在卷或 qtree 上配置存储级别访问防护需要遵循许多步骤。存储级别访问防护提供在存储级别设置的访问安全性级别。它提供的安全性将适用于从所有 NAS 协议到应用了该防护的存储对象的所有访问。
Vserver: vs1 NTFS Security Owner Name Descriptor Name ------------ -------------- sd1 -
使用以下四个默认 DACL 访问控制条目 (ACE) 创建安全描述符:
Vserver: vs1 NTFS Security Descriptor Name: sd1 Account Name Access Access Apply To Type Rights -------------- ------- ------- ----------- BUILTIN\Administrators allow full-control this-folder, sub-folders, files BUILTIN\Users allow full-control this-folder, sub-folders, files CREATOR OWNER allow full-control this-folder, sub-folders, files NT AUTHORITY\SYSTEM allow full-control this-folder, sub-folders, files
如果您在配置存储级别访问防护时不想使用默认条目,则可以在创建自己的 ACE 并将其添加到安全描述符之前将其删除。
在此示例中,从安全描述符中删除三个默认 DACL ACE:BUILTIN\Administrators、BUILTIN\Users 和 CREATOR OWNER。
vserver security file-directory ntfs dacl remove -vserver vs1 -ntfs-sd sd1 -access-type allow -account builtin\usersvserver security file-directory ntfs dacl remove -vserver vs1 -ntfs-sd sd1 -access-type allow -account builtin\administratorsvserver security file-directory ntfs dacl remove -vserver vs1 -ntfs-sd sd1 -access-type allow -account "creator owner"在此示例中,命令的输出验证是否已从安全描述符中删除三个默认 DACL ACE,仅保留 NT AUTHORITY\SYSTEM 默认 DACL ACE 条目:
vserver security file-directory ntfs dacl show -vserver vs1Vserver: vs1 NTFS Security Descriptor Name: sd1 Account Name Access Access Apply To Type Rights -------------- ------- ------- ----------- NT AUTHORITY\SYSTEM allow full-control this-folder, sub-folders, files
在此示例中,将两个 DACL ACE 添加到安全描述符中:
vserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd sd1 -access-type allow -account example\engineering -rights full-control -apply-to this-folder,sub-folders,filesvserver security file-directory ntfs dacl add -vserver vs1 -ntfs-sd sd1 -access-type allow -account "example\Domain Users" -rights read -apply-to this-folder,sub-folders,files在此示例中,将两个 SACL ACE 添加到安全描述符中:
vserver security file-directory ntfs sacl add -vserver vs1 -ntfs-sd sd1 -access-type failure -account "example\Domain Users" -rights read -apply-to this-folder,sub-folders,filesvserver security file-directory ntfs sacl add -vserver vs1 -ntfs-sd sd1 -access-type success -account example\engineering -rights full-control -apply-to this-folder,sub-folders,files在此示例中,以下命令显示有关安全描述符“sd1”的 DACL 条目的信息:
vserver security file-directory ntfs dacl show -vserver vs1 -ntfs-sd sd1Vserver: vs1 NTFS Security Descriptor Name: sd1 Account Name Access Access Apply To Type Rights -------------- ------- ------- ----------- EXAMPLE\Domain Users allow read this-folder, sub-folders, files EXAMPLE\engineering allow full-control this-folder, sub-folders, files NT AUTHORITY\SYSTEM allow full-control this-folder, sub-folders, files
在此示例中,以下命令显示有关安全描述符“sd1”的 SACL 条目的信息:
vserver security file-directory ntfs sacl show -vserver vs1 -ntfs-sd sd1Vserver: vs1 NTFS Security Descriptor Name: sd1 Account Name Access Access Apply To Type Rights -------------- ------- ------- ----------- EXAMPLE\Domain Users failure read this-folder, sub-folders, files EXAMPLE\engineering success full-control this-folder, sub-folders, files
以下示例将创建一个名为“policy1”的策略:
vserver security file-directory policy create -vserver vs1 -policy-name policy1Vserver Policy Name ------------ -------------- vs1 policy1
即使策略可以包含多个存储级别访问防护任务,您也无法将策略配置为包含文件目录和存储级别访问防护任务。策略必须包含所有存储级别访问防护任务或所有文件目录任务。
在此示例中,任务将添加到名为“policy1”的策略中,该策略已分配给安全描述符“sd1”。它已分配给 /datavol1 路径,且访问控制类型设置为 “slag”。
vserver security file-directory policy task add -vserver vs1 -policy-name policy1 -path /datavol1 -access-control slag -security-type ntfs -ntfs-mode propagate -ntfs-sd sd1Vserver: vs1 Policy: policy1 Index File/Folder Access Security NTFS NTFS Security Path Control Type Mode Descriptor Name ----- ----------- --------------- -------- ---------- --------------- 1 /datavol1 slag ntfs propagate sd1
在此示例中,该命令的输出显示已将存储级别访问防护安全性应用于 NTFS 卷 /datavol1。即使默认 DACL 允许对所有人进行完全控制,存储级别访问防护安全性也会限制(和审核)对存储级别访问防护设置中定义的组的访问。
vserver security file-directory show -vserver vs1 -path /datavol1Vserver: vs1 File Path: /datavol1 File Inode Number: 77 Security Style: ntfs Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - Unix User Id: 0 Unix Group Id: 0 Unix Mode Bits: 777 Unix Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8004 Owner:BUILTIN\Administrators Group:BUILTIN\Administrators DACL - ACEs ALLOW-Everyone-0x1f01ff ALLOW-Everyone-0x10000000-OI|CI|IO Storage-Level Access Guard security SACL (Applies to Directories): AUDIT-EXAMPLE\Domain Users-0x120089-FA AUDIT-EXAMPLE\engineering-0x1f01ff-SA DACL (Applies to Directories): ALLOW-EXAMPLE\Domain Users-0x120089 ALLOW-EXAMPLE\engineering-0x1f01ff ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff SACL (Applies to Files): AUDIT-EXAMPLE\Domain Users-0x120089-FA AUDIT-EXAMPLE\engineering-0x1f01ff-SA DACL (Applies to Files): ALLOW-EXAMPLE\Domain Users-0x120089 ALLOW-EXAMPLE\engineering-0x1f01ff ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff