> Hi Andrew, I have same question, how to access CIFS share user access log, I need to pull list of users accessing the shares. -----------------
Hi Shafeeq
If you need to maintain true historical data, you may need to investigate how to use
auditing ( this is a Microsoft "thing" ), the HNAS supports it. I have avoided using this
because of overhead.
You can also get a rough idea of who is connecting to shares by parsing output of the "connection" CLI command.
( don't over-do this ... the connection command , with verbose mode does add load to the NAS )
The direction you chose will depend on what you are trying to do:
If you are about to tighten security on a share and you just want to get an idea
of who uses the share; so you can avoid denying access to legit users
you may be able to avoid implementing auditing and just use a variety
of "light weight" estimation techniques:
- running connection command a few times per day
- doing a tree-walk with a script and see what users own recently created files
- communicate with your customer and your boss ( "here's the list of people that will still be able to
access the ProjectXYZ share after I make the change ... everyone else will be denied" ... setting expectations
is super important )
If you need to present access data to an formal auditor ( the SEC ... etc) , you may need to turn on auditing.
( I don't advise volunteering to do this if not asked !! )
Many organizations are able to avoid turning on MS auditing ( and incurring the overhead ) because:
- they have very strict and well documented FILE, DIRECTORY and SHARE permissions
- they also implement network controls ( firewall, VPN, NAS network access controls on shares )
- they have strict host access controls
AL, what do you think ?
Andy
>
Original Message-----
> From: Shafeeq Ahmed via Hitachi Vantara <mail@connectedcommunity.org>
> Sent: Tuesday, April 25, 2023 7:55 AM
> To: Andrew J. Romero <romero@fnal.gov>
> Subject: RE: Network Attached Storage : How to restrict anonymous or un authentication hitachi hnas cifs share access
>
> ... -posted to the "Network Attached Storage" community
>
> Network Attached Storage <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 3A__community.hitachivantara.com_communities_community-2Dhome_digestviewer-3FCommunityKey-3D437d6172-2D5782-
> 2D4e3e-2Dace4-2D79584135d5a1&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-
> o4oYHBo3CDOaWsswc&s=aYTSb7b8rwycvBNWhcxlyYvubVEgexOxY24WuY64GLs&e=>
>
> Post New Message <mailto:hitachi-networkattachedstorage@connectedcommunity.org>
> Re: How to restrict anonymous or un authentication hitachi hnas cifs share access <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 3A__community.hitachivantara.com_discussion_how-2Dto-2Drestrict-2Danonymous-2Dor-2Dun-2Dauthentication-2Dhitachi-2Dhnas-
> 2Dcifs-2Dshare-2Daccess-23bm7cebf93a-2D663e-2D465d-2Daf4c-
> 2D0187b87a9e54&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-o4oYHBo3CDOaWsswc&s=t4H0Cbdx7-VFFltth6OtqPnHoeZTBe0xjrbLRzGHg1s&e=>
> Reply to Group < />
> 0187b87a9e54@ConnectedCommunity.org?subject=Re: How to restrict anonymous or un authentication hitachi hnas cifs share
> access> Reply to Sender <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 3A__community.hitachivantara.com_communities_all-2Ddiscussions_postreply-3FMessageKey-3D7cebf93a-2D663e-2D465d-2Daf4c-
> 2D0187b87a9e54-26ListKey-3D5c2e7b86-2D57d2-2D4265-2D9b7f-2D2dafb1a53a4b-26SenderKey-3Db88da807-2D176e-2D456c-
> 2D941a-2D0187329743d7&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-o4oYHBo3CDOaWsswc&s=sYZ2rb-MzZEKpzKhmfdLW_fCwvRdHO71spC-
> EaWjNDQ&e=>
> <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 2Ddirectory_members_profile-3FUserKey-3Db88da807-2D176e-2D456c-2D941a-
> 2D0187329743d7&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-
> o4oYHBo3CDOaWsswc&s=8CFi716SIlWMayHJo9KXMHGnQzw2DrJBUOEYf_cmclc&e=> Apr 25, 2023 8:55 AM
> Shafeeq Ahmed <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 2Ddirectory_members_profile-3FUserKey-3Db88da807-2D176e-2D456c-2D941a-
> 2D0187329743d7&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-
> o4oYHBo3CDOaWsswc&s=8CFi716SIlWMayHJo9KXMHGnQzw2DrJBUOEYf_cmclc&e=>
> Hi Andrew,
>
> I have same question, how to access CIFS share user access log, I need to pull list of users accessing the shares.
