Provide user-level security
With Server for NFS, you can control access by users and groups to
network file system (NFS) resources. To enable this, you must
install Server for NFS Authentication on the primary and backup
domain controllers of all domains containing users to whom you want
to provide access. (If you do not use Server for NFS
Authentication, all users will access NFS resources as anonymous
users.) You must also install User Name Mapping on one computer in
your network to associate Windows user accounts with UNIX user
accounts.
Secure files
All files shared through Server for NFS should be located on drives
formatted for the NTFS file system. This allows you to provide
file-level security. Also, when you share a directory through
Server for NFS, make sure that directory and file permissions
provide appropriate access control for anonymous users. In
addition, when sharing the directory, use host-level access control
to provide an additional level of security to protect the files in
the directory.
Secure new drives
When you add a new drive to a computer running Server for NFS, be
sure to modify the permissions protecting the root directory of the
drive to ensure that Everybody and other untrusted users cannot
write to the directory. This will prevent untrusted users from
being able to compromise Server for NFS security protecting shared
directories on the drive.
Allow users to disconnect before stopping the service
Before you stop Server for NFS or uninstall it, notify users who
are connected to NFS shares that you are about to stop the
service. You can then stop the service after the users have had the
opportunity to close open files and disconnect from shared
directories.
Use naming conventions to identify shares with EUC encoding
If a directory is shared with one type of Extended UNIX Code (EUC)
encoding (such as EUC-JP), and a client configured to use a
different EUC encoding (such as EUC-TW) attempts to connect to the
shared directory, unexpected results can occur. To prevent this,
establish a naming convention to use when sharing directories with
EUC encoding so users of client computers can know how shared
directories are encoded.
Protect configuration files
If you create configuration files (such as a character translation
file or an audit log file), be sure to protect them with a
discretionary access control list (DACL) that grants Full Control
to the built-in System account and to the Administrators group. The
DACL should contain no other entries.
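
The following PowerShell function is an added example, not part of the original guidance or of Server for NFS. It checks that a configuration file's DACL holds only Full Control entries for the built-in System account and the Administrators group, and can reset it to that state. The function name and the sample path are hypothetical.

```powershell
# Added example: audit (and optionally reset) the DACL on a configuration file.
# The function name and the path in the usage line are hypothetical.
function Test-ConfigFileDacl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Fix
    )
    # Well-known SIDs, so the check does not depend on the OS display language.
    $allowed = @(
        'S-1-5-18'       # built-in System account
        'S-1-5-32-544'   # built-in Administrators group
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl     = Get-Acl -LiteralPath $Path
    # Explicit and inherited entries, with identities returned as SIDs.
    $rules   = @($acl.GetAccessRules($true, $true, $sidType))

    $problems = @()
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'inheritance enabled: parent entries can flow into the DACL'
    }
    foreach ($r in $rules) {
        $sid = $r.IdentityReference.Value
        if ($sid -notin $allowed) {
            $problems += "extra entry: $sid ($($r.AccessControlType), $($r.FileSystemRights))"
        } elseif ($r.AccessControlType -ne 'Allow' -or $r.FileSystemRights -ne $full) {
            $problems += "$sid is not Allow/FullControl"
        }
    }
    foreach ($sid in $allowed) {
        if ($sid -notin $rules.IdentityReference.Value) { $problems += "missing entry: $sid" }
    }

    if ($Fix -and $problems) {
        $acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited entries
        foreach ($r in @($acl.GetAccessRules($true, $false, $sidType))) {
            $acl.RemoveAccessRuleSpecific($r)         # remove every explicit entry
        }
        foreach ($sid in $allowed) {
            $id = New-Object System.Security.Principal.SecurityIdentifier $sid
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, 'Allow')))
        }
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    $problems   # empty output means the DACL already matched
}
# Usage (placeholder path): Test-ConfigFileDacl -Path 'D:\nfs-config\translation.txt' -Fix
```

Run it from an elevated session. Without `-Fix` it only reports deviations, so it can be scheduled as a periodic check.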