File Protections on DFS

2011/06/27 by ITSRM

These subsidiary rules to Operational Circular N°5 are for users of the DFS file system.

At CERN, owners of any kind of data (e.g. files, documents, Web pages), including users of file services, must protect their data from anonymous read and/or write access (see below for a definition of "anonymous").

DFS Data Protection Policy

In order to protect DFS data, the following access controls (ACLs) must be applied to all user folders hosted on DFS. Here, "HOME" is the path to the home folder of a particular user or his workspace (i.e. "\\cern.ch\dfs\User\NAME" or "\\cern.ch\dfs\Workspaces\NAME").

  1. For all anonymous users, the default ACLs of the folder "\\cern.ch\dfs\HOME" must not be more permissive than "List"/"Traverse" rights;
  2. For all anonymous users, the default ACLs of "\\cern.ch\dfs\HOME\Public" and all its sub-folders must not be more permissive than either combined "List"/"Read"/"Traverse" or "Create"/"List"/"Traverse"/"Write" rights;
  3. For all anonymous users, the default ACLs of any other folder (e.g. "Contacts", "Desktop", "Favorites", "Links", "My Documents", ...) must not assign any rights;
  4. For all anonymous users, the default ACLs of any folder must not allow for simultaneous "Write" and "Read" rights.

It follows from these rules that all information intended to be widely public must be stored in the "\\cern.ch\dfs\HOME\Public" folder.

However, the data owner (i.e. the user) is still ultimately responsible for the proper ACLs of his folders and files. The DFS service is supposed to assist him with this, but holds no responsibility.

Definition of "anonymous"

Access to a file or folder is defined to be "anonymous" when the group of people permitted such access can be potentially very large. For DFS, permissions for one or more of the following access control groups are considered to be "anonymous users":

Everyone
Authenticated Users Users
[DeviceName]\Users
CERN\Domain Admins
NT Authority\*
ANONYMOUS LOGON
CREATOR OWNER
SYSTEM
S-15* (retired SIDs)

However, the user [DeviceName]\Administrators should always be granted full access to the data in order to perform proper back-ups.
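The four rules and the "anonymous" definition above can be evaluated mechanically; the following is an added example, not part of the original rules and not CERN's own tooling. It assumes each folder's ACL has already been exported as a mapping from group name to the set of rights named as on this page; the function names, the device name PC01 and the sample ACLs are constructed for illustration.

```python
import fnmatch
from pathlib import PureWindowsPath

# Groups the page defines as "anonymous". Assumptions: "[DeviceName]" is modelled
# as a wildcard, and the "Authenticated Users Users" line is read as two groups.
ANONYMOUS = ["Everyone", "Authenticated Users", "Users", "*\\Users",
             "CERN\\Domain Admins", "NT Authority\\*", "ANONYMOUS LOGON",
             "CREATOR OWNER", "SYSTEM", "S-15*"]
READ_ONLY = {"List", "Read", "Traverse"}            # rule 2, first combination
DROP_BOX = {"Create", "List", "Traverse", "Write"}  # rule 2, second combination

def is_anonymous(principal):
    name = principal.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in ANONYMOUS)

def check_folder(home, folder, acl):
    """Return the rule numbers (1-4) that `acl` violates for `folder`.
    acl maps a group name to the set of rights, named as on the page."""
    rel = PureWindowsPath(folder).relative_to(PureWindowsPath(home)).parts
    broken = set()
    for principal, rights in acl.items():
        if not rights or not is_anonymous(principal):
            continue
        if {"Read", "Write"} <= rights:               # rule 4: any folder
            broken.add(4)
        if not rel:                                   # rule 1: HOME itself
            if not rights <= {"List", "Traverse"}:
                broken.add(1)
        elif rel[0].lower() == "public":              # rule 2: Public subtree
            if not (rights <= READ_ONLY or rights <= DROP_BOX):
                broken.add(2)
        else:                                         # rule 3: no rights at all
            broken.add(3)
    return sorted(broken)

def audit(home, acls):
    """Map each non-compliant folder to the rules it breaks."""
    return {f: v for f, a in acls.items() if (v := check_folder(home, f, a))}

HOME = r"\\cern.ch\dfs\User\NAME"   # path form from the page, NAME is a placeholder
SAMPLE_ACLS = {                      # constructed ACLs, not real data
    HOME: {"Everyone": {"List", "Traverse"}, r"PC01\Administrators": {"Full"}},
    HOME + r"\Public": {"Authenticated Users": {"List", "Read", "Traverse"}},
    HOME + r"\Public\Inbox": {"Everyone": {"Create", "List", "Traverse", "Write"}},
    HOME + r"\Public\Shared": {"Everyone": {"List", "Read", "Write"}},
    HOME + r"\Desktop": {r"NT Authority\INTERACTIVE": {"List"}},
}

if __name__ == "__main__":
    for folder, rules in audit(HOME, SAMPLE_ACLS).items():
        print(folder, "violates rule(s)", rules)
```

The write-only "Inbox" folder passes because it matches the second combination in rule 2, while "Shared" mixes the two combinations and so breaks both rule 2 and rule 4.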

More Information

The IT/OIS SharePoint site provides detailed descriptions of DFS ACLs and of best practices for managing permissions.