File Protections on DFS

2011/06/27 by ITSRM

These subsidiary rules to Operational Circular N°5 are for users of the DFS file system.

At CERN, owners of any kind of data (e.g. files, documents, Web pages), including users of file services, must protect their data from anonymous read and/or write access (see below for a definition of "anonymous").

DFS Data Protection Policy

In order to protect DFS data, the following access controls (ACLs) must be applied to all user folders hosted on DFS. Here, "HOME" is the path to the home folder of a particular user or his workspace (i.e. "\\cern.ch\dfs\User\NAME" or "\\cern.ch\dfs\Workspaces\NAME").

1. For all anonymous users, the default ACLs of the folder "\\cern.ch\dfs\HOME" must not be more permissive than "List"/"Traverse" rights;
2. For all anonymous users, the default ACLs of "\\cern.ch\dfs\HOME\Public" and all its sub-folders must not be more permissive than either combined "List"/"Read"/"Traverse" or "Create"/"List"/"Traverse"/"Write" rights;
3. For all anonymous users, the default ACLs of any other folder (e.g. "Contacts", "Desktop", "Favorites", "Links", "My Documents", ...) must not assign any rights;
4. For all anonymous users, the default ACLs of any folder must not allow for simultaneous "Write" and "Read" rights.

From these rules follows that all information supposed to be widely public must be stored in the "\\cern.ch\dfs\HOME\Public" folder.

However, the data owner (i.e. the user) is still ultimately responsible for the proper ACLs of his folders and files. The DFS service is supposed to assist with this, but holds no responsibility.

Definition of "anonymous"

Access to a file or folder is defined to be "anonymous" when the group of people permitted such access can be potentially very large. For DFS, permissions for one or more of the following access control groups are considered to be "anonymous users":

Everyone
Authenticated Users Users
[DeviceName]\Users
CERN\Domain Admins
NT Authority\*
ANONYMOUS LOGON
CREATOR OWNER
SYSTEM
S-15* (retired SIDs)

However, the user [DeviceName]\Adminitrators should always be granted full access to the data in order to perform proper back-ups.

More Information

The IT/OIS Sharepoint site provides detailed descriptions of DFS ALCs and on best practices to manage permissions.

CERN Computing Rules

• Operational Circular Nº5
• Aims of OC5
• Personal use policy
• Violation of rules

OC5 Subsidiary Rules & Guidelines

• Computer accounts
• Data Handling Policy
• Data Retention Policy
• Outer Perimeter Firewall Openings
• Properly destroying data
• Protecting files on AFS, DFS and EOS
• Running Windows PCs
• Security Baselines
• Social Media Guidelines
• Third party access to users' accounts and data
• Using file services
• Using the e-mail service
• Using the network
• Using webcams

Software Restrictions

• OTP Generators
• TeamViewer
• VPNs and other overlay networks

Other Useful Information

• Licensing CERN Software
• Office of Data Privacy Protection
• Open Hardware Repository

© Copyright 2024 CERN Computer Security Team

e-mail: Computer.Security@cern.ch Please use the following PGP key to encrypt your messages: ID: 0x954CE234B4C6ED84 429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84

Phone: +41 22 767 0500 Please listen to the recorded instructions.