Release notes
Configure Storage-Level Access Guard
Suggest changes
-
PDF of this doc site
-
Cluster administration
-
Volume administration
-
Logical storage management with the CLI
-
-
NAS storage management
-
Configure NFS with the CLI
-
Manage NFS with the CLI
-
Manage SMB with the CLI
-
Manage file access using SMB
-
-
-
Security and data encryption
-
Data protection and disaster recovery
-
Collection of separate PDF docs
Creating your file...
There are a number of steps you need to follow to configure Storage-Level Access Guard on a volume or qtree. Storage-Level Access Guard provides a level of access security that is set at the storage level. It provides security that applies to all accesses from all NAS protocols to the storage object to which it has been applied.
-
Create a security descriptor by using the
vserver security file-directory ntfs createcommand.vserver security file-directory ntfs create -vserver vs1 -ntfs-sd sd1vserver security file-directory ntfs show -vserver vs1Vserver: vs1 NTFS Security Owner Name Descriptor Name ------------ -------------- sd1 -
A security descriptor is created with the following four default DACL access control entries (ACEs):
Vserver: vs1 NTFS Security Descriptor Name: sd1 Account Name Access Access Apply To Type Rights -------------- ------- ------- ----------- BUILTIN\Administrators allow full-control this-folder, sub-folders, files BUILTIN\Users allow full-control this-folder, sub-folders, files CREATOR OWNER allow full-control this-folder, sub-folders, files NT AUTHORITY\SYSTEM allow full-control this-folder, sub-folders, filesIf you do not want to use the default entries when configuring Storage-Level Access Guard, you can remove them prior to creating and adding your own ACEs to the security descriptor.
-
Remove any of the default DACL ACEs from the security descriptor that you do not want configured with Storage-Level Access Guard security:
-
Remove any unwanted DACL ACEs by using the
vserver security file-directory ntfs dacl removecommand.In this example, three default DACL ACEs are removed from the security descriptor: BUILTIN\Administrators, BUILTIN\Users, and CREATOR OWNER.
vserver security file-directory ntfs dacl remove -vserver vs1 -ntfs-sd sd1 -access-type allow -account builtin\usersvserver security file-directory ntfs dacl remove -vserver vs1 -ntfs-sd sd1 -access-type allow -account builtin\administratorsvserver security file-directory ntfs dacl remove -vserver vs1 -ntfs-sd sd1 -access-type allow -account "creator owner" -
Verify that the DACL ACEs you do not want to use for Storage-Level Access Guard security are removed from the security descriptor by using the
vserver security file-directory ntfs dacl showcommand.In this example, the output from the command verifies that three default DACL ACEs have been removed from the security descriptor, leaving only the NT AUTHORITY\SYSTEM default DACL ACE entry:
vserver security file-directory ntfs dacl show -vserver vs1Vserver: vs1 NTFS Security Descriptor Name: sd1 Account Name Access Access Apply To Type Rights -------------- ------- ------- ----------- NT AUTHORITY\SYSTEM allow full-control this-folder, sub-folders, files
-
-
Add one or more DACL entries to a security descriptor by using the
vserver security file-directory ntfs dacl addcommand.In this example, two DACL ACEs are added to the security descriptor:
vserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd sd1 -access-type allow -account example\engineering -rights full-control -apply-to this-folder,sub-folders,filesvserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd sd1 -access-type allow -account "example\Domain Users" -rights read -apply-to this-folder,sub-folders,files -
Add one or more SACL entries to a security descriptor by using the
vserver security file-directory ntfs sacl addcommand.In this example, two SACL ACEs are added to the security descriptor:
vserver security file-directory ntfs sacl add -vserver vs1 -ntfs-sd sd1 -access-type failure -account "example\Domain Users" -rights read -apply-to this-folder,sub-folders,filesvserver security file-directory ntfs sacl add -vserver vs1 -ntfs-sd sd1 -access-type success -account example\engineering -rights full-control -apply-to this-folder,sub-folders,files -
Verify that the DACL and SACL ACEs are configured correctly by using the
