Homedir ACL to everyone, is it safe?

Lardossan
Hi everyone,

We're implementing NetApp homedir and we want to use dynamic CIFS home directories (%w).

If all NT users' homedirs have the Everyone ACL, is it safe, security-wise, to assume no one can hop into another's homedir?
1 ACCEPTED SOLUTION

mbeattie

Hi,

Please see the following KB article:

https://kb.netapp.com/support/index?page=content&id=1015284&locale=en_US

The default CIFS share ACL will be set to "Everyone - Full Control"; however, you should then restrict the NTFS permissions on each user's home directory (subfolder within volume\qtree) to their individual Active Directory user account (and I'd recommend including an administrative group in the NTFS permissions for the purpose of data restores). Also keep in mind that the default permissions on the FlexVol will be "Everyone - Full Control", so I'd recommend restricting this to an administrative group before creating qtrees, CIFS shares or copying any data to the volume.

As NTFS permissions are derived from the combination of the CIFS share and NTFS permissions, the most restrictive configuration will apply. So, assuming you set NTFS permissions appropriately on each user's home directory folder, this will prevent a user from accessing another user's home directory (even if you leave the default CIFS share ACL as "Everyone - Full Control").

It's also worth noting that if you want to grant users full control access to their home directory data, then the CIFS share ACL needs to be set to "Full Control", not "Change", as setting it to "Change" would limit the user's effective NTFS permissions to Modify. If you want to change the default share permissions to use something other than "Everyone", then consider applying the "Authenticated Users" or "Domain Users" group instead.

Please let me know if you have any questions.

/matt

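One way to verify the NTFS side of the advice above, as an added example that is not part of the original post: a PowerShell audit that lists every Allow ACE on the home-directory root and on each user's subfolder that belongs to neither the folder's own user nor an administrative principal. The UNC path, domain name and admin group are placeholders, and folder names are assumed to equal the user's Windows logon name.

```powershell
# Added example: audit NTFS ACLs under a CIFS home-directory root.
# Assumed placeholders (not from the post): the UNC path, the domain name,
# and the administrative group. Folder names are assumed to match each
# user's Windows logon name, as the %w home-directory naming implies.
param(
    [string]$HomeRoot  = '\\filer.example.com\homes_admin$',
    [string]$Domain    = 'EXAMPLE',
    [string[]]$Allowed = @('EXAMPLE\HomeDir-Admins', 'BUILTIN\Administrators',
                           'NT AUTHORITY\SYSTEM')
)

# Groups that contain (nearly) every account; an Allow ACE for any of them
# on a home folder lets users reach each other's data.
$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users',
           'BUILTIN\Users', "$Domain\Domain Users")

function Get-UnexpectedAce {
    param([string]$Path, [string]$Owner)   # $Owner is empty for the root
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs only restrict
        $id = $ace.IdentityReference.Value
        if ($Allowed -icontains $id) { continue }              # admin/restore principals
        if ($Owner -and $id -ieq $Owner) { continue }          # the folder's own user
        [pscustomobject]@{
            Path      = $Path
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Reason    = if ($Broad -icontains $id) { 'broad group' } else { 'unexpected principal' }
        }
    }
}

# The volume/qtree root itself should only be open to administrators.
$findings = @(Get-UnexpectedAce -Path $HomeRoot -Owner '')
# Each subfolder should be open only to its own user plus $Allowed.
foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $findings += @(Get-UnexpectedAce -Path $dir.FullName -Owner "$Domain\$($dir.Name)")
}

$findings | Sort-Object Path, Identity | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }   # non-zero exit for scheduled checks
```

Rows marked `Inherited = True` point back at the parent folder, so fix the ACL on the root before correcting individual home directories.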
