Restricted Accounts In An IP Environment
Articles and Tips: qna
01 Dec 2002
Q.
What are your thoughts regarding workstation restricted accounts in an IP only environment? Are there any appropriate situations for its use? In the past, we've used workstation restricted accounts in those situations where an office had student workers who didn't have named accounts in eDirectory, but who the department wanted to have access to the department shares.
In an IPX environment, the combination of network address and MAC address made this situation secure, and in most cases, there were no passwords on these accounts. Once the workstation was turned on, it automatically logged into the tree and got the appropriate drive mappings.
However, now that we've gone to NetWare 6 in an IP-only environment, we only have the IP address to restrict the workstation. Resources which were on an IPX island in a sea of IP are now pretty much open to the world. With static addresses, it's possible for a rogue user to hijack the IP address that is assigned to the workstation with a restricted account. Therefore, it would seem that one of the benefits of the workstation restricted account, the lack of the need for a password, is, in any case, no longer a viable option. If the account has to have a password, what is to be gained by having the workstation restricted, as opposed to just having a generic named account?
One of the things driving this discussion is the fact that our physical network group doesn't want to give out static addresses. The argument is that they would need to set up a VLAN for every workstation restricted account, which would require them to go out to every office and check the jack to see which port it is connected to on the switch.
Chancey CD-ROM Cleary
A.
Dear Chancey: Conceptually, they're about as useful as IPX station restricted accounts ever were; that is, not very useful. Typically the MAC address can be overridden by the user and be specified to a different address, just like they can specify an IP address. It is maybe a little bit less well known, but it is still possible.
So, to give you a very Novell oriented solution, everybody gets an account, with a password. Guest accounts and accounts without passwords should not exist. Ever.
* Originally published in Novell AppNotes
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.