vserver security file-directory ntfs dacl showandvserver security file-directory ntfs sacl showcommands, respectively.In this example, the following command displays information about DACL entries for security descriptor “sd1”:
vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd1Vserver: vs1 NTFS Security Descriptor Name: sd1 Account Name Access Access Apply To Type Rights -------------- ------- ------- ----------- EXAMPLE\Domain Users allow read this-folder, sub-folders, files EXAMPLE\engineering allow full-control this-folder, sub-folders, files NT AUTHORITY\SYSTEM allow full-control this-folder, sub-folders, filesIn this example, the following command displays information about SACL entries for security descriptor “sd1”:
vserver security file-directory ntfs sacl show -vserver vs1 -ntfs-sd sd1Vserver: vs1 NTFS Security Descriptor Name: sd1 Account Name Access Access Apply To Type Rights -------------- ------- ------- ----------- EXAMPLE\Domain Users failure read this-folder, sub-folders, files EXAMPLE\engineering success full-control this-folder, sub-folders, files -
Create a security policy by using the
vserver security file-directory policy createcommand.The following example creates a policy named “policy1”:
vserver security file-directory policy create -vserver vs1 -policy-name policy1 -
Verify that the policy is correctly configured by using the
vserver security file-directory policy showcommand.vserver security file-directory policy showVserver Policy Name ------------ -------------- vs1 policy1
-
Add a task with an associated security descriptor to the security policy by using the
vserver security file-directory policy task addcommand with the-access-controlparameter set toslag.Even though a policy can contain more than one Storage-Level Access Guard task, you cannot configure a policy to contain both file-directory and Storage-Level Access Guard tasks. A policy must contain either all Storage-Level Access Guard tasks or all file-directory tasks.
In this example, a task is added to the policy named “policy1”, which is assigned to security descriptor “sd1”. It is assigned to the
/datavol1path with the access control type set to “slag”.vserver security file-directory policy task add -vserver vs1 -policy-name policy1 -path /datavol1 -access-control slag -security-type ntfs -ntfs-mode propagate -ntfs-sd sd1 -
Verify that the task is configured correctly by using the
vserver security file-directory policy task showcommand.vserver security file-directory policy task show -vserver vs1 -policy-name policy1Vserver: vs1 Policy: policy1 Index File/Folder Access Security NTFS NTFS Security Path Control Type Mode Descriptor Name ----- ----------- --------------- -------- ---------- --------------- 1 /datavol1 slag ntfs propagate sd1 -
Apply the Storage-Level Access Guard security policy by using the
vserver security file-directory applycommand.vserver security file-directory apply -vserver vs1 -policy-name policy1The job to apply the security policy is scheduled.
-
Verify that the applied Storage-Level Access Guard security settings are correct by using the
vserver security file-directory showcommand.In this example, the output from the command shows that Storage-Level Access Guard security has been applied to the NTFS volume
/datavol1. Even though the default DACL allowing Full Control to Everyone remains, Storage-Level Access Guard security restricts (and audits) access to the groups defined in the Storage-Level Access Guard settings.vserver security file-directory show -vserver vs1 -path /datavol1Vserver: vs1 File Path: /datavol1 File Inode Number: 77 Security Style: ntfs Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - Unix User Id: 0 Unix Group Id: 0 Unix Mode Bits: 777 Unix Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8004 Owner:BUILTIN\Administrators Group:BUILTIN\Administrators DACL - ACEs ALLOW-Everyone-0x1f01ff ALLOW-Everyone-0x10000000-OI|CI|IO Storage-Level Access Guard security SACL (Applies to Directories): AUDIT-EXAMPLE\Domain Users-0x120089-FA AUDIT-EXAMPLE\engineering-0x1f01ff-SA DACL (Applies to Directories): ALLOW-EXAMPLE\Domain Users-0x120089 ALLOW-EXAMPLE\engineering-0x1f01ff ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff SACL (Applies to Files): AUDIT-EXAMPLE\Domain Users-0x120089-FA AUDIT-EXAMPLE\engineering-0x1f01ff-SA DACL (Applies to Files): ALLOW-EXAMPLE\Domain Users-0x120089 ALLOW-EXAMPLE\engineering-0x1f01ff ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff