Feb 22, 2014

Paul Sherman
Na Li

Just Enough SAS to Identify Yourself in a Networked World

Article & Slides: www.idiom.com/~sherman/paul/pubs/netcmd

Overview


What’s wrong with networking


Topology


Authentication Process


Pitfalls


The net.exe command


Example


A %netauth utility macro

What’s Wrong With Networking


Permission denied.


Access is denied.


Lost connection (Re-boot and forget to re-map?)


But it runs on my local PC!

The Network is Your Friend


Time, Share & Use


in a single command


%sysexec()


“x” gets you to DOS prompt

Everything has a UNC path:

\\Host name\Share name\file system path

Tell %netauth() whenever you need to CONNECT or DISCONNECT a remote host

Network Topology

Domains

Typical of many large corporate intranets

Managed centrally

Easier to administrate

Synonymous access to all hosts

[Diagram: domain codcor.psug.org with PDC CODCORDC01; labels CRFPROT, SAFETY, BIOMETRIC, EFFICACY, JLO, JEFF, MARY]


Network Topology

Workgroups

Small labs and home offices

Managed individually

Cumbersome to administrate

Easier to develop applications within

Less prone to system-wide failures

[Diagram: workgroup; labels CRFPROT, SAFETY, BIOMETRIC, EFFICACY, JLO, JEFF, MARY]


The Authentication Process

Client contacts Domain Controller (DC)

DC forwards request to host

Host responds to DC with accept or deny

DC grants access to Client

Client & Host can now communicate

The Authentication Process

[Diagram, Domain: CLIENT, HOST, DOMAIN CONTROLLER (PDC); arrows labelled auth, request, respond, proceed, grant]

[Diagram, Workgroup: CLIENT, HOST; arrows labelled auth, grant, proceed]

A Word About Scope

Get Close

Pitfall #1

A Word About Scope

John’s code

copy g:\raw.sd2 c:\
copy c:\ae.prn g:\
copy g:\marydat.sd2 c:\

(a) Fails

(b) Writes output where it doesn’t belong

(c) All of the above

[Diagram: John and Mary each “map G:”; labels SAFETY, CRFPROT, C:\user\john\sas, C:\user\mary\sas\dev, G:; files raw.sd2, ae.prn, marydat.sd2]

Pitfall #1

More Words of Scope


Network resources are global to all users

Avoid absolute drive letter mappings

Use “UNC” path references, always

John:
net use \\safety\c$\user\john\sas /user:john j

Mary:
net use \\safety\c$\user\mary\sas\dev /user:mary m

Pitfall #1

Credential Conflict

net use \\crfprot\ib /user:jeff j
net use \\crfprot\ib /user:melissa m

This set of credentials conflicts with an existing set of credentials

[Diagram: Jeff and Melissa authenticate (“auth. Jeff”, “auth. Melissa”); labels CRFPROT, BIOMETRIC, Read & Write, Read-only]

Pitfall #2

Avoiding Credential Conflict

Schedule remote jobs synchronously, or

Use dotted-decimal addressing

net use \\crfprot\ib /user:jeff j
net use \\1.2.3.4\ib /user:melissa m

ping the host to find its dotted-decimal address

Pitfall #2

The Case of the Wrong Case

Jeff

net use \\biometric\patprof\peopledata /user:jeff j
copy c:\123-45-6789.doc \\biometric\PatProf\PeopleData

Permission Denied

Be careful with case in Auth & Usage!

[Diagram: BIOMETRIC; file 123-45-6789.doc]

Pitfall #3
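
An added example, not part of the original slides: a Python check that scans a batch of DOS commands for the three pitfalls above (drive letters, a second user name against the same host name, and one UNC path spelled with different case). The function name lint, the rule names, and treating only C: as a local drive are assumptions of this example; the sample commands are constructed from the slides.

```python
import re
from collections import defaultdict

# Constructed sample: command lines from the three pitfall slides, one per line.
SAMPLE = r"""
copy g:\raw.sd2 c:\
net use \\crfprot\ib /user:jeff j
net use \\crfprot\ib /user:melissa m
net use \\1.2.3.4\ib /user:melissa m
net use \\biometric\patprof\peopledata /user:jeff j
copy c:\123-45-6789.doc \\biometric\PatProf\PeopleData
"""

UNC = re.compile(r"\\\\([^\\\s]+)((?:\\[^\\\s]+)*)")   # \\host\share\path
USER = re.compile(r"/user:(\S+)", re.I)                # net use /user:name
DRIVE = re.compile(r"\b([A-Za-z]):\\")                 # g:\ style reference

def lint(script, local_drives=("c",)):
    """Return sorted (line_no, rule, detail) findings for a batch of commands."""
    findings = []
    users = defaultdict(set)      # host name as typed, lower-cased -> users asserted
    spellings = defaultdict(set)  # lower-cased UNC path -> spellings already seen
    for no, line in enumerate(script.strip().splitlines(), 1):
        # Pitfall #1: a non-local drive letter depends on who mapped it.
        for letter in DRIVE.findall(line):
            if letter.lower() not in local_drives:
                findings.append((no, "drive-letter", letter.upper() + ":"))
        user = USER.search(line)
        for host, rest in UNC.findall(line):
            path = "\\\\" + host + rest
            # Pitfall #3: auth and usage spell the same path with different case.
            seen = spellings[path.lower()]
            if seen and path not in seen:
                findings.append((no, "case-mismatch", path))
            seen.add(path)
            # Pitfall #2: a second user asserted against the same host name.
            if user and line.lower().startswith("net use"):
                known, name = users[host.lower()], user.group(1).lower()
                if known and name not in known:
                    findings.append((no, "credential-conflict", host.lower()))
                known.add(name)
    return sorted(findings)

if __name__ == "__main__":
    for no, rule, detail in lint(SAMPLE):
        print(f"line {no}: {rule}: {detail}")
```

The dotted-decimal line is not flagged, because hosts are compared by the name as typed, which mirrors the workaround on the “Avoiding Credential Conflict” slide.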

Networking “Best Practice”


Separate “Auth” and “Usage” tasks

Assert credentials with IPC$ virtual share

Work with remote host as normal

De-auth the IPC$ share when finished

net use \\safety\ipc$ /user:melissa m
copy \\safety\ae\x.prn \\safety\lab\x.prn
del \\safety\logs\myprog.txt
net use \\safety\ipc$ /d

The net.exe Command

Part of Windows since Win95

C:\> net time    Check & Sync time
C:\> net view    Query shares & volumes
C:\> net use     Mount & Unmount drives

Synchronizing Time

x "net time \\efficacy.psug.org /set /y";

[Diagram: John and EFFICACY; clock labels 2:43 PM, 3:06 PM, 3:06 PM]

Example

Learning to Share

net view \\efficacy.psug.org

[Diagram: Mary and EFFICACY; labels demog, survival, response]

Example


Using %netauth()

Send message at start & end of remote work

Be careful with case of host, share and path

%netauth(CONNECT);
x "net time \\host /set /y";
x "copy c:\sas\work\out\*.gif \\host\web\Charts";
libname inlib "c:\sas\work\lib";
libname outlib "\\host\web\SASLib";
proc datasets library=inlib; copy out=outlib; run; quit;
libname outlib clear;
libname inlib clear;
%netauth(DISCONNECT);

How %netauth() Works

%macro netauth( mode );
  /* ddd, uuu and ppp stand for each host's domain, user name and password */
  %local domain_a ua pa domain_b ub pb;
  %let domain_a=ddd; %let ua=uuu; %let pa=ppp;
  %let domain_b=ddd; %let ub=uuu; %let pb=ppp;
  /* run each x command to completion and return without waiting for EXIT */
  options xsync noxwait;
  %if %trim(%upcase(&mode.)) eq CONNECT %then %do;
    x "net use \\crfprot\ipc$ /user:&domain_a.\&ua. &pa.";
    x "net use \\safety\ie /user:&domain_b.\&ub. &pb.";
  %end; %else
  %if %trim(%upcase(&mode.)) eq DISCONNECT %then %do;
    x "net use \\crfprot\ipc$ /d";
    x "net use \\safety\ie /d";
  %end; %else %do;
    %put ERROR: bad &mode. Expected CONNECT or DISCONNECT;
  %end;
%mend;

Very important

Conclusion


Manage & control remote hosts with net.exe

Authenticate

What you need

When you need it

Never longer than necessary

Never use drive letters!

UNC paths are Linux-compliant, too


Be careful with case

More Info …


Microsoft Knowledge Base

219898 “How the Bad Password Count is Incremented in Windows NT”

314984 “How to create and delete hidden or administrative shares on client computers”

Na Li, “Applications for Running DOS Commands within SAS”, PharmaSUG 2005, Posters, PO-13.

About the Speakers

Speaker: Na Li, Sr. Project Analyst
Telephone: (408) 990-7293
E-Mail: nli@pcyc.com

Speaker: Paul D Sherman, Electrical Engineer
Telephone: (408) 383-0471
E-Mail: sherman@idiom.com

Web Site: www.idiom.com/~sherman/paul/pubs/netcmd