Manuals / Apple / Computer Equipment / Server

Apple 10.6 manual Administration Level Security, Setting Administration Level Privileges

Models: 10.6

1 197

Download 197 pages 50.37 Kb

Page 74

$count = @{[$_ =~ /$match/g]}; if($count > 0) {

$flag = 1;

}

}

close SBUFF;

if($flag == 1) {

"ssh $server -x -o batchmode=yes shutdown -r now"

}

}

Administration Level Security

Mac OS X Server can use another level of access control for added security. Administrators can be assigned to services they can configure. These limitations are enacted on a server-by-server basis. This method can be used by an administrator with no restrictions to assign administrative duties to other admin group users.

This results in a tiered administration model, where some administrators have more privileges than others for assigned services. This results in a method of access control for individual server features and services.

For example, Alice (the lead administrator) has control over all services on a given server and can limit the ability of other admin group users (like Bob and Cathy) to change settings on the server. She can assign DNS and Firewall service administration to Bob, while leaving Mail service administration to Cathy.

In this scenario, Cathy can’t change the firewall or any service other than mail. Likewise, Bob can’t change any services outside of his assigned services.

Tiered administration controls are effective in Server Admin and the serveradmin command-line tool. They are not effective against modifying UNIX configuration files throughout the system. Protect UNIX configuration files with POSIX-type permissions or ACLs.

Setting Administration Level Privileges

Mac OS X Server can use another level of access control for added security. Administrators can be limited to specific services they can configure. These limitations are enacted on a server-by-server basis. This method can be used by an administrator with no restrictions to assign administrative duties to other admin group users.

This results in a tiered administration model, where some administrators have more privileges than others for their assigned services. This results in a kind of access control for individual server features and services.

74

Chapter 4    Enhancing Security

Image 74

Apple 10.6 manual Administration Level Security, Setting Administration Level Privileges

