Oracle ZFS Storage Appliance Security Overview
The SMB protocol (also known as Common Internet File System (CIFS), which is strictly the name of one SMB version 1 dialect) primarily provides shared access to files on a Microsoft Windows network. It also authenticates the connecting user before granting that access.
The following SMB options have security implications:
Restrict Anonymous Access to share list - This option requires clients to authenticate using SMB before receiving a list of shares. If this option is disabled, anonymous clients can access the list of shares. This option is disabled by default.
SMB Signing Enabled - This option enables interoperability with SMB clients that use the SMB signing feature. If the option is enabled, a signed packet has its signature verified. If the option is disabled, an unsigned packet is accepted without signature verification, so signing is never enforced on a client that simply does not sign. This option is disabled by default.
SMB Signing Required - This option is used when SMB signing must be enforced. When the option is enabled, all SMB packets must be signed or they are rejected. Clients that do not support SMB signing are unable to connect to the server. This option is disabled by default.
Enable Access-based Enumeration - Setting this option filters directory entries based on the credentials of the client. When the client does not have access to a file or directory, that file will be omitted from the list of entries returned to the client. This option is disabled by default.
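The two signing options above are advertised to clients in the SecurityMode field of the server's NEGOTIATE response, which is the cheapest place to verify from the client side what an appliance actually enforces. The following is an added example, not code from the Oracle documentation or the appliance: it parses the SecurityMode of a raw SMB1 (NT LM 0.12) or SMB2 NEGOTIATE response using the field layouts from MS-CIFS and MS-SMB2, and classifies the signing posture as off, negotiable, or required. The sample responses are constructed inline (the builder functions, flag values in the header, and the `signing_posture` labels are this example's own choices); a real check would send a NEGOTIATE request to port 445 first and feed the reply, minus its 4-byte NetBIOS session header, to `parse_negotiate_response`. The example also handles SMB2 responses, which the page does not cover, to show that an SMB1 dialect can never report an encryption capability while SMB 3.x dialects can.

```python
"""Read the signing posture an SMB server advertises in its NEGOTIATE response.

Added example (not Oracle's code).  Field offsets follow MS-CIFS 2.2.4.52.2
for SMB1 and MS-SMB2 2.2.4 for SMB2; sample messages are constructed below.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"

# SMB1 NEGOTIATE response SecurityMode bits
SMB1_USER_SECURITY = 0x01
SMB1_ENCRYPT_PASSWORDS = 0x02
SMB1_SIGN_ENABLED = 0x04
SMB1_SIGN_REQUIRED = 0x08
# SMB2 NEGOTIATE response SecurityMode bits
SMB2_SIGN_ENABLED = 0x0001
SMB2_SIGN_REQUIRED = 0x0002


def parse_negotiate_response(msg: bytes) -> dict:
    """Return signing/encryption facts from a NEGOTIATE response (NetBIOS header stripped)."""
    if msg.startswith(SMB1_MAGIC):
        if len(msg) < 32 + 1 + 34:
            raise ValueError("truncated SMB1 negotiate response")
        if msg[4] != 0x72:                      # SMB_COM_NEGOTIATE
            raise ValueError("not an SMB_COM_NEGOTIATE response")
        if msg[32] != 17:                       # WordCount of the NT LM 0.12 form
            raise ValueError("only the NT LM 0.12 response carries SecurityMode")
        dialect_index, security_mode = struct.unpack_from("<HB", msg, 33)
        return {
            "protocol": "SMB1",
            "dialect": f"index {dialect_index}",
            "signing_enabled": bool(security_mode & SMB1_SIGN_ENABLED),
            "signing_required": bool(security_mode & SMB1_SIGN_REQUIRED),
            "encryption_possible": False,       # SMB1 has no wire encryption at all
        }
    if msg.startswith(SMB2_MAGIC):
        if len(msg) < 64 + 6:
            raise ValueError("truncated SMB2 negotiate response")
        (command,) = struct.unpack_from("<H", msg, 12)
        if command != 0x0000:                   # SMB2 NEGOTIATE
            raise ValueError("not an SMB2 NEGOTIATE response")
        structure_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
        if structure_size != 65:
            raise ValueError("unexpected SMB2 NEGOTIATE response StructureSize")
        return {
            "protocol": "SMB2",
            "dialect": f"0x{dialect:04x}",
            "signing_enabled": bool(security_mode & SMB2_SIGN_ENABLED),
            "signing_required": bool(security_mode & SMB2_SIGN_REQUIRED),
            "encryption_possible": dialect >= 0x0300,  # encryption exists from SMB 3.0 up
        }
    raise ValueError("not an SMB message")


def signing_posture(info: dict) -> str:
    """Map parsed flags onto the three postures the appliance options can produce."""
    if info["signing_required"]:
        return "required"
    if info["signing_enabled"]:
        return "negotiable"     # unsigned clients are still accepted unsigned
    return "off"


def build_smb1_negotiate_response(security_mode: int) -> bytes:
    """Constructed minimal SMB1 NT LM 0.12 negotiate response (values are illustrative)."""
    header = SMB1_MAGIC + bytes([0x72]) + b"\x00" * 4          # command, NT_STATUS_SUCCESS
    header += bytes([0x98]) + struct.pack("<H", 0xC803)          # Flags (reply), Flags2
    header += b"\x00" * 12                                      # PIDHigh, SecurityFeatures, Reserved
    header += struct.pack("<HHHH", 0, 0xFEFF, 0, 0)             # TID, PIDLow, UID, MID
    params = struct.pack("<HBHHIIIIqhB", 0, security_mode, 50, 1, 16644, 65536,
                         0, 0x8000E3FD, 0, 0, 8)                # 17 words of parameters
    challenge = b"\x11" * 8                                     # constructed challenge bytes
    return header + bytes([17]) + params + struct.pack("<H", len(challenge)) + challenge


def build_smb2_negotiate_response(security_mode: int, dialect: int) -> bytes:
    """Constructed minimal SMB2 NEGOTIATE response (values are illustrative)."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0x0000, 1,
                                      0x00000001, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x22" * 16
    body += struct.pack("<IIII", 0, 8388608, 8388608, 8388608) + struct.pack("<QQ", 0, 0)
    body += struct.pack("<HHI", 128, 0, 0) + b"\x00"
    return header + body


if __name__ == "__main__":
    for sample in (build_smb1_negotiate_response(0x03),
                   build_smb1_negotiate_response(0x0F),
                   build_smb2_negotiate_response(0x0003, 0x0311)):
        info = parse_negotiate_response(sample)
        print(info["protocol"], info["dialect"], signing_posture(info), info["encryption_possible"])
```

On an SMB1-only server the "off" and "negotiable" postures both leave a non-signing client unprotected against tampering; only "required" forces every session to be signed, at the cost of rejecting clients that cannot sign.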
Active Directory (AD) Domain Mode Authentication
In Domain Mode, users are defined in Active Directory. SMB clients can connect to the ZFSSA using Kerberos or NTLM authentication.
When a user connects via a fully-qualified ZFSSA hostname, Windows clients in the same domain or a trusted domain use Kerberos authentication; otherwise they fall back to NTLM authentication.
When an SMB client uses NTLM authentication to connect to the ZFSSA, the user's credentials are forwarded to the AD Domain Controller for authentication. This is called pass-through authentication.
If Windows security policies restricting NTLM authentication are defined, Windows clients must connect to the ZFSSA via a fully-qualified hostname so that Kerberos is used. For more information, see this Microsoft TechNet article: http://technet.microsoft.com/en-us/library/jj865668%28v=ws.10%29.aspx.
After authentication a "security context" is established for the user's SMB session. The user represented by the security context has a unique Security Identifier (SID). The SID denotes file ownership and is used to determine file access privileges.
In Workgroup Mode, users are defined locally on the ZFSSA. When an SMB client connects to a ZFSSA in Workgroup Mode, that user's user name and password hashes are used to authenticate the user locally.
The LAN Manager (LM) compatibility level specifies which authentication protocols the ZFSSA accepts when it is in Workgroup Mode.
The following list shows the ZFSSA behavior for each LM compatibility level:
Level 2: Accepts LM, NTLM and NTLMv2 authentication
Level 3: Accepts LM, NTLM and NTLMv2 authentication
Level 4: Accepts NTLM and NTLMv2 authentication
Level 5: Accepts NTLMv2 authentication only.
Levels 2 and 3 differ only in what a Windows client sends, not in what a server accepts, which is why the ZFSSA behaves the same at both. LM and NTLM responses are derived from weak hashes and are vulnerable to offline cracking and relay, so level 5 is the appropriate setting wherever all clients support NTLMv2.
Once the Workgroup user is successfully authenticated a security context is established. A unique SID is created for users defined on the ZFSSA using a combination of the machine's SID and the user's UID. All local users are defined as UNIX users.
Local groups are groups defined on the ZFSSA whose members are domain users; membership grants those users additional privileges. Members of Administrators can bypass file permissions to change the ownership of files. Members of Backup Operators can bypass file access controls to back up and restore files.
Administrative Operations via the Microsoft Management Console (MMC)
To ensure that only the appropriate users have access to administrative operations, there are access restrictions on the operations that can be performed remotely using MMC.
The following list shows the users and their allowed operations:
Regular users - List shares
Members of the Administrators group - List open files and close files, disconnect user connections, view services and the event log, and set or modify share-level ACLs
The Virus Scan service scans for viruses at the file system level. When a file is accessed from any protocol, the Virus Scan service first scans the file, and both denies access and quarantines the file if a virus is found. The scan is performed by an external engine that the ZFSSA contacts. The external engine is not included in ZFSSA software.
Once a file has been scanned with the latest virus definitions, it is not rescanned until it is next modified. Virus scanning is provided mainly for SMB clients, which are the most likely to introduce viruses. NFS clients can also use virus scanning, but due to the way the NFS protocol works a virus may not be detected as quickly as with an SMB client.
The SMB service does not implement a delay engine that throttles or delays repeated failed authentication attempts; it relies on the Solaris cryptographic framework for its cryptographic operations. Online password guessing against Workgroup Mode accounts is therefore not slowed by the appliance itself, so failed SMB logins should be monitored externally.
The SMB service uses version 1 of the SMB protocol, which does not support data encryption on the wire. SMB signing, described above, protects the integrity and authenticity of messages only; it does not hide file contents from anyone who can observe the network path, so sensitive shares should be reachable only over trusted networks.