4.3 File Server Security
Secure Copy Protocol (SCP)
SCP uses Secure Shell version 1 (SSH1) to secure file transfers and login credentials.
Network-attached storage (NAS)
A standalone storage device or appliance that acts as a file server.
Shared Folder
A folder whose contents are available over the network.
Storage Area Network (SAN)
A special network composed of high-speed storage that is shared by multiple servers.
Data Transfer Security Protocols
The following table describes considerations for securing file transfer using TCP/IP protocols:
File Server Resource Manager (FSRM)
With Windows Server 2008 and later, you can use FSRM to control files saved on a file server.
> Quotas limit the amount of data that can be saved within a folder. A hard limit prevents exceeding the quota limit, while a soft limit sends a message when the limit is exceeded.
> File screens restrict the type of files that can be saved in a folder. For example, you can prevent media files (audio or video) or files with specific file extensions from being saved. An active file screen prevents saving the specified file types, while a passive screen monitors when the specified file types are added to the folder.
Storage Area Network (SAN)
A SAN is a special network composed of high-speed storage that is shared by multiple servers. A SAN is typically a separate network that only file servers attach to. Security for a SAN is provided by the following:
> Logical Unit Number (LUN) masking identifies devices that are allowed to attach to a logical unit.
> SAN zoning groups SAN devices and servers into security zones. Only devices within the security zone can access data on the storage unit.
> The Fibre Channel Authentication Protocol (FCAP) provides a method for mutual authentication of devices within the SAN.
*SANs are typically more secure than NAS solutions.
Shared Folder
A folder whose contents are available over the network.
> An administrative share is a shared folder that is available only to an administrative user.
> Administrative shares are hidden. This means that the share will not display when a user browses a network computer.
> By default, the root of every drive is an administrative share.
> In Windows, you can create hidden shares by appending a $ to the end of the share name (for example, DataFiles$).
> Users must know the name of the share to access it, as well as have the appropriate access permissions.
> Do not share the root directory with regular users.
Secure Shell File Transfer Protocol (SFTP)
SFTP is a file transfer protocol that uses Secure Shell version 2 (SSH2) to secure data transfers. SFTP is not FTP that uses SSH, but rather a secure transfer protocol that is different from FTP.
When managing the security of the file system, be aware of the following:
> The transfer of files between a client and a server is often unsecured. Use IPSec or a VPN between the server and the client to secure data as it travels through the network.
> File and print resources are primarily vulnerable to denial-of-service (DoS) and access attacks.
> Attacks on file servers are often directed against the NetBIOS protocol. To protect the server, verify that NetBIOS is not required on the server, disable the NetBIOS protocol on the server, and use a host-based firewall to close NetBIOS ports 135 and 137-139.
As you study this section, answer the following questions:
> How can you identify inherited permissions?
> How do Share and NTFS permissions differ?
> On which elements can NTFS permissions be set?
> How can you view the users who have permissions for a particular drive?
In this section, you will learn to:
> Configure NTFS permissions.
> Disable inheritance.
Big Data Storage
In modern network environments, many organizations must store extremely large amounts of data, referred to as big data. Be aware of the following regarding big data:
> The size of the dataset can be measured in exabytes.
> Big data can be analyzed to provide a wealth of information. Businesses use big data to identify business trends, create computer models, and isolate network attacks.
> The data set is so large that it is usually stored on NAS or SAN devices.
> The key problem associated with big data is that the data set can become so large that it can no longer be managed.
NTFS
NTFS permissions:
> Can be set on drives, folders, and files.
> Control both local and network access.
> Have dozens of permissions that offer granular control over what actions are allowed.
> Can be set only on volumes formatted with NTFS.
Secure FTP
Secure FTP (also known as FTP over SSH) tunnels FTP traffic through an SSH tunnel.
File System Security
Tasks to secure file servers include:
> Prevent physical access
> Implement the principle of least privilege
> Use full-disk encryption on backups
> Implement strong authentication
> Remove unnecessary software and disable unused services
> Use implicit deny access control lists (ACLs)
> Use hidden folders and files
> Audit the file system
Share
> Share permissions control access through a network connection with the file server.
> If files are accessed locally, share permissions do not control access.
> Share permissions have three levels of permissions:
  - Reader (read only)
  - Contributor (read and write)
  - Owner or Co-owner (full control, or all permissions)
> Share permissions can be set only on a folder.
File Transfer Protocol (FTP)
Be aware of the following when using FTP:
> Anonymous login (also known as blind or anonymous FTP) allows unrestricted access to the FTP server. Disable anonymous login to control access based on username.
> The username and password are transferred in cleartext and can be captured in transit by a sniffer. To protect logon credentials, implement a secure protocol, such as Secure Socket Layer (SSL).
> Use IPSec or a VPN tunnel to protect data transfers.
> The write permission allows users to upload files to the FTP server. Carefully restrict which users have the write permission.
> FTP uses port 21 for control information (such as logon) and port 20 for data transfer.
Managing File Systems Tips
Be aware that:
> Both share and NTFS permissions use a discretionary access control list (DACL) for controlling access. The access list identifies the users or groups and their associated permissions to files or folders.