>
>
>
> ------------------------------
> Shafeeq Ahmed
> Systems Engineer
> Dxc Technology
> ------------------------------
>
> Reply to Group Online <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 2Ddiscussions_postreply-3FMessageKey-3D7cebf93a-2D663e-2D465d-2Daf4c-2D0187b87a9e54-26ListKey-3D5c2e7b86-2D57d2-
> 2D4265-2D9b7f-2D2dafb1a53a4b&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-o4oYHBo3CDOaWsswc&s=Dskrf6LZL1YbVSTmt8Nfd6931Vlv9nkHHD5KR9p-3gA&e=>
> View Thread <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 2Drestrict-2Danonymous-2Dor-2Dun-2Dauthentication-2Dhitachi-2Dhnas-2Dcifs-2Dshare-2Daccess-23bm7cebf93a-2D663e-2D465d-
> 2Daf4c-2D0187b87a9e54&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-o4oYHBo3CDOaWsswc&s=t4H0Cbdx7-VFFltth6OtqPnHoeZTBe0xjrbLRzGHg1s&e=>
> Recommend <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 2Drestrict-2Danonymous-2Dor-2Dun-2Dauthentication-2Dhitachi-2Dhnas-2Dcifs-2Dshare-2Daccess-3FMessageKey-3D7cebf93a-
> 2D663e-2D465d-2Daf4c-2D0187b87a9e54-26cmd-3Drate-26cmdarg-3Dadd-23bm7cebf93a-2D663e-2D465d-2Daf4c-
> 2D0187b87a9e54&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-
> o4oYHBo3CDOaWsswc&s=GsSnnr8kSFP6hnG0w3NtT221uMk6VyF4C3Uam7Sb4X8&e=> Forward
> <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 2Ddiscussions_forwardmessages-3FMessageKey-3D7cebf93a-2D663e-2D465d-2Daf4c-2D0187b87a9e54-26ListKey-3D5c2e7b86-
> 2D57d2-2D4265-2D9b7f-2D2dafb1a53a4b&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-
> o4oYHBo3CDOaWsswc&s=3rioWQuzCbaBoV2_0tubLz8IdKq250yMSmhGmrkjHwQ&e=> Flag as Inappropriate
> <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 2Danonymous-2Dor-2Dun-2Dauthentication-2Dhitachi-2Dhnas-2Dcifs-2Dshare-2Daccess-3FMarkAppropriate-3D7cebf93a-2D663e-
> 2D465d-2Daf4c-2D0187b87a9e54-23bm7cebf93a-2D663e-2D465d-2Daf4c-
> 2D0187b87a9e54&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-o4oYHBo3CDOaWsswc&s=C6-YaB-
> 8rsZaoLP2G6MV_rpAZhWq3jpzuNuA6tmswnE&e=>
>
> Original Message:
> Sent: 04-25-2023 08:00
> From: Duco de Graaf
> Subject: How to restrict anonymous or un authentication hitachi hnas cifs share access
>
>
>
> Hi Andrew,
>
> How can we access logs for CIFS share access on HNAS
>
>
>
> ------------------------------
> Duco de Graaf
> Account Manager
> Dustin
>
>
>
>
>
> You are subscribed to "Network Attached Storage" as romero@fnal.gov. To change your subscriptions, go to My Subscriptions
> <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 3DSubscriptions&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-
> o4oYHBo3CDOaWsswc&s=zXgv48uzSmduvMdVI44tfGTs0f5tDsabRTKXwY84Xm8&e=> . To unsubscribe from this community
> discussion, go to Unsubscribe <https: urldefense.proofpoint.com/v2/url?u=""></https:>
> 3A__community.hitachivantara.com_HigherLogic_eGroups_Unsubscribe.aspx-3FUserKey-3D6fcf867a-2D0ddd-2D4dd0-2D984e-
> 2D018665216a60-26sKey-3D389b4dca30f148dabf4d-26GroupKey-3D5c2e7b86-2D57d2-2D4265-2D9b7f-
> 2D2dafb1a53a4b&d=DwMFaQ&c=gRgGjJ3BkIsb5y6s49QqsA&r=EHpPiJlKHosPtxsuTSo7GA&m=9wGFy-
> aDSQg6s73ehd1YrzDrIdjy9T4WkxGYa5ABC30kRr-o4oYHBo3CDOaWsswc&s=T_khfjh4j_uiVM3mDtplZLTYFghAj3DyTtd457-Xr8k&e=> .
