By default, NFS Server runs as a LocalSystem service from the system account. Usually, this is the Administrator's account, which by default also has Full Control access rights. NFS Server does not change existing NT permissions on directories and files. If the remote system has Full access rights to the exported share, NFS Server exports the file system privileges of the local user (that is, the user account under which NFS Server is started) to the remote system. This is important on Windows NT with an NTFS file system, where files have been marked with additional security attributes.
In effect, a remote user on an NFS Client who accesses files on a Windows NT machine has the privileges of the account under which the NFS Server service is started.
You can limit the access privileges of users on remote systems as follows:
Create a user account with limited access rights and permissions, and configure NFS Server to run from that account. NFS Server will take on the security attributes specified for that account and export those privileges to the remote system. Refer to the Microsoft Windows NT Workstation or Server documentation for instructions on creating user accounts.
For shared folders and drives that contain important files, restrict access to read-only or restrict access to well-known and trusted hosts.
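The following Python check is an added example, not part of the product documentation. It applies both recommendations above to constructed input: it reads the service logon account from `sc qc` output and flags exports that are neither read-only nor limited to named hosts. The service name `ExampleNfsServer`, the account list and the export record structure are assumptions made for illustration; the product's own export configuration format is not shown on this page.

```python
import re

# Accounts whose privileges should not be exported to remote NFS clients
# (assumed list for this example).
PRIVILEGED = {"localsystem", "nt authority\\system", ".\\administrator"}

# Constructed sample: `sc qc` output for a hypothetical service name.
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExampleNfsServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\example\nfsd.exe
        SERVICE_START_NAME : LocalSystem
"""

# Constructed export records (hypothetical structure, not the product's format).
EXPORTS_SAMPLE = [
    {"path": r"D:\payroll", "mode": "rw", "hosts": ["*"]},
    {"path": r"D:\docs", "mode": "ro", "hosts": ["*"]},
    {"path": r"D:\build", "mode": "rw", "hosts": ["buildhost1"]},
]

def service_account(sc_qc_output):
    """Return the logon account from `sc qc` output, or None if absent."""
    m = re.search(r"^[ \t]*SERVICE_START_NAME[ \t]*:[ \t]*(\S.*?)[ \t]*$",
                  sc_qc_output, re.M)
    return m.group(1) if m else None

def audit(sc_qc_output, exports):
    """Return findings for the service account, then for each export."""
    findings = []
    account = service_account(sc_qc_output)
    if account is None:
        findings.append("service logon account not found in input")
    elif account.lower() in PRIVILEGED:
        findings.append(f"service runs as {account}: remote users inherit its rights")
    for e in exports:
        # An export is acceptable if it is read-only OR limited to named hosts.
        open_hosts = not e["hosts"] or "*" in e["hosts"]
        if e["mode"] != "ro" and open_hosts:
            findings.append(f"{e['path']}: writable and not restricted to trusted hosts")
    return findings

if __name__ == "__main__":
    for line in audit(SC_QC_SAMPLE, EXPORTS_SAMPLE):
        print(line)
```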