> Both share and NTFS permissions include Allow or Deny permissions. Deny permissions override Allow permissions.
> Both share and NTFS permissions must be configured to allow access through the share. If a user is allowed share access but no NTFS permissions are set for the user or a group to which the user belongs, no access will be allowed.
> Effective permissions to shared folders are the more restrictive of either share or NTFS permissions.
> A user's effective permissions cannot be greater than the share permissions assigned to the user or a group to which the user belongs. For this reason, a common strategy for combining share and NTFS permissions is to:
  - Assign co-owner share permissions to everyone.
  - Use NTFS permissions to control access. Use the principle of least privilege by assigning NTFS permissions only to the necessary groups and by assigning only the necessary permissions to those groups. Even though Everyone has share permissions, only the users or groups with NTFS permissions will have access.
> Permissions for folders and files can be inherited. On Windows systems, the Advanced Security settings identify when permissions inheritance is in effect.
> Whenever possible, assign permissions to groups, rather than users. Users receive the permissions assigned to their groups.
FTP Secure (FTPS)
FTPS adds SSL or Transport Layer Security (TLS) to FTP in order to secure logon credentials and encrypt data transfers. FTPS requires a server certificate.
4.3.3 File Permission Facts
Managing File System Permissions
On a Windows system, access to files is controlled through two sets of permissions, share and New Technology File System (NTFS). The following table describes permissions specific to each type.
4.3.2 File System Security Facts
Managing the file system is a primary concern of IT professionals. The file system is responsible for storing and securing data. An organization depends on data and requires that it be secure and easily accessible. This lesson covers the following topics:
> File system security
> Big data storage
> Data transfer security protocols
Network Attached Storage (NAS)
NAS is a standalone storage device or appliance that acts as a file server. Be aware of the following:
> The NAS device is connected to the same network as all other network devices. Therefore, it is exposed to attacks from all network hosts.
> NAS devices typically use standard protocols for file sharing. Because standard protocols are well-known, they are subject to attacks.
> The NAS device often has a limited operating system capable of sharing files and controlling access to those files using access control lists (ACLs).
> NAS administration should be secured with a strong password and strong authentication.
4.3.5 Configure NTFS Permissions Lab
Required Actions
> Edit permissions for the E:\Marketing Data Folder
  - Disable permission inheritance for the folder
  - Convert existing permissions
  - Do not assign permissions to the Users group
  - Add the Marketing group to the access control list
  - Assign Marketing Full Control permissions
  - Do not assign explicit permissions to other users or groups
> Edit permissions for the E:\Research Data Folder
  - Disable permission inheritance for the folder
  - Convert existing permissions
  - Do not assign permissions to the Users group
  - Add the Research group to the access control list
  - Assign Research Full Control permissions
  - Do not assign explicit permissions to other users or groups
Complete this lab as follows:
1. Open the Data (E:) drive.
   a. From the Windows taskbar, select File Explorer.
   b. From the left pane, expand and select This PC > Data (E:)
2. Disable inheritance and convert inherited permissions to explicit permissions.
   a. From the right pane, right-click the applicable folder and then select Properties.
   b. Select the Security tab.
   c. Select Advanced to modify inherited permissions.
   d. Select Disable inheritance to prevent inherited permissions.
   e. Select Convert inherited permissions into explicit permissions on this object.
3. Remove the Users group from the access control list.
   a. In Permission entries, select Users.
   b. Select Remove to remove the group from the access control list.
   c. Select OK.
4. Add a new group to the access control list and allow Full Control.
   a. Select Edit to add a group to the access control list.
   b. Select Add.
   c. Enter the name of the group you want to add and then select Check Names.
   d. Select OK.
   e. With the newly added group selected, under the Allow column, select Full Control and then select OK.
   f. Select OK to close the properties dialog.
5. Repeat steps 2 - 4 to modify the permissions for the additional folder.
4.3.6 Disable Inheritance Lab
Required Actions
> Grant the Managers group Allow Full Control to D:\Personnel
> Prevent inherited permissions on the D:\Personnel folder.
  - Disable inheritance
  - Remove all inherited permissions from the folder.
Complete this lab as follows:
1. Open the Data (E:) drive.
   a. From the Windows taskbar, select File Explorer.
   b. From the left pane, expand and select This PC > Data (D:).
2. Configure NTFS permissions.
   a. From the right pane, right-click Personnel and select Properties.
   b. Select the Security tab.
   c. Select Edit.
   d. Select Add.
   e. Enter Managers as the group that will receive permission to the folder.
   f. Click OK.
   g. With the Managers group selected, select the appropriate Full control.
   h. Click OK.
3. Prevent inherited permissions from parent.
   a. On the Security tab, select Advanced.
   b. Select Disable inheritance.
   c. Select Remove all inherited permissions from this object.
   d. Click OK to close the Advanced Security Settings for Personnel dialog.
   e. Click OK to close the Properties dialog.
Trivial File Transfer Protocol (TFTP)
TFTP provides no authentication, encryption, or error detection. In addition, TFTP uses UDP instead of TCP. TFTP might be faster than FTP, but it does not perform error detection, so it could result in file errors.