Contents

Mac OS X Server 019-1410/2009-08-15 Contents Administration Tools Enhancing SecurityInstallation and Deployment Initial Server Setup Ongoing System Management Monitoring Your System Push Notification Server IndexContents About This Guide What’s in This GuideUsing Onscreen Help To see the most recent server help topicsDocument Road Map Getting StartedPreface About This Guide Getting Documentation Updates Getting Additional InformationSystem Requirements for Installing Mac OS X Server StandardsWhat’s New in Mac OS X Server ÂÂ iCal ServerWhat’s New in Server Admin Understanding Server Configuration MethodsSnmp NFS Supported Standards RadiusSystem Overview and Supported Standards System Overview and Supported Standards Mac OS X Server’s Unix Heritage Planning Server Usage Determining Your Server NeedsDetermining Whether to Upgrade or Migrate Setting Up a Planning TeamIdentifying Servers to Set Up Determining Services to Host on Each ServerPlanning Server Usage Defining an Integration Strategy Defining a Migration StrategyMigrating from Windows Defining Server Setup Infrastructure Requirements Defining Physical Infrastructure RequirementsSetting up basic server infrastructure Making Sure Required Server Hardware Is Available Minimizing the Need to Relocate Servers After SetupDefining Backup and Restore Policies Understanding Backup and Restore Policies Understanding Backup Types Understanding Backup Scheduling Understanding RestoresOther Backup Policy Considerations Defining a Backup Verification MechanismCommand-Line Backup and Restoration Tools Understanding Time Machine as a Server Backup ToolÂÂ Remote Access Settings ÂÂ Software Update ÂÂ Wiki ÂÂ XgridServer Admin Opening and Authenticating in Server AdminServer Admin Interface M NCustomizing the Server Admin Environment Server Assistant Server Assistant is used forServer Preferences Workgroup ManagerWorkgroup Manager Interface Server Monitor Customizing the Workgroup Manager EnvironmentFor additional information, see Server Monitor Help ICal Service Utility ICal Service Utility InterfaceSystem Image Management Media Streaming ManagementServer Status Widget Command-Line ToolsRAID Admin Xgrid Admin Podcast Capture, Composer, and ProducerApple Remote Desktop Enhancing Security About Physical SecurityNetwork DMZ About Network SecurityFirewalls and Packet Filters VLANs MAC FilteringTransport Encryption Payload EncryptionAbout File Encryption About File SecurityFile and Folder Permissions About Authentication and Authorization Secure DeleteYou have several options for authenticating users ÂÂ Secure Shell SSHSingle Sign-On About Certificates, SSL, and Public Key Infrastructure Public and Private KeysCertificates About Certificate Authorities CAsAbout Intermediate Trust About IdentitiesAbout Self-Signed Certificates From the command line Certificate Manager in Server AdminTo configure clients to trust a certificate Enhancing Security Readying Certificates To create a self-signed certificate Creating a Self-Signed CertificateRequesting a Certificate from a Certificate Authority To request a signed certificateCreating a Certificate Authority To create a CAEnhancing Security To create a certificate for someone else Using a CA to Create a Certificate for Someone ElseImporting a Certificate Identity To import an existing OpenSSL style certificateManaging Certificates Editing a CertificateTo distribute your certificate to your clients Distributing a CA Public Certificate to ClientsDeleting a Certificate To delete a certificateReplacing an Existing Certificate Using CertificatesRenewing an Expiring Certificate To renew an expiring certificateSSH and SSH Keys Key-Based SSH LoginTo do this, run the following commands in Terminal Generating a Key Pair for SSHKey-Based SSH with Scripting Sample Administration Level Security Setting Administration Level PrivilegesTo set Sacl permissions for a service Service Level SecuritySetting Sacl Permissions Security Best Practices Password Guidelines Creating Complex Passwords Gather your information Installation OverviewConfirm you meet the requirements Start the installer Set up the environment Start up the computer from an installation disk Prepare the target disk Set Up Services Gathering the Information You NeedConnecting to the Directory During Installation Setting Up Network ServicesAbout the Server Install Disc SSH During InstallationAdministration Tools CD Preparing an Administrator ComputerMac OS X Server Install Disc Before Starting Up About Starting Up for InstallationTo install Mac OS X Server v10.6 administration tools Starting Up from an Alternate Partition Starting Up from the Install DVDTo start up the computer with the installation disc To create an image of the Install DVD Create a restorable image of the Install DVD Restore the image to the alternate partition Prepare the disks and partitions on the target computerTo restore the image to a free volume Remotely Accessing the Install DVD To access the computer with Server AssistantTo access the computer with SSH To access the computer with VNCTo access the computer using Screen Sharing Identifying Remote Servers When Installing Mac OS X Server Identify the target serverStarting Up from a NetBoot Environment Start up the computer from the NetBoot server Preparing Disks for Installing Mac OS X Server Create a NetInstall image from the Install DVD To create a NetInstall image from the Install DVDChoosing a File System ÂÂ Mac OS Extended Journaled, Case-Sensitive aka HfsxAbout Hard Disk Partitioning To partition a disk using Disk Utility Partitioning a DiskSo the command is About Creating a RAID SetTo create a RAID set using Disk Utility You cannot create a RAID set from the startup diskDiskutil createRAID mirror setName format device device Installing Server Software Interactively For exampleInstalling Locally from the Installation Disc To install server software locallyInstalling Remotely with Server Assistant To install on a remote server by using Server AssistantInstalling Remotely with Screen Sharing and VNC Changing a Remote Computer’s Startup Disk To change a remote computer’s startup diskTo use installer to