As previously mentioned, the
fi
le-sharing security model of the storage server is based on the NTFS
fi
le-level security model. Share security seamlessly integrates with
fi
le security. In addition to discussing
share management, this section discusses share security.
Share considerations
Planning the content, size, and distribution of shares on the storage server can improve performance,
manageability, and ease of use.
The content of shares should be carefully chosen to avoid two common pitfalls: either having too many
shares of a very speci
fi
c nature, or of having very few shares of a generic nature. For example, shares for
general use are easier to set up in the beginning, but can cause problems later. Frequently, a better
approach is to create separate shares with a speci
fi
c purpose or group of users in mind. However,
creating too many shares also has its drawbacks. For example, if it is suf
fi
cient to create a single share
for user home directories, create a “homes” share rather than creating separate shares for each user.
By keeping the number of shares and other resources low, the performance of the storage server is
optimized. For example, instead of sharing out each individual user’s home directory as its own share,
share out the top-level directory and let the users map personal drives to their own subdirectory.
De
fi
ning Access Control Lists
The Access Control List (ACL) contains the information that dictates which users and groups have access
to a share, as well as the type of access that is permitted. Each share on an NTFS
fi
le system has one
ACL with multiple associated user permissions. For example, an ACL can de
fi
ne that User1 has read
and write access to a share, User2 has read only access, and User3 has no access to the share. The
ACL also includes group access information that applies to every user in a con
fi
gured group. ACLs are
also referred to as permissions.
Integrating local
fi
le system security into Windows domain environments
ACLs include properties speci
fi
c to users and groups from a particular workgroup server or domain
environment. In a multidomain environment, user and group permissions from several domains can apply
to
fi
les stored on the same device. Users and groups local to the storage server can be given access
permissions to shares managed by the device. The domain name of the storage server supplies the
context in which the user or group is understood. Permission con
fi
guration depends on the network and
domain infrastructure where the server resides.
File-sharing protocols (except NFS) supply a user and group context for all connections over the network.
(NFS supplies a machine-based context.) When new
fi
les are created by those users or machines, the
appropriate ACLs are applied.
Con
fi
guration tools provide the ability to share permissions out to clients. These shared permissions are
propagated into a
fi
le system ACL, and when new
fi
les are created over the network, the user creating the
fi
le becomes the
fi
le owner. In cases where a speci
fi
c subdirectory of a share has different permissions
from the share itself, the NTFS permissions on the subdirectory apply instead. This method results in a
hierarchical security model where the network protocol permissions and the
fi
le permissions work together
to provide appropriate security for shares on the device.
NOTE:
Share permissions and
fi
le-level permissions are implemented separately. It is possible for
fi
les on a
fi
le system to have different permissions from those applied to a share. When this situation occurs, the
fi
le-level permissions override the share permissions.
Comparing administrative (hidden) and standard shares
CIFS supports both administrative shares and standard shares.
•
Administrative shares are shares with a last character of $. Administrative shares are not included
in the list of shares when a client browses for available shares on a CIFS server.
80
File server management
Summary of Contents for ProLiant DL380 G5 DPSS
Page 24: ...24 The HP storage server solution ...
Page 96: ...96 Print services ...
Page 152: ...152 Network adapter teaming ...