Network Attached Storage


How to restrict anonymous or un authentication hitachi hnas cifs share access

  • 1.  How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 03-30-2023 10:59

    Hi Andrew,

    Please find the output below:

    BR-HNAS-2:$ evssel 1

    BR-HNAS-2[tcipnasevs1]:$ cifs-user-lookup-access

    cifs-user-lookup-access: executing on cluster node 2, though the EVS in context (1) is currently on cluster node 1

    Only authenticated clients may use the server's LSA.

     

    BR-HNAS-2[tcipnasevs1]:$ cifs-auth

    EVS 1 CIFS Authentication: on

     

    BR-HNAS-2[tcipnasevs1]:$ cifs-restrict-anonymous

    cifs-restrict-anonymous: executing on cluster node 2, though the EVS in context (1) is currently on cluster node 1

    cifs-restrict-anonymous: Restrict Anonymous users is disabled.

    BR-HNAS-2[tcipnasevs1]:$

     

     

    Thanks

    Shafeeq



  • 2.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 03-30-2023 11:21

    Is tcipnasevs1 a member of an Active Directory domain?

    If you connect a non-domain PC (like a home laptop) to your network, are you, without authenticating or joining that PC to the domain, actually able to access content on tcipnasevs1?



    ------------------------------
    Andrew Romero
    Storage Administrator
    Fermi National Accelerator Laboratory
    ------------------------------



  • 3.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 03-30-2023 12:40

    Hi

     

    Is tcipnasevs1 a member of an Active Directory domain? Yes, screenshot attached.

    If you connect a non-domain PC (like a home laptop) to your network, are you, without authenticating or joining that PC to the domain, actually able to access content on tcipnasevs1? No.

     

     

     






  • 4.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 03-30-2023 16:02

    Hi Andrew,

     

    I think I got the solution: if I enable the setting below, all CIFS shares will be accessible only to authenticated users, right?

     

    cifs-restrict-anonymous enable

    Anonymous users are restricted and only authenticated users are allowed access over CIFS.

    Thanks

    Shafeeq

     






  • 5.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 03-30-2023 16:08

    Hi

    Yes; but, based on your test, anonymous users are not able to access anything now.

    What actual operations are you seeing that anonymous users can do that would justify changing the default cifs-restrict-anonymous setting?

    Andy





    ------------------------------
    Andrew Romero
    Storage Administrator
    Fermi National Accelerator Laboratory
    ------------------------------



  • 6.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 03-30-2023 16:18

    There are CIFS shares which can be accessed by unauthenticated users, which we want to restrict.

    And the setting below will let us achieve that, right?
    cifs-restrict-anonymous enable

    Anonymous users are restricted and only authenticated users are allowed access over CIFS.

    Current settings:

    BR-HNAS-2[tcipnasevs1]:$ cifs-restrict-anonymous

    cifs-restrict-anonymous: Restrict Anonymous users is disabled.

    BR-HNAS-2[tcipnasevs1]:$

     

     

    Thanks

    Shafeeq

     

     






  • 7.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 03-30-2023 17:12

    On a test share that can be accessed by an unauthenticated user, try this (it allows you to control share access without changing a more global setting).


    cifs-saa list myshare

    If Everyone has af access, run these


    cifs-saa add myshare "Administrators" af
    cifs-saa add myshare "Authenticated Users" af
    cifs-saa delete myshare Everyone

    cifs-saa list myshare

    credentials-reassess

    Can an unauthenticated user still access the share?


    When I configure shares, I remove Everyone from the access
    list of 99.9% of the shares

    I actually do additional share-permission changes.





    ------------------------------
    Andrew Romero
    Storage Administrator
    Fermi National Accelerator Laboratory
    ------------------------------



  • 8.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 04-25-2023 08:01

    Hi Andrew,

    How can we access logs for CIFS share access on HNAS?



    ------------------------------
    Duco de Graaf
    Account Manager
    Dustin
    ------------------------------



  • 9.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 04-25-2023 08:55

    Hi Andrew,

    I have the same question: how to access the CIFS share user access log? I need to pull a list of users accessing the shares.



    ------------------------------
    Shafeeq Ahmed
    Systems Engineer
    Dxc Technology
    ------------------------------



  • 10.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 04-25-2023 10:07
    > Hi Andrew, I have same question, how to access CIFS share user access log, I need to pull list of users accessing the shares.

    Hi Shafeeq

    If you need to maintain true historical data, you may need to investigate how to use
    auditing (this is a Microsoft "thing"); the HNAS supports it. I have avoided using this
    because of overhead.

    You can also get a rough idea of who is connecting to shares by parsing output of the "connection" CLI command.
    (Don't overdo this ... the connection command, with verbose mode, does add load to the NAS.)

    The direction you choose will depend on what you are trying to do:

    If you are about to tighten security on a share and you just want to get an idea
    of who uses the share, so you can avoid denying access to legit users,
    you may be able to avoid implementing auditing and just use a variety
    of "lightweight" estimation techniques:
    - running the connection command a few times per day
    - doing a tree-walk with a script to see what users own recently created files
    - communicating with your customer and your boss ("here's the list of people that will still be able to
    access the ProjectXYZ share after I make the change ... everyone else will be denied" ... setting expectations
    is super important)

    If you need to present access data to a formal auditor (the SEC ... etc.), you may need to turn on auditing.
    (I don't advise volunteering to do this if not asked!!)

    Many organizations are able to avoid turning on MS auditing (and incurring the overhead) because:
    - they have very strict and well documented FILE, DIRECTORY and SHARE permissions
    - they also implement network controls (firewall, VPN, NAS network access controls on shares)
    - they have strict host access controls

    Al, what do you think?

    Andy
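
The tree-walk estimate mentioned in the reply above, sketched as an added example (not code from the thread or from Hitachi). It assumes the share is mounted on a POSIX host where file ownership maps to numeric uids, and it uses modification time as a stand-in for creation time; the names `recent_owners` and `report` and the mount point are hypothetical.

```python
import os
import stat
import sys
import time
from collections import Counter

try:
    import pwd  # POSIX only; absent on Windows
except ImportError:
    pwd = None


def owner_name(uid):
    """Map a numeric uid to a login name; fall back to the number if unmapped."""
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass  # common on NAS mounts: uid has no local passwd entry
    return str(uid)


def recent_owners(root, days=30, now=None):
    """Count regular files under root modified in the last `days`, per owner uid."""
    cutoff = (time.time() if now is None else now) - days * 86400
    counts = Counter()
    # os.walk skips unreadable directories by default and does not follow symlinks
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # file vanished or access denied: skip, keep walking
            if stat.S_ISREG(st.st_mode) and st.st_mtime >= cutoff:
                counts[st.st_uid] += 1
    return counts


def report(root, days=30):
    """Return [(owner, file_count), ...] sorted by descending count."""
    counts = recent_owners(root, days)
    return sorted(((owner_name(u), n) for u, n in counts.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Usage: python3 recent_owners.py /mnt/myshare 30   (mount point is an assumption)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 30
    for owner, n in report(root, days):
        print(f"{n:8d}  {owner}")
```

Ownership and mtime only show who wrote files recently; users who only read from the share do not appear, so treat the result as a lower bound on who uses it.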




  • 11.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 04-25-2023 10:40
    Hi

    Here's another tool

    On your Windows system run:

    compmgmt.msc

    Then select connect to another computer and specify an HNAS EVS / CIFS Serving Name

    This will show currently connected users and open files

    Andy






  • 12.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 04-25-2023 11:11

    Thanks a lot, will try both methods today and will let you know.

    Do you know if we can have something similar to the below:

    Using CIFS access logs
    System administrators and CIFS administrators can review CIFS access logs
    to monitor the access history of a CIFS share. System administrators must
    first configure the settings to determine whether and under what conditions
    to collect CIFS access logs.
    CIFS access logs (/var/log/cifs/log.CIFSaccess) can be viewed on the



    ------------------------------
    Shafeeq Ahmed
    Systems Engineer
    Dxc Technology
    ------------------------------



  • 13.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 04-27-2023 08:06

    I did not know about
    /var/log/cifs/log.CIFSaccess
    Where did you read about that?
    I don't see that path on my SMU.

    There is another current thread related to experimenting with auditing; it may be worthwhile to monitor that thread.






    ------------------------------
    Andrew Romero
    Storage Administrator
    ------------------------------



  • 14.  RE: How to restrict anonymous or un authentication hitachi hnas cifs share access

    Posted 04-27-2023 08:49

    Must be a host-side thing; that folder doesn't exist on the SMU or on the server itself.



    ------------------------------
    Albert Hagopian
    Software Development Engineer - Specialist
    Hitachi Vantara
    ------------------------------