Considerations for Security
Consider security when using NFS export and Unix permissions from Microsoft Windows and folder permissions.
Considerations for Export
Consider the following security best practices for NFS Export settings:
- Do not enable SYS authentication together with Kerberos authentication. This ensures that users cannot mount the export without the Kerberos option to bypass Active Directory authentication. If SYS authentication is needed, create another export on the file system and allow only secure CIDR or IP addresses to use SYS authentication.
- Consider enabling root squash so that no clients can get root access to the file system. If root access is required, create another export on the file system and allow only secure CIDR or IP addresses for root access.
- When anonymous access is enabled, all users that don't exist in LDAP, or users without RFC2307 attributes, get the anonymous uid and gid set in the export options. Disable anonymous access if this is not preferred.
- Squashing all users to a uid and gid lets all Active Directory authenticated users access the file system with the same level of permissions. Use this option with caution.
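
The checks above can be run against export settings before they are applied. The following is an added example, not code from the original page or from any product: the option schema (source, allowed_auth, squash, anonymous_access), the squash values NONE, ROOT and ALL, and the list of secure CIDRs are assumptions made for illustration.

```python
import ipaddress

KERBEROS = {"KRB5", "KRB5I", "KRB5P"}  # NFS Kerberos security flavours

def audit_export(options, secure_cidrs):
    """Check one export's client options against the practices listed above.

    options: list of dicts in a hypothetical schema (source, allowed_auth,
    squash = NONE | ROOT | ALL, anonymous_access).
    Returns a list of (source, level, message) tuples.
    """
    secure_nets = [ipaddress.ip_network(c) for c in secure_cidrs]
    findings = []
    for opt in options:
        src = ipaddress.ip_network(opt["source"])
        auth = set(opt["allowed_auth"])
        # A source counts as secure only if it lies inside an approved range.
        secure = any(src.version == n.version and src.subnet_of(n)
                     for n in secure_nets)
        if "SYS" in auth and auth & KERBEROS:
            findings.append((opt["source"], "FAIL", "SYS enabled together with Kerberos"))
        elif "SYS" in auth and not secure:
            findings.append((opt["source"], "FAIL", "SYS allowed outside secure CIDRs"))
        if opt["squash"] == "NONE" and not secure:
            findings.append((opt["source"], "FAIL", "root access outside secure CIDRs"))
        elif opt["squash"] == "ALL":
            findings.append((opt["source"], "REVIEW", "all users share one uid/gid"))
        if opt["anonymous_access"]:
            findings.append((opt["source"], "REVIEW", "anonymous uid/gid fallback enabled"))
    return findings

# Constructed sample data, not taken from any real deployment.
SECURE_CIDRS = ["10.0.5.0/24"]
WEAK = [{"source": "0.0.0.0/0", "allowed_auth": ["SYS", "KRB5"],
         "squash": "NONE", "anonymous_access": True}]
# Hardened layout: Kerberos-only export, plus a separate SYS export
# restricted to a secure range, both with root squash.
HARDENED_KRB = [{"source": "10.0.0.0/16", "allowed_auth": ["KRB5"],
                 "squash": "ROOT", "anonymous_access": False}]
HARDENED_SYS = [{"source": "10.0.5.0/28", "allowed_auth": ["SYS"],
                 "squash": "ROOT", "anonymous_access": False}]

if __name__ == "__main__":
    for name, export in (("weak", WEAK), ("kerberos", HARDENED_KRB), ("sys", HARDENED_SYS)):
        print(name)
        for finding in audit_export(export, SECURE_CIDRS):
            print("  ", *finding)
```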