> <https: oedginnrrl.execute-api.us-east-1.amazonaws.com/v1/readstatus?mailingid="346239119&Email=romero%40fnal.gov">
Original Message:
Sent: 4/25/2023 8:55:00 AM
From: Shafeeq Ahmed
Subject: RE: How to restrict anonymous or un authentication hitachi hnas cifs share access
Hi Andrew,
I have same question, how to access CIFS share user access log, I need to pull list of users accessing the shares.
------------------------------
Shafeeq Ahmed
Systems Engineer
Dxc Technology
------------------------------
Original Message:
Sent: 04-25-2023 08:00
From: Duco de Graaf
Subject: How to restrict anonymous or un authentication hitachi hnas cifs share access
Hi Andrew,
How can we access logs for CIFS share access on HNAS
------------------------------
Duco de Graaf
Account Manager
Dustin
Original Message:
Sent: 03-30-2023 17:11
From: Andrew Romero
Subject: How to restrict anonymous or un authentication hitachi hnas cifs share access
On a test share that can be accessed by an un-authenticated user, try this ( it allows you to control share access without changing a more global settting.
cifs-saa list myshare
If Everyone has af access, run these
cifs-saa add myshare "Administrators" af
cifs-saa add myshare "Authenticated Users" af
cifs-saa delete myshare Everyone
cifs-saa list myshare
credentials-reassess
Can an un-authenticated user still access the share ?
When I configure shares, I remove Everyone from the access
list of 99.9% of the shares
I actually do additional share-permission changes.
------------------------------
Andrew Romero
Storage Administrator
Fermi National Accelerator Laboratory
Original Message:
Sent: 03-30-2023 16:17
From: Shafeeq Ahmed
Subject: How to restrict anonymous or un authentication hitachi hnas cifs share access
There are CIFS share which can be accessed by un authenticated users, which we want to restrict.
And below setting will make us achieve that right ?
cifs-restrict-anonymous enable
Anonymous users are restricted and only authenticated users are allowed access over CIFS.
Current settings:
BR-HNAS-2[tcipnasevs1]:$ cifs-restrict-anonymous
cifs-restrict-anonymous: Restrict Anonymous users is disabled.
BR-HNAS-2[tcipnasevs1]:$
Thanks
Shafeeq
Original Message:
Sent: 3/30/2023 4:08:00 PM
From: Andrew Romero
Subject: RE: How to restrict anonymous or un authentication hitachi hnas cifs share access
Hi
Yes; but, based on your test , anonymous users are not able to access anything now .
What actual operations are you seeing that anonymous users can do that would justify changing the default cifs-restrict-anonymous setting
Andy
------------------------------
Andrew Romero
Storage Administrator
Fermi National Accelerator Laboratory
Original Message:
Sent: 03-30-2023 16:02
From: Shafeeq Ahmed
Subject: How to restrict anonymous or un authentication hitachi hnas cifs share access
Hi Andrew,
I think I got the solution, if I enable below settings, all CIFS shares will be accessible to only authenticated users right.
cifs-restrict-anonymous enable
Anonymous users are restricted and only authenticated users are allowed access over CIFS.
Thanks
Shafeeq
Original Message:
Sent: 3/30/2023 11:21:00 AM
From: Andrew Romero
Subject: RE: How to restrict anonymous or un authentication hitachi hnas cifs share access
Is tcipnasevs1 a member of an Active Directory domain ?
If you connect a non-domain PC ( like a home laptop) to your network are you , without authenticating, or joining that
PC to the domain actually, able to access content on tcipnasevs1 ?
------------------------------
Andrew Romero
Storage Administrator
Fermi National Accelerator Laboratory
Original Message:
Sent: 03-30-2023 10:59
From: Shafeeq Ahmed
Subject: How to restrict anonymous or un authentication hitachi hnas cifs share access
Hi Andrew,
Please find the output below:
BR-HNAS-2:$ evssel 1
BR-HNAS-2[tcipnasevs1]:$ cifs-user-lookup-access
cifs-user-lookup-access: executing on cluster node 2, though the EVS in context (1) is currently on cluster node 1
Only authenticated clients may use the server's LSA.
BR-HNAS-2[tcipnasevs1]:$ cifs-auth
EVS 1 CIFS Authentication: on
BR-HNAS-2[tcipnasevs1]:$ cifs-restrict-anonymous
cifs-restrict-anonymous: executing on cluster node 2, though the EVS in context (1) is currently on cluster node 1
cifs-restrict-anonymous: Restrict Anonymous users is disabled.
BR-HNAS-2[tcipnasevs1]:$
Thanks
Shafeeq