing mode

[Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options]
Do not display last user name in logon screen
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only

[Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Installer]
Disable Windows Installer

[User ConfigurationAdministrative TemplatesWindows ComponentsWindows Explorer]
Remove Map Network Drive and Disconnect Network Drive
Remove Search button from Windows Explorer
Disable Windows Explorer's default context menu
Hides the Manage item on the Windows Explorer context menu
Hide these specified drives in My Computer (Enable this setting for A through D.)
Prevent access to drives from My Computer (Enable this setting for A through D.)
Hide Hardware Tab

[User ConfigurationAdministrative TemplatesWindows ComponentsTask Scheduler]
Prevent Task Run or End
Disable New Task Creation

[User ConfigurationAdministrative TemplatesStart Menu & Taskbar]
Disable and remove links to Windows Update
Remove common program groups from Start Menu
Disable programs on Settings Menu
Remove Network & Dial-up Connections from Start Menu
Remove Search menu from Start Menu
Remove Help menu from Start Menu
Remove Run menu from Start Menu
Add Logoff to Start Menu
Disable and remove the Shut Down command
Disable changes to Taskbar and Start Menu Settings
Turn off personalized menus

[User ConfigurationAdministrative TemplatesDesktop]
Hide Internet Explorer icon on desktop
Hide My Network Places icon on desktop
Prohibit user from changing My Documents path
Remove My Computer icon on the desktop

[User ConfigurationAdministrative TemplatesControl Panel]
Disable Control Panel
Important: When you enable this setting, you prevent administrators from installing any MSI package on to the Terminal Server, even if the explicit Deny is set for the Administrator account.

[User ConfigurationAdministrative TemplatesSystem]
Disable the command prompt (Set Disable scripts to No)
Disable registry editing tools

[User ConfigurationAdministrative TemplatesSystemLogon/Logoff]
Disable Task Manager
Disable Lock Computer

In addition to these recommended settings, I would also add

[[Computer ConfigurationAdministrative TemplatesSystemRemote Assistance]
Offer Remote Assistance      Disabled
Solicit Remote Assistance    Disabled

[User ConfigurationAdministrative TemplatesWindows ComponentsWindows Update]
Remove access to use all Windows Update features   Enabled

In addition to these Group Policy settings, I would also modify some of the default menu items:

C:Documents and SettingsAll UsersStart Menu – delete Windows Update link
C:Documents and SettingsDefault UserStart MenuPrograms – delete Remote Assistance link

What Works for You

There might be several other settings I might add – or subtract – both in my Novell client settings, or in the Windows settings, depending on the network environment and the requirements that users have for the Terminal Services. To quote the Microsoft guideline, "The use of these policies does not guarantee a secure computer, and you should use them only as a guideline". Obviously, you have to do what works for you, in your own network environment.

By using a combination of "locking down" the NetWare client on the Terminal Server – to limit access to the NetWare environment – and locking down the Windows operating system with group policies, we can better provide the "work from anywhere" capabilities of Windows Terminal Services, without over-exposing our network to the potential hazards of external threats.

Since 2003

Portal posiada akceptację firmy Novell Polska
Wszystkie materiały dotyczące produktów firmy Novell umieszczono za zgodą Novell Polska
Portal has been accepted by the Novell Polska
All materials concerning products of Novell firm are placed with Novell Polska consent.
NetWare is a registered trademark of Novell Inc. in the United States and other countries.
Windows is a trademark or a registered trademark of Microsoft Corporation in the United States and other countries.
Sybase is a registered trademark of Sybase Inc. in the United States of America.
Other company and product names are trademarks or registered trademarks of their respective owners.