Blocking User Access

10/16/2024 Contributors

Once an attack is detected, Workload Security can stop the attack by blocking user access to the file system. Access can be blocked automatically, using Automated Response Policies or manually from the alert or user details pages.

When blocking user access, you should define a blocking time period. After the selected time period ends, user access is automatically restored.
Access blocking is supported for both SMB and NFS protocols.

User is directly blocked for SMB and IP address of the host machines causing the attack will be blocked for NFS. Those machine IP addresses will be blocked from accessing any of the Storage Virtual Machines (SVMs) monitored by Workload Security.

For example, let’s say Workload Security manages 10 SVMs and the Automatic Response Policy is configured for four of those SVMs. If the attack originates in one of the four SVMs, the user’s access will be blocked in all 10 SVMs. A Snapshot is still taken on the originating SVM.

If there are four SVMs with one SVM configured for SMB, one configured for NFS, and the remaining two configured for both NFS and SMB, all the SVMs will be blocked if the attack originates in any of the four SVMs.

Prerequisites for User Access Blocking

Cluster level credentials are needed for this feature to work.

If you are using cluster administration credentials, no new permissions are needed.

If you are using a custom user (for example, csuser) with permissions given to the user, then follow the steps below to give permissions to Workload Security to block user.

For csuser with cluster credentials, do the following from the ONTAP command line:

security login role create -role csrole -cmddirname "vserver export-policy rule" -access all
security login role create -role csrole -cmddirname set -access all
security login role create -role csrole -cmddirname "vserver cifs session" -access all
security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all
security login role create -role csrole -cmddirname "vserver name-mapping" -access all

Be sure to review the Permissions section of the Configuring the ONTAP SVM Data Collector page as well.

How to enable the feature?

In Workload Security, navigate to Workload Security > Policies > Automated Response Policies. Choose +Attack Policy.
Select (check) Block User File Access.

How to set up Automatic user access blocking?

Create a new Attack Policy or edit an existing Attack policy.
Select the SVMs on which the attack policy should be monitored.
Click on the checkbox “Block User File Access”. The feature will be enabled when this is selected.
Under “Time Period” select the time until which the blocking should be applied.
To test automatic user blocking,, you can simulate an attack via a simulated script.

How to know if there are blocked users in the system?

In the alert lists page, a banner on the top of screen will be displayed in case any user is blocked.
Clicking on the banner will take you to the “Users” page, where the list of blocked users can be seen.
In the “Users” page, there in a column named “User/IP Access”. In that column, the current state of user blocking will be displayed.

Restrict and manage user access manually

You can go to the alert details or user details screen and then manually block or restore a user from those screens.

User Access Limitation History

In the alert details and user details page, in the user panel, you can view an audit of the user’s access limitation history: Time, Action (Block, Unblock), duration, action taken by, manual/automatic, and affected IPs for NFS.

How to disable the feature?

At any time, you can disable the feature. If there are restricted users in the system, you must restore their access first.

In Workload Security, navigate to Workload Security > Policies > Automated Response Policies. Choose +Attack Policy.
De-select (uncheck) Block User File Access.

The feature will be hidden from all pages.

Manually Restore IPs for NFS

Use the following steps to manually restore any IPs from ONTAP if your Workload Security trial expires, or if the agent/collector is down.

List all export policies on an SVM.

contrail-qa-fas8020::> export-policy rule show -vserver <svm name>
             Policy          Rule    Access   Client                RO
Vserver      Name            Index   Protocol Match                 Rule
------------ --------------- ------  -------- --------------------- ---------
svm0        default         1       nfs3,    cloudsecure_rule,     never
                                    nfs4,    10.11.12.13
                                    cifs
svm1        default         4       cifs,    0.0.0.0/0             any
                                    nfs
svm2        test            1       nfs3,    cloudsecure_rule,     never
                                    nfs4,    10.11.12.13
                                    cifs
svm3        test            3       cifs,    0.0.0.0/0             any
                                    nfs,
                                    flexcache
4 entries were displayed.

Delete the rules across all policies on the SVM which have “cloudsecure_rule” as Client Match by specifying its respective RuleIndex. Workload Security rule will usually be at 1.
```
contrail-qa-fas8020::*> export-policy rule delete -vserver <svm name> -policyname * -ruleindex 1
```

Ensure Workload Security rule is deleted (optional step to confirm).

contrail-qa-fas8020::*> export-policy rule show -vserver <svm name>
             Policy          Rule    Access   Client                RO
Vserver      Name            Index   Protocol Match                 Rule
------------ --------------- ------  -------- --------------------- ---------
svm0         default         4       cifs,    0.0.0.0/0             any
                                    nfs
svm2         test            3       cifs,    0.0.0.0/0             any
                                    nfs,
                                    flexcache
2 entries were displayed.

Manually Restore Users for SMB

Use the following steps to manually restore any users from ONTAP if your Workload Security trial expires, or if the agent/collector is down.

You can get the list of users blocked in Workload Security from the users list page.

Login to the ONTAP cluster (where you want to unblock users) with cluster admin credentials. (For Amazon FSx, login with FSx credentials).

Run the following command to list all users blocked by Workload Security for SMB in all SVMs:

vserver name-mapping show -direction win-unix -replacement " "

Vserver:   <vservername>
Direction: win-unix
Position Hostname         IP Address/Mask
-------- ---------------- ----------------
1       -                 -                   Pattern: CSLAB\\US040
                                         Replacement:
2       -                 -                   Pattern: CSLAB\\US030
                                         Replacement:
2 entries were displayed.

