File Sharing Security on the HP SureStore NetStorage 6000
White Paper
Copyright © 2000 Hewlett-Packard Company. All Rights Reserved.
Table of Contents
1 Introduction
2 Security on UNIX Networks
2.1 General Overview
2.2 Restricting User Access
2.3 Restricting Host Access
2.4 Considerations for the HP NetStorage 6000
2.4.1
2.4.2 The /etc Directory
2.4.
7 Examples
7.1 Client with both UNIX and Windows Account
7.2 UNIX File Accessed by Windows Clients
7.3 Windows File Accessed by UNIX Clients
8 File Format Details
8.1 HP NetStorage 6000 Files - passwd, group, users.map, group.map
8.2 UNIX Files - passwd.nis and group.nis
1 Introduction
One of the most important aspects of serving data to clients over a network is the set of security mechanisms employed by the server to protect the data from accidental or malicious tampering. The HP NetStorage 6000 is a Network Attached Storage (NAS) device that serves files to Windows clients and to UNIX/Linux clients using the native file serving protocol of each client (SMB and NFS respectively).
2.2 Restricting User Access
All users on UNIX systems must perform a logon sequence before gaining access to the system. The logon involves entering an appropriate name and password at the logon prompt. Once the logon data is entered, the system searches the local passwd file (or the NIS passwd map, where NIS is in use) for a matching entry and checks the password against the stored password hash. If a match is found, the user is granted access and is assigned two numeric identifiers that are associated with the user: a user ID (UID) and a group ID (GID). These were 16-bit values on older UNIX systems; current systems use 32-bit values. Every later file access decision is made on the UID and GID, not on the user name, which is why the UID/GID mapping described in later sections matters.
2.3 Restricting Host Access
NFS servers do not distinguish between computers that are part of a secure network infrastructure (complete with NIS centralized administration) and computers that exist outside of the sphere of administrator control. With the standard NFS authentication flavor (AUTH_SYS), the server simply believes the UID and GID that the client places in each request, so any host that can reach the server can present any identity it likes. A mechanism is therefore needed to protect servers from unauthorized hosts. In typical UNIX installations, NFS mount points on servers are listed in the /etc/exports file.
The administrator may declare Trusted Hosts using the web based administration tool, or the telnet administration tool of the HP NetStorage 6000. Note that telnet carries the administrator's credentials and session in cleartext, so the telnet administration tool should only be reachable from a management network that untrusted hosts cannot see.
2.4.2 The /etc Directory
It is necessary to maintain a number of system files on the HP NetStorage 6000 in an accessible place for administrative purposes.
host pattern
This field has the name of a host or group of hosts that have access rights. Host names must be resolvable through the local /etc/hosts file, the NIS hosts file, or through DNS. Groups of hosts are specified in the /etc/hostgrps file. If the host pattern is the name of a group, then it must be preceded by the @ symbol. The wildcard character ( * ) may be used to specify all hosts. Because a * entry is reachable from every host that can route to the server, it should be reserved for data that is safe to expose read-only.

rights
This field specifies the access limits to apply.
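To make the host-pattern rules concrete, here is an added example (not NetStorage code, and not from the white paper) that decides which rights a client host receives from an exports entry and lists the entries that rely on the wildcard. The paper describes the field semantics but not the line layouts, so these are assumptions: /etc/hostgrps lines are modelled as `group: host1 host2 ...`, exports lines as `/path pattern=rights ...` with rights `ro` or `rw`, and the first matching pattern wins. Name resolution is not attempted; host names are compared case-insensitively without a trailing dot.

```python
def _canon(host):
    """Compare host names case-insensitively and without a trailing dot."""
    return host.strip().lower().rstrip(".")


def parse_hostgrps(text):
    """group name -> set of hosts.  Assumed line layout: 'name: host1 host2 ...'."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups[name.strip()] = {_canon(h) for h in members.split()}
    return groups


def parse_exports(text):
    """path -> list of (host pattern, rights).  Assumed line layout:
    '/path pattern=rights [pattern=rights ...]' with rights 'ro' or 'rw'."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *rules = line.split()
        entries = []
        for rule in rules:
            pattern, sep, rights = rule.partition("=")
            if not sep or rights not in ("ro", "rw"):
                raise ValueError(f"bad rule {rule!r} for {path}")
            entries.append((pattern, rights))
        exports[path] = entries
    return exports


def host_matches(pattern, host, groups):
    """The three pattern forms from the field description: '*', '@group', or a host name."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return _canon(host) in groups.get(pattern[1:], set())
    return _canon(pattern) == _canon(host)


def rights_for(host, path, exports, groups):
    """Rights granted by the first matching pattern (assumed precedence); None means no access."""
    for pattern, rights in exports.get(path, []):
        if host_matches(pattern, host, groups):
            return rights
    return None


def wildcard_exports(exports):
    """Paths that any host can mount: the entries to audit first and to keep read-only."""
    return sorted(path for path, rules in exports.items()
                  if any(pattern == "*" for pattern, _ in rules))


# Constructed sample files (not from the paper).
HOSTGRPS = """\
finance: fin-ws1 fin-ws2
engineering: eng-srv1.example.com
"""
EXPORTS = """\
/finance @finance=rw
/marketing @finance=ro @engineering=rw
/public *=ro
/research eng-srv1.example.com=rw *=ro   # wildcard: every reachable host gets read access
"""

if __name__ == "__main__":
    groups, exports = parse_hostgrps(HOSTGRPS), parse_exports(EXPORTS)
    for host in ("fin-ws1", "eng-srv1.example.com", "laptop-on-guest-lan"):
        print(host, {p: rights_for(host, p, exports, groups) for p in exports})
    print("exported to all hosts:", wildcard_exports(exports))
```

The `wildcard_exports` list is the check an administrator wants after editing the file: anything in it is mountable by every host on the network regardless of the Trusted Hosts list.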
The following sections explain these security modes in more detail.
3.2 Share Level Security
Share Level security is the simplest SMB security mode to use, but offers the least security. In this mode, each share may be protected by a password. When the server administrator defines a new share, a password is specified to protect the share from unauthorized access. When a user first accesses the share, the user is prompted for the password. Because the password belongs to the share rather than to a user, it is normally known to many people and cannot be revoked for one person without changing it for everyone, and the server has no record of which individual accessed the data.
Under User Level security, each computer on the network is responsible for authenticating users, before the user is allowed to access the resources on that computer. Once a user is authenticated on a computer, a session is established with the user. Thus, the user will not need to be authenticated again during that session. This not only applies to users accessing machines directly (interactive logon), but also to users accessing resources on remote servers (remote, or network logon).
arrows between the domains represent the trust relationship between the domains. The domain that trusts another domain has an arrow pointed at the domain it trusts.

[Figure 1. Master Domain Model: account domain A, with trust relationships from resource domains X, Y and Z pointing at A]

Another common architecture is to have one or more domains configured as resource domains, and multiple domains configured as account domains. All of the resource domains are then configured to trust all of the account domains.
All NT workstations and servers on a network must be provided with a machine account in order to participate in a domain. Machine accounts are established for NT machines by the domain administrator when the system is configured and added to an NT domain. The account is then used by the NT system to logon to the network (the NT domain) every time the computer boots up. In the Master Domain architectures discussed above, the machine accounts would reside in one of the resource domains.
3) The domain controller in domain A will examine the request to see if the account is associated with the domain. If it is, then it will authenticate the user and pass back the result.
4) If the account belongs to another domain (domain B), then domain A will verify that it has a trust relationship with domain B. If a trust relationship does exist, then the request is passed on to a domain controller in domain B for verification.
When a client attempts to logon to a server on a network (known as remote logon or network logon), the server sends the client an 8-byte challenge (or "nonce"). If the client is a LAN Manager client, it computes a 24-byte challenge response by encrypting the 8-byte challenge with the 16-byte LAN Manager OWF password: the OWF is padded with five zero bytes to 21 bytes, split into three 7-byte DES keys, and each key encrypts the challenge, producing three 8-byte blocks. This is the algorithm used by LAN Manager. The LAN Manager client passes this "LAN Manager Challenge Response" to the server. Because the OWF itself is derived from the upper-cased password in two independent 7-byte halves, and the third DES key contains only two bytes of the hash, both the OWF and the response are weak against brute force.
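The computation just described, as an added example (not code from the white paper or from HP). It needs pycryptodome for DES (`pip install pycryptodome`); the 7-to-8-byte key expansion, the OWF constant and the padding are the published LAN Manager algorithm, and the password/challenge pair used in the demonstration is the NTLMv1 test vector from Microsoft's MS-NLMP specification. The last function shows why the response is weak: the third DES key holds only two unknown bytes of the hash, so a sniffed challenge/response pair gives them away after at most 65,536 DES operations.

```python
try:
    from Crypto.Cipher import DES       # pycryptodome
except ImportError:                      # keep the pure-Python parts usable without it
    DES = None
HAVE_DES = DES is not None

LM_MAGIC = b"KGS!@#$%"   # the constant LM encrypts; the password halves are the DES keys


def des_key_from_7(k7):
    """Expand 7 key bytes to the 8-byte DES key: one 7-bit group per byte,
    shifted left so bit 0 (the parity bit DES ignores) stays clear."""
    if len(k7) != 7:
        raise ValueError("need exactly 7 bytes")
    bits = int.from_bytes(k7, "big")
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def des_block(key7, block):
    """Single-block DES encryption of `block` under a 7-byte key."""
    if not HAVE_DES:
        raise RuntimeError("pycryptodome is required for DES")
    return DES.new(des_key_from_7(key7), DES.MODE_ECB).encrypt(block)


def lm_owf(password):
    """16-byte LM one-way function: upper-case, pad/truncate to 14 bytes, and
    encrypt LM_MAGIC under each 7-byte half.  The halves are independent of
    each other, which is why LM hashes fall quickly to brute force."""
    p = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\0")
    return des_block(p[:7], LM_MAGIC) + des_block(p[7:], LM_MAGIC)


def lm_response(owf, challenge):
    """24-byte LM challenge response: pad the OWF with 5 zero bytes to 21 bytes,
    split into three 7-byte DES keys and encrypt the 8-byte challenge under each."""
    if len(owf) != 16 or len(challenge) != 8:
        raise ValueError("owf must be 16 bytes and challenge 8 bytes")
    k = owf + bytes(5)
    return b"".join(des_block(k[i:i + 7], challenge) for i in (0, 7, 14))


def recover_owf_tail(response, challenge):
    """Attacker's view of the same exchange: the third key is owf[14:16] followed
    by five known zero bytes, so only 2**16 candidates explain response[16:24]."""
    for n in range(1 << 16):
        tail = n.to_bytes(2, "big")
        if des_block(tail + bytes(5), challenge) == response[16:24]:
            return tail
    return None


if __name__ == "__main__" and HAVE_DES:
    owf = lm_owf("Password")                         # MS-NLMP test password
    challenge = bytes.fromhex("0123456789abcdef")    # MS-NLMP server challenge
    resp = lm_response(owf, challenge)
    print("LM OWF     :", owf.hex())
    print("LM response:", resp.hex())
    print("recovered owf[14:16] from the wire:", recover_owf_tail(resp, challenge).hex())
```

`lm_owf("Password")` and `lm_owf("PASSWORD")` are identical, which is the case-folding weakness, and the recovered two bytes then narrow the search for the remaining fourteen; in practice the whole OWF is recovered by the same approach, and that is why LAN Manager authentication should be disabled wherever a client can use NTLM or Kerberos instead.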
that is used to keep a log of security events (such as who accesses which files) and to generate and log security audit messages. Each ACE contains a security ID and an access mask. The SID identifies the user or group to be associated with the entry, and the access mask defines the type of access allowed or denied. The access mask varies for different object types. In general, they include Standard types, Specific types, and Generic types.
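The DACL evaluation described above, as an added example (not from the white paper, and a simplified model rather than Windows' own AccessCheck). ACEs are walked in order: a deny ACE that covers a still-ungranted bit of the requested access stops the check, allow ACEs accumulate granted bits until every requested bit is covered, and generic rights are first translated into the file-specific rights they stand for. The access-mask bit values are the standard Win32 ones; the user and group SIDs in the sample are constructed. The model also covers the NULL-DACL versus empty-DACL distinction and the owner's implicit right to read and change the DACL.

```python
from dataclasses import dataclass
from typing import List, Optional

# Standard rights (winnt.h values)
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
# File-specific rights
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x01, 0x02, 0x04
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x08, 0x10, 0x20
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x80, 0x100
# Generic rights, and the file-object mapping that turns them into specific bits
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000
FILE_GENERIC_READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
FILE_GENERIC_WRITE = (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA
                      | FILE_APPEND_DATA | SYNCHRONIZE)
FILE_GENERIC_EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | FILE_EXECUTE | SYNCHRONIZE
FILE_ALL_ACCESS = 0x1F01FF
GENERIC_MAP = {GENERIC_READ: FILE_GENERIC_READ, GENERIC_WRITE: FILE_GENERIC_WRITE,
               GENERIC_EXECUTE: FILE_GENERIC_EXECUTE, GENERIC_ALL: FILE_ALL_ACCESS}

EVERYONE = "S-1-1-0"                      # well-known SID
ALICE = "S-1-5-21-1-1-1-1001"             # constructed user SIDs
BOB = "S-1-5-21-1-1-1-1002"
MARKETING = "S-1-5-21-1-1-1-1077"         # constructed group SID


@dataclass
class ACE:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # user or group the entry applies to
    mask: int     # access mask: specific, standard and/or generic bits


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[ACE]]   # None models a NULL DACL, [] an empty DACL


def map_generic(mask):
    """Replace generic bits with the file-object specific rights they stand for."""
    specific = mask & 0x0FFFFFFF
    for generic, bits in GENERIC_MAP.items():
        if mask & generic:
            specific |= bits
    return specific


def access_check(sd, token_sids, desired):
    """True if every bit of `desired` is granted to a token holding `token_sids`."""
    if sd.dacl is None:                       # NULL DACL: no protection at all
        return True
    remaining = map_generic(desired)
    if sd.owner in token_sids:                # owner may always read and rewrite the DACL
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:                       # empty DACL: the loop grants nothing
        if ace.sid not in token_sids:
            continue
        mask = map_generic(ace.mask)
        if not ace.allow and mask & remaining:
            return False                      # deny hits a bit not yet granted
        if ace.allow:
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0


def is_canonical(dacl):
    """Deny ACEs must precede allow ACEs; otherwise an earlier allow satisfies the
    request before the deny is ever examined."""
    seen_allow = False
    for ace in dacl or []:
        if ace.allow:
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Constructed sample: marketing may not write, everyone else may read and write.
CANONICAL = [ACE(False, MARKETING, FILE_WRITE_DATA),
             ACE(True, EVERYONE, GENERIC_READ | GENERIC_WRITE)]
MISORDERED = list(reversed(CANONICAL))

if __name__ == "__main__":
    sd = SecurityDescriptor(owner=ALICE, dacl=CANONICAL)
    print("marketing member writes:", access_check(sd, {BOB, MARKETING, EVERYONE}, FILE_WRITE_DATA))
    print("misordered DACL is canonical:", is_canonical(MISORDERED))
```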
Note: If the object has no DACL (a NULL DACL), the object has no protection and access is granted to everyone. On the other hand, if the object has a DACL with no entries in it (an empty DACL), no accesses are specifically granted, so access is implicitly denied to everyone. In all cases, the owner of an object can modify the permissions of the object, regardless of the status of the DACL. The two cases are easy to confuse when a security descriptor is built by hand: a NULL DACL is equivalent to granting Everyone full control and should never be placed on shared data.
3.4 Considerations for the HP NetStorage 6000
3.4.
• The HP NetStorage 6000 is designed to authenticate users directly with the appropriate NT account domain. It does not pass authentication requests through its own resource domain. This allows the HP NetStorage 6000 to participate on networks where the user accounts are separated from the NT resources (Master Domain model), as well as on networks where user accounts and resources are contained in a single domain.
object via UNIX (chmod or chown commands) and have the object become a UNIX object since this could potentially weaken the access control that protects these objects. In order for clients to share files across Windows and UNIX protocols, it is necessary to establish their credential equivalence in each protocol. With this equivalence established, clients can access the files without regard to their current working environment as the owner, member of a group, or as part of the Everyone or Other account.
File Volume Name        File Volume Access              Password Restrictions
Finance                 Windows only; no UNIX access    Read access only
Marketing               Windows & UNIX access           Read & write access for Windows; read access for UNIX
Procurement             Windows & UNIX access           No passwords
Research & Development  UNIX access only                Read and write access

In this example, clients using either a Windows or UNIX protocol can access Marketing and Procurement files.
§ Group name mapping - groups have equivalent UNIX and NT credentials if the primary group name associated with an NT account is the same as a group defined for UNIX accounts.
5.2.1 User Mapping
There are two ways that an HP NetStorage 6000 user can obtain a UID. In the first case, the user has a UNIX account and the administrator has elected to do some type of mapping, either by user logon name or by full name.
The mapping that occurs between clients is done using several files that must be maintained if file security and user credentials are to be established and maintained. The files are refreshed in different ways: the NIS database files (passwd.nis and group.nis) are refreshed automatically every 5 minutes, whereas the passwd and group files are maintained through the HP NetStorage 6000 GUI. A UNIX account that has just been added to NIS may therefore take up to 5 minutes to become visible to the mapping logic.
6.1 Mapping Files
The following table shows the files that are employed for assigning UID and GID values and creating the association between clients.
value, this file is consulted to match the NT primary group with a UNIX group name. This file is also used to generate an ACL display list for Windows users for UNIX files. The files that contain the association between the clients in Windows and UNIX are the following.

File Name   Information                                                        Purpose
users.map   UNIX username, UID, NT username, NT domain, NT relative ID (RID)
group.map
If any type of user mapping has been selected, then additional checks are made. If user name mapping has been selected, the passwd.nis file is scanned to determine whether there is a UNIX user whose logon name is identical to that of the Windows client. Similarly, if full name mapping has been selected, the passwd.nis file is scanned to determine whether there is a UNIX account whose comment field (which is frequently used for the user's full name) matches the Windows full name exactly.
The passwd.nis file is consulted. No match is found.
Established Windows Client: with or without user mapping. Yes or No.
Since this is a new client, no match is found, so a UID and GID will be assigned by the HP NetStorage 6000 beginning with 60001 for the UID and GID. The appropriate entry will be made in the passwd file.
The passwd file is searched.
HP NetStorage 6000 Configuration assumptions:
• Administrator has established file volume permissions so that both UNIX and Windows clients can access the file.
• NIS server administration is used and enabled so that the passwd.nis file is populated with UNIX user account information.
• Administrator has selected user name mapping.
Client assumptions:
• Windows client created the file and is the owner of the file.
• Administrator has selected full user name mapping.
Client assumptions:
• UNIX client created the file and is the owner of the file.
• The Windows client is accessing the HP NetStorage 6000 for the first time.
• Windows full name matches the UNIX comment field exactly.
Files Scanned or Read / Files Written:
passwd - no relevant entry.
passwd.nis - scanned; a match is made between the UNIX comment field and the NT logon full name.
users.map
Files Scanned or Read / Files Written / Comments:
passwd - Empire/msullivan:*:60004:101::: - The Windows client has been auto-assigned a UID value since the client does not have a UNIX account. The auto-assigned UID is 60004.
group - No entry, since the primary Windows group matches a UNIX group.
passwd.nis - no relevant entry.
group.nis - marketing:101:user1,user2,user3
users.map - No entry.
group.map - :101:marketing:Empire:1077
The Windows client can access the file and view the permissions.
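The lookups described in sections 6 and 7, as an added example (not NetStorage code, and not from the white paper). It reproduces the 7.3 case above: Empire/msullivan has no UNIX account, so the UID is auto-assigned (60004 here, because three earlier Windows clients already hold 60001 to 60003 in the constructed passwd file) while the GID 101 comes from the NIS group marketing and is recorded in group.map; it also shows logon-name and full-name mapping against passwd.nis. The passwd.nis layout is passwd(5) and group.nis follows the `name:gid:members` entry shown in 7.3; the column layouts of the NetStorage's own passwd, group, users.map and group.map files are assumed from the field lists in section 6.1, and every user, full name and RID other than Empire, msullivan, marketing and 1077 is constructed.

```python
from dataclasses import dataclass, field

AUTO_ID_START = 60001  # first UID/GID the NetStorage assigns when no UNIX account exists


@dataclass
class WindowsClient:
    domain: str          # NT domain, e.g. "Empire"
    logon: str           # NT logon name
    full_name: str       # NT full name, compared with the UNIX comment field
    primary_group: str   # NT primary group name
    rid: int             # relative ID of the account
    group_rid: int       # relative ID of the primary group


@dataclass
class MappingFiles:
    """passwd.nis: passwd(5) layout.  group.nis: 'name:gid:members' as in 7.3.
    passwd, group, users.map, group.map: colon-separated lines in the section 6.1
    field order (assumed; the paper shows entries but not a formal layout)."""
    passwd_nis: str
    group_nis: str
    mapping: str = "none"            # "none", "user" (logon name) or "fullname"
    passwd: list = field(default_factory=list)
    group: list = field(default_factory=list)
    users_map: list = field(default_factory=list)
    group_map: list = field(default_factory=list)


def unix_accounts(passwd_nis):
    """name -> (uid, gid, comment) from 'name:pw:uid:gid:comment:home:shell' lines."""
    accounts = {}
    for line in passwd_nis.splitlines():
        f = line.split(":")
        if len(f) >= 5 and f[0]:
            accounts[f[0]] = (int(f[2]), int(f[3]), f[4])
    return accounts


def unix_groups(group_nis):
    """name -> gid; accepts 'name:gid:members' and group(5) 'name:pw:gid:members'."""
    groups = {}
    for line in group_nis.splitlines():
        f = line.split(":")
        gid = next((x for x in f[1:] if x.isdigit()), None)
        if f[0] and gid is not None:
            groups[f[0]] = int(gid)
    return groups


def next_free_id(used):
    """Lowest unused number at or above AUTO_ID_START."""
    n = AUTO_ID_START
    while n in used:
        n += 1
    return n


def primary_gid(client, files):
    """GID for the NT primary group: the matching UNIX group's GID (recorded once
    in group.map), otherwise an auto-assigned GID kept in the group file."""
    groups = unix_groups(files.group_nis)
    if client.primary_group in groups:
        gid = groups[client.primary_group]
        entry = f":{gid}:{client.primary_group}:{client.domain}:{client.group_rid}"
        if entry not in files.group_map:
            files.group_map.append(entry)
        return gid
    name = f"{client.domain}/{client.primary_group}"
    for line in files.group:
        if line.split(":")[0] == name:
            return int(line.split(":")[1])
    gid = next_free_id(set(groups.values()) | {int(l.split(":")[1]) for l in files.group})
    files.group.append(f"{name}:{gid}")
    return gid


def resolve(client, files):
    """(uid, gid, how): an established client is found in passwd or users.map;
    otherwise passwd.nis is scanned by logon name or full name according to the
    mapping mode; otherwise a UID is auto-assigned and a passwd entry written."""
    key = f"{client.domain}/{client.logon}"
    gid = primary_gid(client, files)
    for line in files.passwd:                     # Domain/logon:*:uid:gid:::
        f = line.split(":")
        if f[0] == key:
            return int(f[2]), int(f[3]), "passwd"
    for line in files.users_map:                  # unixname:uid:ntname:ntdomain:rid
        f = line.split(":")
        if f[2] == client.logon and f[3] == client.domain:
            return int(f[1]), gid, "users.map"
    accounts = unix_accounts(files.passwd_nis)
    unix_name = None
    if files.mapping == "user" and client.logon in accounts:
        unix_name = client.logon
    elif files.mapping == "fullname":
        unix_name = next((n for n, (_, _, c) in accounts.items() if c == client.full_name), None)
    if unix_name is not None:
        uid = accounts[unix_name][0]
        files.users_map.append(f"{unix_name}:{uid}:{client.logon}:{client.domain}:{client.rid}")
        return uid, gid, files.mapping
    used = {a[0] for a in accounts.values()} | {int(l.split(":")[2]) for l in files.passwd}
    uid = next_free_id(used)
    files.passwd.append(f"{key}:*:{uid}:{gid}:::")
    return uid, gid, "auto"


# Constructed sample data: two NIS users, the marketing group, three earlier Windows clients.
PASSWD_NIS = ("user1:x:1001:101:Alice Example:/home/user1:/bin/sh\n"
              "user2:x:1002:101:Bob Example:/home/user2:/bin/sh\n")
GROUP_NIS = "marketing:101:user1,user2,user3\n"
PASSWD_PRIOR = [f"Empire/wclient{i}:*:{60000 + i}:{60000 + i}:::" for i in (1, 2, 3)]

if __name__ == "__main__":
    files = MappingFiles(PASSWD_NIS, GROUP_NIS, mapping="user", passwd=list(PASSWD_PRIOR))
    print(resolve(WindowsClient("Empire", "msullivan", "M. Sullivan", "marketing", 1105, 1077), files))
    print(files.passwd[-1], files.group_map)
```

The ordering matters for security: the established-client check comes first, so a Windows account keeps the UID it was first given even if a UNIX account with the same logon name is created later, which is exactly the situation that produces surprising file ownership and is worth checking in users.map whenever a new UNIX account is added.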
8.2 UNIX Files - passwd.nis and group.nis
File Name    File Format
passwd.nis   :::::: (the standard passwd(5) layout: name, password, UID, GID, comment, home directory, shell)
group.nis