Protecting your files on the DFS file system

The Windows Distributed File System (DFS) hosts user directories for all NICE users, plus much more data.

 

Files can be accessed from anywhere via a dedicated web portal (http://cern.ch/dfs). Because DFS is so easy to access within CERN, it is of utmost importance to properly protect access to sensitive data. As the use of DFS access control mechanisms is not obvious to all users, passwords, certificates or sensitive files might get exposed. At least, this happened in the past with the Andrew File System (AFS), the Linux equivalent to DFS, and led to bad publicity when a journalist accessed supposedly "private" AFS folders (SonntagsZeitung 2009/11/08). This problem not only affects the individual user but also has a bad impact on CERN's reputation when it comes to IT security.

Therefore, all departments and LHC experiments recently agreed to apply more stringent protections to all DFS user folders. The goal of this data protection policy is to assist users in protecting their data on DFS (folders other than \\cern.ch\dfs\Users will not be affected). It goes along with a similar effort made recently for AFS (see Bulletin 09-10/2011). The access rights of these folders will be automatically and regularly reviewed and corrected in order to enforce the corresponding policy:

  • For all anonymous users, the default ACLs of \\cern.ch\dfs\Users\HOME must not be more permissive than “List”/“Traverse”-rights.
  • For all anonymous users, the default ACLs of \\cern.ch\dfs\Users\HOME\Public and all its sub-folders must not be more permissive than either combined “List”/“Read”/“Traverse”-rights or combined “Create”/“List”/“Traverse”/“Write”-rights.
  • For all anonymous users, the default ACLs of any folder must not allow for simultaneous “Write” and “Read” access.
  • The ACLs of every sub-folder of \\cern.ch\dfs\Users\HOME not covered before, and all their sub-folders, must not contain any entries for anonymous users.


(Anonymous users are defined to be any potentially very large group of people, for example the default groups “Everyone” or “Authenticated Users”.)
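The four rules above can be expressed as a small checker. This is an added example, not CERN's enforcement tool: it assumes the ACLs have already been read into (principal, rights) pairs that use the right names from the policy text, and the function names, the `jdoe` account and the sample entries are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Groups the page names as examples of "anonymous users".
ANONYMOUS = {"Everyone", "Authenticated Users"}
HOME_MAX = {"List", "Traverse"}                         # rule 1
PUBLIC_MAX = ({"List", "Read", "Traverse"},             # rule 2, read-only share
              {"Create", "List", "Traverse", "Write"})  # rule 2, drop box

def check_folder(home, folder, acl):
    """Return policy violations for one folder.

    home, folder: Windows paths; acl: iterable of (principal, rights) pairs,
    where rights uses the right names from the policy text (an assumed model,
    not the native NTFS access mask).
    """
    rel = PureWindowsPath(folder).relative_to(PureWindowsPath(home)).parts
    findings = []
    for principal, rights in acl:
        if principal not in ANONYMOUS:
            continue                                    # named users are out of scope
        rights = set(rights)
        if {"Read", "Write"} <= rights:                 # rule 3, applies everywhere
            findings.append(f"{principal}: simultaneous Read and Write")
        if not rel:                                     # HOME itself
            if not rights <= HOME_MAX:
                findings.append(f"{principal}: more than List/Traverse on HOME")
        elif rel[0].lower() == "public":                # Public and its sub-folders
            if not any(rights <= allowed for allowed in PUBLIC_MAX):
                findings.append(f"{principal}: exceeds both allowed Public sets")
        else:                                           # rule 4
            findings.append(f"{principal}: anonymous entry outside Public")
    return findings

# Constructed sample data; HOME is the placeholder used in the policy text.
HOME = r"\\cern.ch\dfs\Users\HOME"
SAMPLE = {
    HOME: [("Everyone", {"List", "Traverse"})],
    HOME + r"\Public": [("Authenticated Users", {"Create", "List", "Traverse", "Write"})],
    HOME + r"\Public\drop": [("Everyone", {"List", "Read", "Write"})],
    HOME + r"\Documents": [("Everyone", {"List"}), ("jdoe", {"Read", "Write"})],
}

def audit(home, acls):
    """Map each non-compliant folder to its list of violations."""
    report = {f: check_folder(home, f, a) for f, a in acls.items()}
    return {f: v for f, v in report.items() if v}

if __name__ == "__main__":
    for folder, violations in audit(HOME, SAMPLE).items():
        print(folder, violations)
```

A folder outside `HOME` raises `ValueError`, matching the statement that folders other than the user folders are not affected by the policy.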

The deployment will start first in the IT Department and will subsequently address all other departments during Summer 2011. For details on DFS access rights, please consult:

http://cern.ch/go/DFSRightsBestPractice 

and

http://cern.ch/go/DFSManagingACLs

 

by Computer Security Team