In the above output, 2 users were blocked (US030, US040) with domain CSLAB.

Once we identify the position from the above output, run the following command to unblock the user:
```
vserver name-mapping delete -direction win-unix -position <position>
```

Confirm the users are unblocked by running the command:

vserver name-mapping show -direction win-unix -replacement " "

No entries should be displayed for the users previously blocked.

Troubleshooting

Problem	Try This
Some of the users are not getting restricted, though there is an attack.	1. Make sure that the Data Collector and Agent for the SVMs are in Running state. Workload Security won’t be able to send commands if the Data Collector and Agent are stopped. 2. This is because the user may have accessed the storage from a machine with a new IP which has not been used before. Restricting happens via IP address of the host through which the user is accessing the storage. Check in the UI (Alert Details > Access Limitation History for This User > Affected IPs) for the list of IP addresses which are restricted. If the user is accessing storage from a host which has an IP different from the restricted IPs, then the user will still be able to access the storage through the non-restricted IP. If the user is trying to access from the hosts whose IPs are restricted, then the storage won’t be accessible.
Manually clicking on Restrict Access gives “IP addresses of this user have already been restricted”.	The IP to be restricted is already being restricted from another user.
Policy could not be modified. Reason: not authorized for that command.	Check if using csuser, permissions are given to the user as mentioned above.
User (IP Address) blocking for NFS works, but for SMB / CIFS, I see an error message: “SID to DomainName transformation failed. Reason timeout: socket is not established”	This can happen is csuser does not have permission to perform ssh. (Ensure connection at cluster level, then ensure user can perform ssh). csuser role requires these permissions. https://docs.netapp.com/us-en/cloudinsights/cs_restrict_user_access.html#prerequisites-for-user-access-blocking For csuser with cluster credentials, do the following from the ONTAP command line: security login role create -role csrole -cmddirname "vserver export-policy rule" -access all security login role create -role csrole -cmddirname set -access all security login role create -role csrole -cmddirname "vserver cifs session" -access all security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all security login role create -role csrole -cmddirname "vserver name-mapping" -access all If csuser is not used and if admin user at cluster level is used, make sure that the admin user has ssh permission to ONTAP.
I'm getting the Error Message SID translate failed. Reason:255:Error: command failed: not authorized for that commandError: "access-check" is not a recognized command, when a user should have been blocked.	This can happen when csuser does not have correct permissions. See Prerequisites for User Access Blocking for more information. After applying the permissions, it is recommended to restart the ONTAP data collector and User Directory data collector. The required permission commands are listed below. ---- security login role create -role csrole -cmddirname "vserver export-policy rule" -access all security login role create -role csrole -cmddirname set -access all security login role create -role csrole -cmddirname "vserver cifs session" -access all security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all security login role create -role csrole -cmddirname "vserver name-mapping" -access all ----

Problem

Try This

Some of the users are not getting restricted, though there is an attack.

1. Make sure that the Data Collector and Agent for the SVMs are in Running state. Workload Security won’t be able to send commands if the Data Collector and Agent are stopped.

2. This is because the user may have accessed the storage from a machine with a new IP which has not been used before.
Restricting happens via IP address of the host through which the user is accessing the storage. Check in the UI (Alert Details > Access Limitation History for This User > Affected IPs) for the list of IP addresses which are restricted. If the user is accessing storage from a host which has an IP different from the restricted IPs, then the user will still be able to access the storage through the non-restricted IP. If the user is trying to access from the hosts whose IPs are restricted, then the storage won’t be accessible.

Manually clicking on Restrict Access gives “IP addresses of this user have already been restricted”.

The IP to be restricted is already being restricted from another user.

Policy could not be modified. Reason: not authorized for that command.

Check if using csuser, permissions are given to the user as mentioned above.

User (IP Address) blocking for NFS works, but for SMB / CIFS, I see an error message: “SID to DomainName transformation failed. Reason timeout: socket is not established”

This can happen is csuser does not have permission to perform ssh. (Ensure connection at cluster level, then ensure user can perform ssh). csuser role requires these permissions.

https://docs.netapp.com/us-en/cloudinsights/cs_restrict_user_access.html#prerequisites-for-user-access-blocking

For csuser with cluster credentials, do the following from the ONTAP command line:

security login role create -role csrole -cmddirname "vserver export-policy rule" -access all
security login role create -role csrole -cmddirname set -access all
security login role create -role csrole -cmddirname "vserver cifs session" -access all
security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all
security login role create -role csrole -cmddirname "vserver name-mapping" -access all

If csuser is not used and if admin user at cluster level is used, make sure that the admin user has ssh permission to ONTAP.

I'm getting the Error Message SID translate failed.
Reason:255:Error: command failed: not authorized for that commandError: "access-check" is not a recognized command, when a user should have been blocked.

This can happen when csuser does not have correct permissions. See Prerequisites for User Access Blocking for more information.

After applying the permissions, it is recommended to restart the ONTAP data collector and User Directory data collector. The required permission commands are listed below.

----
security login role create -role csrole -cmddirname "vserver export-policy rule" -access all
security login role create -role csrole -cmddirname set -access all
security login role create -role csrole -cmddirname "vserver cifs session" -access all
security login role create -role csrole -cmddirname "vserver services access-check authentication translate" -access all
security login role create -role csrole -cmddirname "vserver name-mapping" -access all
----