HP CIFS Server 3.0f Administrator's Guide version A.02.03
10 Securing HP CIFS Server
This chapter describes the network security methods that you can use to protect your HP CIFS Server. It
includes the following sections:
• “Security Protection Methods”
• “Automatically Receiving HP Security Bulletins”
Security Protection Methods
HP CIFS Server provides a flexible approach to network security and implements the protocols to support
more secure Microsoft Windows file and print services.
You can secure HP CIFS Server from connections that originate from outside the local network by using
host-based protection. You can also use interface-based exclusion, so that SMBD binds
only to specifically permitted interfaces. It is also possible to set specific share or resource-based exclusions:
for example, you can set a specific denial on the IPC$ share.
You can also set access control entries (ACEs) in an access control list (ACL) on the shares to secure the HP
CIFS Server.
Restricting Network Access
You can use host-based restrictions, interface-based protection, a firewall, or IPC$ share-based denials to
restrict network access and secure your HP CIFS Server. This section describes how to
configure and use these protection methods.
Using Host Restrictions
In many installations, the threat to server security comes from outside the immediate network. By default, the
HP CIFS Server accepts connections from any host, so you might want to set the hosts allow and hosts
deny options in the smb.conf configuration file to only allow access to your server from a specific range
of hosts.
An Example
The following configuration example allows SMB connections only from 'localhost' (your own computer) and
from the two private networks, 192.168.2 and 192.168.3. All other connections are refused as soon as
the client sends its first packet. The refusal message is displayed as a not listening on called name
error:
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
Using Interface Protection
By default, the HP CIFS Server accepts connections on any network interface that it finds on your system.
That means that if you have an ISDN line or a PPP connection to the internet, the HP CIFS Server can accept
connections on those links. You can use the interface configuration options to change the interface
behavior.
Interface Protection Example
For example, you can change the interface behavior using options such as the following:
interfaces = lan* lo0
bind interfaces only = yes
In the above example, the HP CIFS Server listens for connections only on interfaces with a name starting with
lan, such as lan0 and lan1, plus the loopback interface called lo0. The interface name you need to use
depends on what OS you are using. If you use a LAN interface and someone tries to make an SMB connection
to your host over a PPP interface called 'ppp0', he or she gets a TCP connection refused reply.
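The host and interface restrictions above can be checked offline before a configuration is deployed. The following Python sketch is an added example, not part of the HP guide or of HP CIFS Server: it parses a constructed [global] section, tests client addresses against hosts allow and hosts deny, and flags missing restrictions. The function names, the sample configuration and the evaluation order (allow list first, then deny list) are assumptions of this example, which uses the Samba parameter names interfaces and bind interfaces only.

```python
import ipaddress

# Constructed sample: this chapter's two example settings in one [global] section.
SAMPLE_CONF = """\
[global]
    hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
    hosts deny = 0.0.0.0/0
    interfaces = lan* lo0
    bind interfaces only = yes
"""

def parse_global(text):
    """Return the [global] parameters as a dict keyed by lower-cased name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def _matches(ip, entries):
    # Handles literal addresses and CIDR networks only; host names, netgroups
    # and EXCEPT clauses are outside this sketch.
    addr = ipaddress.ip_address(ip)
    nets = entries.replace(",", " ").split()
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def host_permitted(ip, params):
    """Assumed order: a match in hosts allow wins, then hosts deny is consulted."""
    allow, deny = params.get("hosts allow"), params.get("hosts deny")
    if allow and _matches(ip, allow):
        return True
    if deny and _matches(ip, deny):
        return False
    # An allow list with no deny list admits only the listed hosts.
    return not (allow and not deny)

def audit(text):
    """Return findings for the restrictions this chapter describes."""
    p, findings = parse_global(text), []
    if "hosts allow" not in p:
        findings.append("no hosts allow: connections accepted from any host")
    if p.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is off: listens on every interface")
    return findings
```

Running audit() on a file before it is installed and host_permitted() on a few addresses from outside the permitted ranges gives a quick regression check when the allow list changes.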