CONTENTS
- STRUCTURE OF OS
- WINDOWS SECURITY
- CREATING USERS AND GROUPS
- ACHIEVING SECURITY USING ArcGIS SERVER
- PERMISSIONS
- HOTFIX
- PATCHES
FUNCTIONS OF KERNEL
OSs provide environments in which programs run, and services for
the users of the system, including:
- User interfaces - the means by which users issue commands to the
system.
- Program execution - the OS must be able to load a program into RAM,
run it, and terminate it, either normally or abnormally.
- I/O operations - the OS is responsible for transferring data to and
from I/O devices, including keyboards, terminals, printers, and
storage devices.
- File-system manipulation - in addition to raw data storage, the OS
is responsible for maintaining directory and subdirectory structures.
- Communications - inter-process communication (IPC), either between
processes running on the same processor, or between processes running
on separate processors or separate machines.
- Error detection - detecting and responding to errors in the
hardware, in I/O devices, and in user programs.
- Resource allocation - e.g. CPU cycles, main memory, storage space,
and peripheral devices.
- Accounting - keeping track of system activity and resource usage.
- Protection and security - preventing harm to the system and to its
resources, whether from wayward internal processes or from malicious
outsiders.
User Operating-System Interface
1. Command interpreter - gets and processes the next user request,
and launches the requested programs.
2. Graphical user interface (GUI) - generally implemented as a desktop
metaphor, with file folders, trash cans, and resource icons. Icons
represent some item on the system, and respond accordingly when the
icon is activated.
Choice of interface
Most modern systems allow individual users to select their desired
interface and to customize its operation, as well as to switch between
different interfaces as needed. System administrators generally
determine which interface a user starts with when they first log in.

SYSTEM CALLS
System calls provide a means for user or application programs to call
upon the services of the operating system. They are generally written
in C or C++, although some are written in assembly for optimal
performance.
Types of System Calls
- Process control: end, abort, load, execute, create process,
terminate process, get/set process attributes, wait for time or event,
signal event, and allocate and free memory.
- File management: create file, delete file, open, close, read, write,
reposition, get file attributes, and set file attributes.
- Device management: request device, release device, read, write,
reposition, get/set device attributes, and logically attach or detach
devices.
- Information maintenance: get/set the time, date, system data, and
process, file, or device attributes.
- Communications: create/delete a communication connection,
send/receive messages, transfer status information, and attach/detach
remote devices.
- Protection: mechanisms for controlling which users / processes have
access to which system resources.
System Programs
- System programs provide OS functionality through separate
applications, which are not part of the kernel or the command
interpreter.
- They are also known as system utilities or system applications.
- Most systems also ship with useful applications such as calculators
and simple editors (e.g. Notepad).

System programs may be divided into these categories:
- File management - programs to create, delete, copy, rename, print,
list, and generally manipulate files and directories.
- Status information - utilities to check on the date, time, number of
users, processes running, data logging, etc.
- File modification - e.g. text editors and other tools which can
change file contents.
- Programming-language support - e.g. compilers, linkers, debuggers,
profilers, assemblers, library archive management, interpreters for
common languages, and support for make.
- Program loading and execution - loaders, dynamic loaders, overlay
loaders, etc., as well as interactive debuggers.
- Communications - programs for providing connectivity between
processes and users, including mail, web browsers, remote logins, file
transfers, and remote command execution.
- Background services - examples include network daemons, print
servers, process schedulers, and system error monitoring services.
- Most operating systems today also come complete with a set of
application programs to provide additional services, such as copying
files or checking the time and date.
Using Windows Security Center
Windows Security Center can help enhance your computer's security
by checking the status of several security essentials on your computer,
including firewall settings, Windows automatic updating, anti-malware
software settings, Internet security settings, and User Account Control
settings. If Windows detects a problem with any of these security
essentials (for example, if your antivirus program is out of date),
Security Center displays a notification and places a Security Center
icon in the notification area. Click the notification or double-click the
Security Center icon to open Security Center and get information
about how to fix the problem.
Firewall
A firewall can help prevent hackers or malicious software (such as
worms) from gaining access to your computer through a network or
the Internet. A firewall can also help stop your computer from sending
malicious software to other computers. Windows checks if your
computer is protected by a software firewall. If the firewall is off,
Security Center will display a notification and put a Security Center
icon in the notification area.
To turn on Windows Firewall
1. Open Security Center by clicking the Start button, clicking
Control Panel, clicking Security, and then clicking Security Center.
2. Click Firewall, and then click Turn on now. If you are prompted
for an administrator password or confirmation, type the password or
provide confirmation.
Automatic updating
Windows can routinely check for updates for your computer and install
them automatically. You can use Security Center to make sure
Automatic updating is turned on. If updating is turned off, Security
Center will display a notification and put a Security Center icon in
the notification area.
To turn on automatic updating
1. Open Security Center by clicking the Start button, clicking
Control Panel, clicking Security, and then clicking Security Center.
2. Click Automatic updating, and then click Turn on now. If you
are prompted for an administrator password or confirmation, type the
password or provide confirmation.
Malicious software protection
Malicious software (malware) protection can help protect your
computer against viruses, spyware, and other security threats.
Security Center checks if your computer is using up-to-date
antispyware and antivirus software. If your antivirus or antispyware
software is turned off or out of date, Security Center will display a
notification and put a Security Center icon in the notification area.
To install or update your anti-malware software
1. Open Security Center by clicking the Start button, clicking
Control Panel, clicking Security, and then clicking Security Center.
2. Click Malware protection, click the button under Virus
protection or Spyware and other malware protection, and then
choose the option that you want.
Other security settings
Windows checks your Internet security settings and User Account
Control settings to make sure they are set at the recommended levels.
If your Internet or User Account Control settings are changed to a
security level that is not recommended, Security Center will display a
notification and put a Security Center icon in the notification area.
To restore Internet settings to recommended levels
1. Open Security Center by clicking the Start button, clicking
Control Panel, clicking Security, and then clicking Security Center.
2. Click Other security settings.
3. Under Internet security settings, click Restore settings.
4. Do one of the following:
- To automatically reset the Internet security settings that are at
risk to their default level, click Restore my Internet security
settings now.
- To reset the Internet security settings yourself, click I want to
restore my Internet security settings myself. Click the security zone
you want to change settings for, and then click Custom level.
To restore User Account Control settings to recommended levels
1. Open Security Center by clicking the Start button, clicking
Control Panel, clicking Security, and then clicking Security Center.
2. Click Other security settings.
3. Under User Account Control, click Turn on now. If you are
prompted for an administrator password or confirmation, type the
password or provide confirmation.
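The four checks above (firewall, automatic updating, anti-malware,
User Account Control) are what Security Center evaluates before it
raises a notification. The following script is an added example, not
code from the original page: it reproduces those checks in PowerShell
so they can be run on many machines rather than clicked through in
Control Panel. It assumes Windows 8 / Server 2012 or later (for
Get-NetFirewallProfile) and, for the anti-malware check, a client
edition of Windows, because the root/SecurityCenter2 WMI namespace does
not exist on Windows Server. The productState bit tests are a widely
used but undocumented heuristic and are marked as an assumption.

```powershell
# Added example, not part of the original page: the checks Windows Security Center
# performs, scripted. Assumes Windows 8 / Server 2012 or later and, for the
# anti-malware check, a client edition (root/SecurityCenter2 is absent on Server).

function Get-SecurityEssentialsStatus {
    # Firewall: check every profile (Domain, Private, Public), not only the active one.
    $firewall = Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{ Profile = $_.Name; Enabled = [bool]$_.Enabled }
    }

    # Automatic updating, via the Windows Update Agent COM API. NotificationLevel:
    # 1 = disabled, 2 = notify before download, 3 = notify before install,
    # 4 = download and install automatically (the level Security Center recommends).
    $au = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    $autoUpdate = [pscustomobject]@{
        NotificationLevel = $au.NotificationLevel
        Recommended       = ($au.NotificationLevel -eq 4)
    }

    # Anti-malware products registered with Security Center (client editions only).
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.displayName
                RealTime = (($_.productState -band 0x1000) -ne 0)   # assumption: bit 12 = real-time protection on
                UpToDate = (($_.productState -band 0x10) -eq 0)     # assumption: bit 4 = definitions out of date
            }
        }

    # User Account Control: EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin = 0
    # elevates administrators silently, which Security Center reports as not recommended.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = [pscustomobject]@{
        Enabled       = ($pol.EnableLUA -eq 1)
        PromptsAdmins = ($pol.ConsentPromptBehaviorAdmin -ne 0)
    }

    # Same shape as the Security Center notification: a list of things to fix, empty when all is well.
    $problems = @(
        $firewall | Where-Object { -not $_.Enabled } | ForEach-Object { "Firewall is off for the $($_.Profile) profile" }
        if (-not $autoUpdate.Recommended) { "Automatic updating is not set to install updates (level $($au.NotificationLevel))" }
        if (-not $av) { 'No anti-malware product is registered with Security Center' }
        $av | Where-Object { -not $_.RealTime } | ForEach-Object { "$($_.Product): real-time protection is off" }
        $av | Where-Object { -not $_.UpToDate } | ForEach-Object { "$($_.Product): definitions are out of date" }
        if (-not $uac.Enabled) { 'User Account Control is turned off' }
        if (-not $uac.PromptsAdmins) { 'UAC elevates administrators without prompting' }
    )
    [pscustomobject]@{ Firewall = $firewall; AutoUpdate = $autoUpdate; AntiVirus = $av; UAC = $uac; Problems = $problems }
}

$status = Get-SecurityEssentialsStatus
if ($status.Problems.Count -eq 0) { 'All checked security essentials are at recommended levels' } else { $status.Problems }
```

The Internet security zone levels that Security Center also inspects
are not covered by this script; they live under the per-user Internet
Settings zones and are easier to enforce with Group Policy than to
audit by hand.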
CREATING USERS IN WINDOWS
With user accounts, several people can easily share a single
computer. Each person can have a separate user account with
unique settings and preferences, such as a desktop background
or screen saver. User accounts control which files and programs
users can access and what types of changes users can make to
the computer. Typically, you'll want to create standard accounts
for most computer users: a standard account cannot install software
or change system-wide settings, which also limits what malware running
under that account can do.
Add users and groups with operating system tools
In order to assign permissions based on Windows users and groups, you
may need to add users and groups to your system.
1. To add users and groups to the local Web server, go to Start -
Control Panel - Administrative Tools - Computer Management
(alternatively, right-click on the My Computer icon on the Desktop,
and click Manage). In the Computer Management console, expand if
necessary System Tools and then Local Users and Groups. Click the
Users folder to view the list of users. On Windows Server 2008 you
can instead go to Start - Control Panel - Administrative Tools -
Server Manager; in Server Manager, expand Configuration and then
Local Users and Groups, and click the Users folder to view the list
of users.
2. Right-click on the Users folder and choose New User... The New
User dialog opens.
3. Enter the user name, for example, walkthrough1. Enter a password
and confirm it. The walkthrough uses walkthrough1 as the password as
well; that is acceptable only for throwaway accounts on a test
machine, since a password equal to the user name is the first thing
anyone guesses. You may uncheck the requirement that the user must
change password at next logon; leaving it checked means the password
you typed is only a one-time value and the user picks their own at
first logon. Set other options as desired, then click Create.
4. Add at least one other user, for example, walkthrough2. Close the
New User dialog.
5. Right-click on the Groups folder in the Computer Management (or
Server Manager) tree, and choose New Group... The New Group dialog
opens.
6. Enter the group name, for example, WTGroup1. Optionally add a
description. To add members to the group:
- Under the Members area, click Add... The Select Users, Computers
or Groups dialog opens.
- In the Select Users dialog, click the Locations... button, and in
the popup dialog, select the local computer's name and click OK.
- Back in the Select Users dialog, under the Enter the object names
to select box, type the name of the first user added above
(walkthrough1).
- Click Check Names to verify the user exists (if necessary, click
the Advanced button, then Find Now to list all users; you can select
the user from this list).
- Click OK to close the Select Users dialog and return to the New
Group dialog. The New Group dialog now lists the user you selected.
7. Click Create to create the new group.
8. Create one more group, for example, WTGroup2, adding the second
user created above (walkthrough2). Then close the New Group dialog.
You may also close the Computer Management console.
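The eight steps above create two local users and two local groups
through the Computer Management console. The script below is an added
example, not part of the ArcGIS walkthrough, that does the same with
PowerShell's LocalAccounts module (Windows 10 / Server 2016 and
later; on the XP / 2003 / 2008 systems the walkthrough targets the
equivalents are net user and net localgroup). The user and group names
are the walkthrough's; the random-password function, the forced
password change at first logon and the final membership listing are
this example's additions.

```powershell
# Added example, not from the ArcGIS walkthrough: create the walkthrough's users and
# groups with the LocalAccounts module instead of the Computer Management console.
# Requires Windows 10 / Server 2016 or later and an elevated session.
#Requires -RunAsAdministrator

function New-RandomPassword {
    # Cryptographically random initial password; never reuse the user name as the password.
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RNGCryptoServiceProvider]::new().GetBytes($bytes)
    # Modulo selection has a slight bias for a 66-character alphabet; fine for a one-time password.
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Walkthrough names: each user goes into its own group, which ArcGIS Server later treats as a role.
$membership = [ordered]@{
    'walkthrough1' = 'WTGroup1'
    'walkthrough2' = 'WTGroup2'
}

$created = foreach ($entry in $membership.GetEnumerator()) {
    $user  = $entry.Key
    $group = $entry.Value
    $initialPassword = New-RandomPassword

    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $user `
                      -Password (ConvertTo-SecureString $initialPassword -AsPlainText -Force) `
                      -Description 'ArcGIS walkthrough account' | Out-Null
        # Equivalent of leaving "User must change password at next logon" checked:
        # the generated value is only ever a one-time password.
        net user $user /logonpasswordchg:yes | Out-Null
    }
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $group -Description 'ArcGIS walkthrough role' | Out-Null
    }
    # Add-LocalGroupMember errors if the user is already a member; that is not a failure here.
    Add-LocalGroupMember -Group $group -Member $user -ErrorAction SilentlyContinue

    [pscustomobject]@{ User = $user; Group = $group; InitialPassword = $initialPassword }
}

# Hand the one-time passwords over out of band, then verify what was actually created.
$created | Format-Table -AutoSize
foreach ($group in $membership.Values) {
    Get-LocalGroupMember -Group $group |
        Select-Object @{ n = 'Group'; e = { $group } }, Name, ObjectClass, PrincipalSource
}
```

The verification loop at the end is the scripted form of step 6's
Check Names: it reads the membership back from the SAM rather than
trusting that the Add-LocalGroupMember call did what was intended.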
Configure the user and role location in ArcGIS Server
In order to assign permissions for Web applications and services, you
must first tell ArcGIS Server where your users and roles are stored. In
this walkthrough, users are operating system accounts on the Web
server or on the domain, and roles are Windows groups on the Web
server or domain.
1. Start ArcGIS Server Manager and log in.
2. In Manager, expand the Security panel and click Settings.
3. Click the Change button (do this even if the Location already
indicates Windows users and groups; the wizard performs additional
essential configuration steps).
4. In the dialog that opens for the location for Users, choose Windows
users. Click Next.
5. In the panel for Role store location for users, click Windows
groups. Click Finish. The wizard will dismiss and the Location box will
read Windows Users and Groups.
Notice that security for services is set to Not Enabled. Do not enable
security at this point. You will enable security in the last step in this
walkthrough. Enabling security is the last step because you first need
to set permissions for your Web services. Once security is enabled,
only users whose roles you have permitted can access the GIS Web
services.
View Users and Roles
When your users and roles are Windows users and groups, you may
view them in Manager. To add, edit or delete users or groups, you
must use Windows operating system tools.
1. In Manager, click the Security tab on the left side, then
click Users. The Users panel will display a list of users on the local
Web server.
2. If you have more users than can be displayed in a single panel,
click the >> to display additional users. You can also enter part or all
of a user name in the Show: box near the top of the panel and
click Find to filter the list of users.
3. To view a user's group membership, click the plus symbol next to
the name. The list will show the groups of which the user is a member
on the local system.
4. If the computer is a member of a domain, you can view users on
the domain by clicking the Domain radio button for Show users on.
You can then view domain group membership for these users (the list
will not show membership in local system groups).
5. View roles by clicking Roles in the Manager Security tab. In this
case, the list displays Windows groups on the local Web server. If the
computer is a member of a domain, you may click Domain to see
groups in the domain. You can page between lists of groups or
filter/search for groups as with the Users dialog.
6. Click the plus button next to a group to view the users who are
members of the group.
Secure a Web application
Now you will secure a Web application by limiting access to designated
roles (in this case, Windows groups). The final sections of this
walkthrough will accomplish this goal.
1. Create a new Web application in Manager. The application may be
simple, with just a map service and no extra tools or tasks. You may
follow the Creating a Web Application Tutorial if you need to create an
application. If you have installed an SSL certificate on the Web server,
then when creating the application, you may want to set the
application to use https (in the application wizard, use the Advanced
option on the first panel). You may use an existing application, but all
users of the application will be required to log in as a user in a role
you permit during the walkthrough.
2. In Manager, click Applications to list the Web applications. Find
the application you want to secure in the list. In the Permissions
column, you will notice an unlocked (open padlock) icon. This
indicates that the application is not restricted, so that users
currently are not required to log in.
3. Click the permissions icon, which displays the Permissions dialog
for the Web application.
4. Check the box for Enable security for this web application.
This enables the lists of available and allowed roles.
5. If you wish to allow roles based on domain groups, click
the Domain option under Show roles on. Otherwise click Local
server to see groups on the local machine. You can add both domain
and local groups as allowed roles.
6. Highlight the WTGroup1 role (or other role you added above) in
the Available Roles list. Click the Add> button to add it to the list
of Allowed Roles. Optionally, add other roles to the allowed list.
7. Click Save to save the permissions and return to the list of
applications. Notice that the permissions icon changes to a
locked appearance, which shows that it now requires a login to
access the application.
8. Set the authentication method for the application using IIS
Manager:
(a) Open IIS Manager by going to Start - Settings - Control Panel -
Administrative Tools - Internet Information Services Manager.
(b) Expand the left-hand tree of IIS Manager, under Web Sites or
Sites, to find Default Web Site, then expand Default Web Site to
find the Web application you just secured.
(c) On Windows XP or Server 2003:
(1) Right-click on the Web application and click Properties in the
context menu. The Properties dialog opens for the application.
(2) In the Properties dialog, click the Directory Security tab. In this
panel, under Anonymous access and authentication control,
click Edit... The Authentication Methods dialog opens.
(3) In the Authentication Methods dialog, uncheck the Anonymous
access box. Then check at least one of the methods under
Authenticated access. For the demonstration purposes of this
walkthrough, you may choose Basic authentication (click Yes if a
warning message appears). The warning is there for a reason: Basic
authentication sends the user name and password base64-encoded, not
encrypted, with every request, so it is only acceptable over https
(step (d)). Integrated Windows authentication, also offered in this
dialog, never sends the password across the network but requires a
browser and client that support it.
(4) Click OK to dismiss the Authentication Methods dialog and return
to the application's Properties dialog.
(d) If you have installed an SSL certificate on your Web server, you
can require https when using the application. This protects the login
when the authentication method is set to Basic; without it the
credentials cross the network in the clear.
(e) To require https on Windows XP or Server 2003: in the
Properties dialog for the application, click the Directory Security
tab. In the Secure communications area of this panel,
click Edit... (if this button is disabled, then no SSL certificate is
installed). In the Secure Communications dialog, click Require
secure channel (SSL). Click OK to save the setting. Click OK to
close the Properties dialog.
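Step 8 makes three changes in IIS: anonymous access off, Basic
authentication on, and SSL required. The walkthrough shows the IIS 6
dialogs on Windows XP / Server 2003, which have no scripting
equivalent in PowerShell; the following is an added example, not part
of the walkthrough, that applies and then verifies the same three
settings on IIS 7 or later with the WebAdministration module. The site
name Default Web Site is the walkthrough's; the application name
SecuredMapApp is an assumption for illustration.

```powershell
# Added example, not from the ArcGIS walkthrough: the IIS side of step 8 for IIS 7 or
# later. Site name is the walkthrough's; the application name is an assumption.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$site     = 'Default Web Site'
$app      = 'SecuredMapApp'              # assumed name of the Web application created in Manager
$location = "$site/$app"
$authBase = '/system.webServer/security/authentication'

# Writing with -PSPath 'IIS:\' -Location puts the settings in applicationHost.config's
# <location> element, which works even though the authentication sections are locked
# against web.config overrides by default.

# (3) Uncheck "Anonymous access": every request must now carry credentials.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# (3) Check "Basic authentication": IIS answers unauthenticated requests with
#     401 and "WWW-Authenticate: Basic", and the browser replays user:password
#     base64-encoded on every request.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authBase/basicAuthentication" -Name enabled -Value $true

# (d)/(e) "Require secure channel (SSL)", only if the site actually has an https binding;
#         otherwise Basic would send the password in the clear on port 80.
if (Get-WebBinding -Name $site -Protocol https) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'
} else {
    Write-Warning "No https binding on '$site': Basic credentials would cross the network unencrypted."
}

# Read the effective configuration back, the way an auditor would check the change.
$anon  = Get-WebConfiguration -PSPath 'IIS:\' -Location $location -Filter "$authBase/anonymousAuthentication"
$basic = Get-WebConfiguration -PSPath 'IIS:\' -Location $location -Filter "$authBase/basicAuthentication"
$acc   = Get-WebConfiguration -PSPath 'IIS:\' -Location $location -Filter '/system.webServer/security/access'
[pscustomobject]@{
    Application   = $location
    AnonymousAuth = $anon.enabled
    BasicAuth     = $basic.enabled
    SslFlags      = $acc.sslFlags
    Acceptable    = (-not $anon.enabled) -and $basic.enabled -and ($acc.sslFlags -match 'Ssl')
}
```

The final object is worth keeping as the acceptance check: an
application with BasicAuth true and SslFlags empty is exactly the
misconfiguration the warning in step (3) is about.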
Permissions for files and folders
Folder permissions include Full Control, Modify, Read & Execute,
List Folder Contents, Read, and Write. Each of these basic
permissions is a logical group of special permissions, listed in the
following table. Read & Execute and List Folder Contents are made up
of the same special permissions; they differ only in inheritance: List
Folder Contents applies to folders and subfolders only, while Read &
Execute is also inherited by files.
File and folder special permissions

Special permission              Full     Modify  Read &   List     Read  Write
                                Control          Execute  Folder
                                                          Contents
Traverse Folder / Execute File  YES      YES     YES      YES      NO    NO
List Folder / Read Data         YES      YES     YES      YES      YES   NO
Read Attributes                 YES      YES     YES      YES      YES   NO
Read Extended Attributes        YES      YES     YES      YES      YES   NO
Create Files / Write Data       YES      YES     NO       NO       NO    YES
Create Folders / Append Data    YES      YES     NO       NO       NO    YES
Write Attributes                YES      YES     NO       NO       NO    YES
Write Extended Attributes       YES      YES     NO       NO       NO    YES
Delete Subfolders and Files     YES      NO      NO       NO       NO    NO
Delete                          YES      YES     NO       NO       NO    NO
Read Permissions                YES      YES     YES      YES      YES   YES
Change Permissions              YES      NO      NO       NO       NO    NO
Take Ownership                  YES      NO      NO       NO       NO    NO
Synchronize                     YES      YES     YES      YES      YES   YES
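The table is not arbitrary: each basic permission is a union of
special-permission bits in a Win32 access mask, built from the
FILE_GENERIC_READ / WRITE / EXECUTE masks plus DELETE for Modify and
every bit for Full Control. The script below is an added example, not
part of the original page. It rebuilds the table from those documented
mask values and then decodes the access masks of a real ACL into the
same special-permission names, which is how an ACE that Explorer only
labels "Special permissions" is read. The path it inspects is an
assumption for illustration.

```powershell
# Added example, not from the original page: derive the special-permission table from
# Win32 access-mask bits, then decode a real ACL with the same bits. Path is assumed.

# Special permissions and their access-mask bits (winnt.h FILE_* rights and standard rights).
$special = [ordered]@{
    'Traverse Folder / Execute File' = 0x00000020   # FILE_EXECUTE / FILE_TRAVERSE
    'List Folder / Read Data'        = 0x00000001   # FILE_READ_DATA / FILE_LIST_DIRECTORY
    'Read Attributes'                = 0x00000080   # FILE_READ_ATTRIBUTES
    'Read Extended Attributes'       = 0x00000008   # FILE_READ_EA
    'Create Files / Write Data'      = 0x00000002   # FILE_WRITE_DATA / FILE_ADD_FILE
    'Create Folders / Append Data'   = 0x00000004   # FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY
    'Write Attributes'               = 0x00000100   # FILE_WRITE_ATTRIBUTES
    'Write Extended Attributes'      = 0x00000010   # FILE_WRITE_EA
    'Delete Subfolders and Files'    = 0x00000040   # FILE_DELETE_CHILD
    'Delete'                         = 0x00010000   # DELETE
    'Read Permissions'               = 0x00020000   # READ_CONTROL
    'Change Permissions'             = 0x00040000   # WRITE_DAC
    'Take Ownership'                 = 0x00080000   # WRITE_OWNER
    'Synchronize'                    = 0x00100000   # SYNCHRONIZE
}

# Basic permissions as Windows composes them from the generic file masks.
$FILE_GENERIC_READ    = 0x00120089
$FILE_GENERIC_WRITE   = 0x00120116
$FILE_GENERIC_EXECUTE = 0x001200A0
$basic = [ordered]@{
    'Full Control'         = 0x001F01FF
    'Modify'               = $FILE_GENERIC_READ -bor $FILE_GENERIC_WRITE -bor $FILE_GENERIC_EXECUTE -bor 0x00010000
    'Read & Execute'       = $FILE_GENERIC_READ -bor $FILE_GENERIC_EXECUTE
    'List Folder Contents' = $FILE_GENERIC_READ -bor $FILE_GENERIC_EXECUTE   # same bits; differs only in inheritance
    'Read'                 = $FILE_GENERIC_READ
    'Write'                = $FILE_GENERIC_WRITE
}

function Expand-AccessMask {
    # Names of the special permissions whose bits are all set in $Mask.
    param([Parameter(Mandatory)][int64]$Mask)
    $special.GetEnumerator() | Where-Object { ($Mask -band $_.Value) -eq $_.Value } | ForEach-Object { $_.Key }
}

# 1. Rebuild the table: one row per special permission, YES where the basic mask contains it.
$table = foreach ($s in $special.GetEnumerator()) {
    $row = [ordered]@{ 'Special permission' = $s.Key }
    foreach ($b in $basic.GetEnumerator()) {
        $row[$b.Key] = if (($b.Value -band $s.Value) -eq $s.Value) { 'YES' } else { 'NO' }
    }
    [pscustomobject]$row
}
$table | Format-Table -AutoSize

# 2. Decode a real ACL the same way. An ACE whose mask is not one of the six basic
#    masks is what the Security tab shows as "Special permissions".
$path = $env:windir   # assumed path; any file or folder works
$acl = foreach ($ace in (Get-Acl -Path $path).Access) {
    $mask = [int64]$ace.FileSystemRights -band 0x01FFFFFF   # drop GENERIC_* bits, which cast as negative values
    $name = ($basic.GetEnumerator() | Where-Object { $_.Value -eq $mask } | Select-Object -First 1).Key
    [pscustomobject]@{
        Identity = $ace.IdentityReference
        Type     = $ace.AccessControlType
        Basic    = if ($name) { $name } else { 'Special' }
        Special  = (Expand-AccessMask -Mask $mask) -join ', '
    }
}
$acl | Format-Table -AutoSize
```

Two rows that often surprise people fall straight out of the masks:
Write includes Read Permissions and Synchronize because FILE_GENERIC_WRITE
carries READ_CONTROL and SYNCHRONIZE, and Delete Subfolders and Files
(FILE_DELETE_CHILD) is in Full Control only, which is why Modify on a
folder does not let a user delete files they lack Delete on.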
HOTFIX
A hotfix is code (sometimes called a patch) that fixes a bug in a
product. Users of the product may be notified by e-mail, or may obtain
information about current hotfixes from the software vendor's Web site
and download the hotfixes they wish to apply. Hotfixes are sometimes
packaged as a set of fixes called a combined hotfix or a service pack.
Quick fix engineering (QFE) is a newer Microsoft term for a hotfix.
PATCH
- An application that has been installed using the Microsoft Windows
Installer can be upgraded by reinstalling an updated installation
package (.msi file), or by applying a Windows Installer patch (an .msp
file) to the application.
- A Windows Installer patch (.msp file) is a self-contained package
that contains the updates to the application and describes which
versions of the application can receive the patch.
- Patches contain, at a minimum, two database transforms and can
contain patch files that are stored in the cabinet file stream of the
patch package.
- Servicing applications by delivering a Windows Installer patch,
rather than a complete installation package for the updated product,
can have advantages:
- A patch can contain an entire file or only the file bits necessary
to update part of the file. This can enable the user to download an
upgrade patch that is much smaller than the installation package for
the entire product.
- An update using a patch can preserve a user's customization of the
application through the upgrade.
- The word "patch" also has an older, unrelated meaning on Unix
systems: the patch program takes a patch file containing a difference
listing produced by diff and applies those differences to one or more
original files, producing patched versions.
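The hotfix and patch sections above describe what a QFE and an .msp
are but not how an administrator applies one safely. The script below
is an added example, not part of the original page: it lists the
installed hotfixes (Get-HotFix reads the Win32_QuickFixEngineering
class, hence the QFE name), then applies a Windows Installer patch
unattended after checking its Authenticode signature, writing a log,
and interpreting msiexec's exit code. The patch path is an assumption
for illustration.

```powershell
# Added example, not from the original page: list installed QFEs, then apply a Windows
# Installer patch (.msp) with signature check, log and exit-code handling. Path assumed.
#Requires -RunAsAdministrator

# 1. Installed hotfixes (Win32_QuickFixEngineering), most recent first.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 -Property HotFixID, Description, InstalledOn

function Install-MsiPatch {
    param(
        [Parameter(Mandatory)][string]$PatchPath,
        [string]$LogPath = (Join-Path $env:TEMP ('msp-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date)))
    )
    # 2. A patch runs with Windows Installer's privileges, so refuse anything that is not
    #    validly signed before msiexec ever opens it.
    $sig = Get-AuthenticodeSignature -FilePath $PatchPath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to apply '$PatchPath': signature status is $($sig.Status)"
    }
    Write-Host "Patch signed by: $($sig.SignerCertificate.Subject)"

    # 3. Apply unattended. /update applies the .msp to every installed product it targets;
    #    /l*v writes a verbose log, the first place to look when the exit code is not 0.
    $msiArgs = @('/update', "`"$PatchPath`"", '/quiet', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # 4. Windows Installer exit codes that matter for a patch run.
    switch ($proc.ExitCode) {
        0    { 'Patch applied' }
        3010 { 'Patch applied; reboot required' }
        1642 { 'Not applicable: no installed product matches the versions this patch targets' }
        1603 { throw "Fatal error during installation; see $LogPath" }
        default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
    }
}

Install-MsiPatch -PatchPath 'C:\Patches\Product-1.0.1.msp'   # assumed path
```

Exit code 1642 is the scripted form of the page's statement that a
patch "describes which versions of the application can receive the
patch": msiexec returns it when none of the installed products match
the patch's target list, and it should be treated as a skip, not a
failure, in a fleet-wide deployment.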