Controlling Access to Shared Folders

In many cases, you won’t want everyone to have access to your file services. A few simple steps can greatly increase the security of your file server.

Reduce the Number of File-Sharing Services

First and foremost, reduce the number of running services. Every service that’s running on your server represents a potential point of entry for an unwanted visitor, so running fewer services reduces this risk. For example, if you have only Mac OS X computers connecting to your server, you probably don’t need the SMB or FTP services running. Similarly, if you’re only providing services to Windows computers, the AFP and FTP services likely won’t be used and can be stopped. In most cases, the FTP service should only be used when you need to provide access to the broadest set of computers external to your organization.

Remove Guest Access for Every Share Point

The next thing to consider is guest access. If you are sharing files only with members of your organization who have accounts on your server, or if everyone is bound to the same directory server, you should consider removing guest access. Remember that there are a few places you can set this. Follow these steps to remove guest access for every protocol on every share point:

  1. Open Server Admin and connect to your server.
  2. Click the File Sharing button in the toolbar.
  3. Click the Share Points button just below the toolbar.
  4. Select a share point.
  5. Click the Share Points pane in the bottom half of the window.
  6. Click the Protocol Options button.

    A dialog will appear with options for each protocol that applies to that share.

  7. For each protocol, deselect “Allow guest access.”
  8. Click OK.
  9. Click Save.
  10. Repeat for every share point on your server.

Remove Guest Access for Each Protocol

Next, remove guest access at the level of each protocol. Though disabling guest access either for each share point or for the entire protocol will accomplish what you’re looking for, it’s best to disable it in both places to minimize the risk of reactivation.

  1. In Server Admin, click the AFP service in the left column.
  2. Click the Settings button in the toolbar.
  3. Click the Access tab.
  4. Deselect “Enable Guest access.”
  5. Click Save.
  6. Repeat the same steps for the FTP and SMB services.

Set Up SACLs

Review who has access to connect to each of your file-sharing services. This access is controlled through the use of SACLs, a topic described in more detail in Chapter 2, “Authenticating and Authorizing Accounts.” With SACLs in place, connecting to your file server requires explicit permission: each user, or a group the user belongs to, must be registered as being allowed to use a given service. You can set up SACLs using these steps:

  1. In Server Admin, select your server name in the left column.
  2. Click Access in the toolbar.
  3. Select the services you wish to restrict.
  4. Determine which users and/or groups should have access to that service.
  5. Click Save.

Once complete, review the file system permissions on the folders that are your share points. These permissions control which share points are listed on a client when it connects to your server. In many cases, you should also review the permissions of the enclosed folders, because a larger group will often have access to the share point than will have access to all of its subfolders.
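
The review of enclosed folders described above can be partly automated. The following shell function is an added example, not taken from the book: it lists folders inside a share point whose POSIX mode still grants access to "others", so each one can be confirmed as intentional. It checks mode bits only, and the folder names in the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag folders inside a share point whose POSIX mode still
# grants access to "others". Mode bits only; ACL entries are not examined.

# audit_share DIR
#   prints "WORLD-WRITABLE <path>" for enclosed folders with o+w
#   prints "WORLD-READABLE <path>" for enclosed folders with o+r or o+x only
#   returns 0 = nothing flagged, 1 = findings, 2 = DIR is not a directory
audit_share() {
    as_dir=$1
    [ -d "$as_dir" ] || { echo "not a directory: $as_dir" >&2; return 2; }
    as_found=$(
        # -mindepth 1 skips the share point itself, which is expected to be
        # open to the larger group; only enclosed folders are reported.
        find "$as_dir" -mindepth 1 -type d -perm -002 -print |
            sed 's/^/WORLD-WRITABLE /'
        find "$as_dir" -mindepth 1 -type d ! -perm -002 \
            \( -perm -004 -o -perm -001 \) -print |
            sed 's/^/WORLD-READABLE /'
    )
    [ -z "$as_found" ] && return 0
    printf '%s\n' "$as_found"
    return 1
}

# Constructed sample tree (hypothetical folder names) so the audit can be
# tried without touching a real share point.
demo=$(mktemp -d)
mkdir -p "$demo/share/Public" "$demo/share/Drop" "$demo/share/Finance/Payroll"
chmod 755 "$demo/share" "$demo/share/Public"   # open to everyone
chmod 733 "$demo/share/Drop"                   # others can write, not list
chmod 770 "$demo/share/Finance"                # owner and group only
chmod 750 "$demo/share/Finance/Payroll"
audit_share "$demo/share" || echo "review the folders listed above"
rm -rf "$demo"
```

On a server, pass the path of an actual share point instead of the sample tree; any ACL entries on those folders need a separate review, for example with `ls -le`.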
