Skip to main content
本繁體中文版使用機器翻譯,譯文僅供參考,若與英文版本牴觸,應以英文版本為準。

設定集中存取原則、以保護CIFS伺服器上的資料安全

貢獻者

您必須採取幾個步驟、才能使用集中存取原則來保護CIFS伺服器上的資料存取安全、包括在CIFS伺服器上啟用動態存取控制(DAC)、在Active Directory中設定集中存取原則、將集中存取原則套用至含GPO的Active Directory容器、 並在CIFS伺服器上啟用GPO。

開始之前
  • Active Directory必須設定為使用集中存取原則。

  • 您必須對Active Directory網域控制器擁有足夠的存取權限、才能建立集中存取原則、以及建立GPO並套用至包含CIFS伺服器的容器。

  • 您必須對儲存虛擬機器(SVM)擁有足夠的管理存取權限、才能執行必要的命令。

關於這項工作

集中存取原則會定義並套用至Active Directory上的群組原則物件(GPO)。如需設定集中存取原則和GPO的相關指示、請參閱Microsoft TechNet資源庫。

步驟
  1. 如果 SVM 尚未使用啟用動態存取控制、請在 SVM 上啟用動態存取控制 vserver cifs options modify 命令。

    vserver cifs options modify -vserver vs1 -is-dac-enabled true

  2. 如果尚未使用啟用群組原則物件( GPO )、請在 CIFS 伺服器上啟用這些物件 vserver cifs group-policy modify 命令。

    vserver cifs group-policy modify -vserver vs1 -status enabled

  3. 在Active Directory上建立集中存取規則和集中存取原則。

  4. 建立群組原則物件(GPO)、在Active Directory上部署集中存取原則。

  5. 將GPO套用至CIFS伺服器電腦帳戶所在的容器。

  6. 使用手動更新套用至 CIFS 伺服器的 GPO vserver cifs group-policy update 命令。

    vserver cifs group-policy update -vserver vs1

  7. 使用確認 GPO 中央存取原則已套用至 CIFS 伺服器上的資源 vserver cifs group-policy show-applied 命令。

    下列範例顯示預設網域原則有兩個套用至CIFS伺服器的集中存取原則:

    vserver cifs group-policy show-applied

    Vserver: vs1
    -----------------------------
        GPO Name: Default Domain Policy
           Level: Domain
          Status: enabled
      Advanced Audit Settings:
          Object Access:
              Central Access Policy Staging: failure
      Registry Settings:
          Refresh Time Interval: 22
          Refresh Random Offset: 8
          Hash Publication Mode for BranchCache: per-share
          Hash Version Support for BranchCache: all-versions
      Security Settings:
          Event Audit and Event Log:
              Audit Logon Events: none
              Audit Object Access: success
              Log Retention Method: overwrite-as-needed
              Max Log Size: 16384
          File Security:
              /vol1/home
              /vol1/dir1
          Kerberos:
              Max Clock Skew: 5
              Max Ticket Age: 10
              Max Renew Age:  7
          Privilege Rights:
              Take Ownership: usr1, usr2
              Security Privilege: usr1, usr2
              Change Notify: usr1, usr2
          Registry Values:
              Signing Required: false
          Restrict Anonymous:
              No enumeration of SAM accounts: true
              No enumeration of SAM accounts and shares: false
              Restrict anonymous access to shares and named pipes: true
              Combined restriction for anonymous user: no-access
          Restricted Groups:
              gpr1
              gpr2
      Central Access Policy Settings:
          Policies: cap1
                    cap2
    
        GPO Name: Resultant Set of Policy
           Level: RSOP
      Advanced Audit Settings:
          Object Access:
              Central Access Policy Staging: failure
      Registry Settings:
          Refresh Time Interval: 22
          Refresh Random Offset: 8
          Hash Publication Mode for BranchCache: per-share
          Hash Version Support for BranchCache: all-versions
      Security Settings:
          Event Audit and Event Log:
              Audit Logon Events: none
              Audit Object Access: success
              Log Retention Method: overwrite-as-needed
              Max Log Size: 16384
          File Security:
              /vol1/home
              /vol1/dir1
          Kerberos:
              Max Clock Skew: 5
              Max Ticket Age: 10
              Max Renew Age:  7
          Privilege Rights:
              Take Ownership: usr1, usr2
              Security Privilege: usr1, usr2
              Change Notify: usr1, usr2
          Registry Values:
              Signing Required: false
          Restrict Anonymous:
              No enumeration of SAM accounts: true
              No enumeration of SAM accounts and shares: false
              Restrict anonymous access to shares and named pipes: true
              Combined restriction for anonymous user: no-access
          Restricted Groups:
              gpr1
              gpr2
      Central Access Policy Settings:
          Policies: cap1
                    cap2
    2 entries were displayed.