install server software 105 More Interactive Methods of Installation Installing Multiple ServersMost Efficient Methods of Installation How to Keep Current Upgrading a Computer from Mac OS X to Mac OS X ServerInformation You Need Postponing Server Setup Following InstallationTo postpone setting up Mac OS X Server About Settings Established During Initial Server Setup Connecting to the Network During Initial Server SetupConfiguring Servers with Multiple Ethernet Ports Specifying Initial Open Directory Usage ÂÂ Create Users and GroupsÂÂ Import Users and Groups Not Changing Directory Usage When UpgradingÂÂ Configure Manually Setting Up a Server as a Standalone Server Binding a Server to Multiple Directory ServersSetting up Servers Interactively To interactively connect to an additional directory serverTo set up servers interactively Select the target servers from the configuration listUsing Automatic Server Setup Creating and Saving Setup Data To create a setup data file Using Encryption with Setup Data Files How a Server Searches for Saved Setup Data FilesSetting Up Servers Automatically Using Data Saved in a File Restart the remote server To use setup data from a file remotelyCreate the saved setup folder on the remote server To set the server serial numberHandling Setup Errors To change services to administer Setting Up ServicesAdding Services to the Server View From the command-lineSetting Up All Other Services Setting Up Open DirectorySetting Up User Management To set up a user accountComputers You Can Use to Administer a Server Setting Up an Administrator ComputerUsing a Non-Mac OS X Computer for Administration Insert the Mac OS X Server Admin Tools CDUsing the Administration Tools Working with Pre-v10.6 Computers from v10.6 ServersPorts Used for Administration Ports Open By DefaultServer Admin Basics Adding and Removing Servers in Server AdminTo create a server group Grouping Servers Using Smart GroupsGrouping Servers Manually Working with Settings for a Specific Server To create a server smart groupToolbar button Shows 132 Understanding Mac OS X Server Names ÂÂ Directory Service ÂÂ Firewall ÂÂ Mobile AccessÂÂ NetBoot Directory Service and Kerberos DhcpFirewall Mobile Access Proxy ServicesNetBoot ÂÂ MySQL WebWiki Certificates for Web and Wiki ServicesMySQL 138 Imap and POP Certificates for Mail ServicesÂÂ Certificates for collaboration services Mailing ListIChat Service Address Book ServiceICal Service Certificates for Collaboration Services To change the IP address of the Podcast Producer computer To change the DNS name of the Podcast Producer computerPush Notification Software Update ServerPrint XgridChanging the Server’s Computer Name and the Local Hostname Changing the Server’s DNS Name After SetupChanging the IP Address of a Server To change the DNS nameTo change computer name and local hostname Administering ServicesFrom the command line To add or remove a service in Server Admin Adding and Removing Services in Server AdminImporting and Exporting Service Settings To export service settingsControlling Access to Services To configure service access SACLsUsing SSL for Remote Server Administration Managing SharingTiered Administration Permissions To assign permissions Defining Administrative PermissionsWorkgroup Manager Basics Working with Users and Groups Administering AccountsOpening and Authenticating in Workgroup Manager 152 Defining Managed Preferences Working with Directory Data To display the inspectorAssistants are available for the following services Service Configuration AssistantsCritical Configuration and Data Files GeneralIChat Server Firewall ServiceMail Service Mail-POP/IMAP Server DovecotMySQL Service NAT ServiceQuickTime Streaming Server OpenDirectory ServiceNotifications Tomcat App ServerEliminating Single Points of Failure Improving Service AvailabilityWeb Service Wiki and Blog ServerUsing Xserve for High Availability Using UPS with Xserve Setting Up Your Server for Automatic RestartUsing Backup Power Following is the Energy Saver panel of System PreferencesProviding Open Directory Replication To enable automatic restartEnsuring Proper Operational Conditions Automatic restart options areLink Aggregation About the Link Aggregation Control Protocol Lacp Link Aggregation ScenariosComputer to Switch Setting Up Link Aggregation in Mac OS X Server To create a link aggregateMonitoring Link Aggregation Status To monitor the status of a link aggregateLoad Balancing Daemon Overview Using launchd for Daemon ControlÂÂ mDNSresponder local network service discovery process Viewing Running Daemons170 Planning a Monitoring Policy Planning Monitoring ResponseTo configure the Server Status widget Using with Server Status WidgetUsing Server Monitor Using Disk Monitoring Tools Using RAID Admin for Server MonitoringUsing Console for Server Monitoring Using Network Monitoring Tools To set a notification Using Server Status Notification in Server AdminMonitoring Server Status Overviews Using Server Admin To see a status overview for one serverUsing Remote Kernel Core Dumps Following shows a sample Overview pane for a single server177 Setting Up a Core Dump Server Setting up a core dump serverRestart the computer for the settings to take effect Setting Up a Core Dump ClientSetting up a core dump client Configuring Common Core Dump Options About Simple Network Management Protocol SnmpEnabling Snmp reporting Configuring snmpdTo enable Snmp Restart snmpd to take changes To enable and configure Snmp Customize data Tools to Use with Snmp About Notification and Event Monitoring DaemonsAdditional Information about Snmp There are two main notification daemons syslogd and emond Logging SyslogOpen Directory Logging Directory Service Debug LoggingSyslog Configuration File To start debugging at startupAFP Logging To enable client-side loggingAdditional Monitoring Aids To run slapd in debugging modePush Notification Server About Push Notification ServerTo enable Push Notification Starting and Stopping Push NotificationTo change the existing push notification server Changing a Service’s Push Notification ServerClick Save, then restart the service Index 192 193 194 195 196 197