DOCUMENT:Q102608  31-AUG-1993  [W_NTAS]
TITLE   :Security Comparison: Windows NT vs. LAN Manager
PRODUCT :Microsoft Windows NT Advanced Server
PROD/VER:3.10
OPER/SYS:WINDOWS
KEYWORDS:

--------------------------------------------------------------------
The information in this article applies to:

  - Microsoft Windows NT Advanced Server version 3.1
--------------------------------------------------------------------

The following table lists the security differences between Windows NT
Advanced Server and LAN Manager.

   Windows NT Advanced Server        LAN Manager
   ----------------------------------------------------------------

1.  User and group permissions       Individual user permissions
    are cumulative. Deny access      take precedence over groups.
    takes precedence over grant
    access.

2.  Contains a domain controller     Contains a primary domain
    and servers. (All servers        controller, backup controllers,
    act as backup domain             member servers, and stand-alone
    controllers.)                    servers.

3.  An account and password must     Local security is optional, and
    be used to log on to a local     only supported on LAN Manager
    computer.                        servers.

4.  Trust relationships between      Trust relationships are not
    domains are supported.           supported.

    Supports a single network        Users must log on to each
    for all trusted domains.         domain separately.

5.  File and directory ownership     Ownership concept is not
    is supported. Owners can         supported.
    grant and deny access.

    Administrators may be denied     Administrators have access to
    access to resources they don't   all resources.
    own (they may take ownership,
    which creates an audit trail).

6.  System functions (such as        System functions are not
    setting system time and          protected.
    formatting the hard disk)
    are protected.

7.  Local and global groups are      Local groups are not recognized.
    recognized.

8.  Windows NT computers can only    LAN Manager computers can be
    be administered from other       administered from any MS-DOS,
    Windows NT computers.            UNIX, or OS/2 computer running
                                     LAN Manager, or from a Windows 
                                     NT computer.

9.  File and directory permissions   Permissions apply only to network
    apply to local and network       users, unless local security is
    users.                           implemented.


NOTES
=====

In #1 above, when Windows NT checks permissions it makes a single pass over
the permission entries, without distinguishing user entries from group
entries. Granted rights accumulate as matching entries are found, but as
soon as a "deny access" entry matching the user or one of the user's
groups is reached, the check stops and access to the resource is denied.
LAN Manager instead makes two passes when checking resource permissions: a
user pass and a group pass. It is therefore possible for LAN Manager to
deny a user access in the user pass and then grant that user access in the
group pass, because the user belongs to a group that has access to the
resource.
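The two evaluation rules described in this note, as an added example that is
not part of the original article and is not Windows NT or LAN Manager code: a
small Python model of each rule, run over constructed sample permission lists.
The Ace and Principal types, the right flags, the sample ACLs, and the
treatment of a LAN Manager "no access" permission as an entry that contributes
no rights are this example's own assumptions.

```python
"""Added example (not from the Knowledge Base article): models of the two
permission-evaluation rules described in note #1, run over constructed ACLs.
The types, right flags and ACL contents below are this example's own
assumptions, not Windows NT or LAN Manager code."""
from dataclasses import dataclass

# Right flags used by the sample ACLs (names chosen for this example).
READ, WRITE, EXECUTE = "R", "W", "X"
ALL = frozenset({READ, WRITE, EXECUTE})
NONE = frozenset()


@dataclass(frozen=True)
class Ace:
    """One permission entry for a user or group name.  allow=False models a
    "deny access" entry: in the NT model it stops the check; in the LAN
    Manager model it is treated as an entry contributing no rights
    (a modelling assumption for LAN Manager's "no access" permission)."""
    trustee: str
    rights: frozenset
    allow: bool = True


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


def nt_check(acl, principal, wanted):
    """Windows NT rule from note #1: a single ordered pass, user and group
    entries treated alike.  Granted rights accumulate across entries; the
    first matching deny entry terminates the check with denial."""
    identities = {principal.name} | set(principal.groups)
    granted = set()
    for ace in acl:
        if ace.trustee not in identities:
            continue
        if not ace.allow:
            return False            # deny takes precedence over grant
        granted |= ace.rights
        if wanted <= granted:
            return True             # cumulative grants satisfy the request
    return wanted <= granted


def lm_check(acl, principal, wanted):
    """LAN Manager rule from note #1 and row 1 of the table: a user pass,
    then a group pass.  An entry for the user name itself settles the
    question (user permissions take precedence over groups); otherwise the
    rights of all the user's groups are combined."""
    def rights_of(ace):
        return ace.rights if ace.allow else NONE

    for ace in acl:                 # user pass
        if ace.trustee == principal.name:
            return wanted <= rights_of(ace)
    granted = set()
    for ace in acl:                 # group pass
        if ace.trustee in principal.groups:
            granted |= rights_of(ace)
    return wanted <= granted


def divergent_cases():
    """Two constructed ACLs on which the rules give opposite answers.
    Returns {case: (nt_result, lm_result)} for a write request by a user
    who belongs to both the Staff and Contractors groups."""
    alice = Principal("alice", frozenset({"Staff", "Contractors"}))
    want_write = {WRITE}

    # Case 1: a deny entry on one of alice's groups, full access on another,
    # and no entry for alice herself.
    acl1 = [Ace("Contractors", ALL, allow=False), Ace("Staff", ALL)]

    # Case 2: alice herself limited to read, while her group may write.
    acl2 = [Ace("alice", frozenset({READ})), Ace("Staff", ALL)]

    return {
        "group deny vs group grant":
            (nt_check(acl1, alice, want_write), lm_check(acl1, alice, want_write)),
        "user read-only vs group write":
            (nt_check(acl2, alice, want_write), lm_check(acl2, alice, want_write)),
    }


if __name__ == "__main__":
    for case, (nt, lm) in divergent_cases().items():
        print(f"{case}: Windows NT -> {'grant' if nt else 'deny'}, "
              f"LAN Manager -> {'grant' if lm else 'deny'}")
```

Note that in the Windows NT model the position of a deny entry matters: if the
entries of the first sample ACL are swapped, the Staff grant satisfies the
write request before the Contractors deny is ever reached, and the model
grants access. This is why deny entries belong ahead of grant entries in an
ordered list that is evaluated this way.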

In #2 above, LAN Manager servers in a Windows NT Advanced Server domain
cannot act as primary domain controllers. They also cannot validate logon
attempts from Windows NT or Windows NT Advanced Server computers, but they
do maintain a copy of the user accounts database and can validate logons
from LAN Manager servers and clients in a mixed LAN Manager and Windows NT
domain.

In #3 above, users from outside a Windows NT Advanced Server/LAN
Manager domain will not be able to access the LAN Manager domain
resources unless a local account is created in the Networks option in
the Windows NT Advanced Server Control Panel. This is because LAN
Manager servers do not recognize global groups and trust
relationships.

The NET ACCESS command, which displays or changes a user's permissions
for a shared directory, is not a valid command in Windows NT Advanced
Server.

Additional reference words: 3.10

KBCategory:
KBSubcategory: ntadsrv

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1993.