Security Strategy

Dfs does not enforce access control lists (ACLs) on the Dfs namespace, Dfs roots, or Dfs links beyond what is enforced by the underlying physical storage. When a user gains access to a file or folder through a Dfs namespace, therefore, the only ACLs that apply are those that are in place on the destination shared folder. Standard Windows 2000 share, folder, and file permissions apply at the final destination.

If a user does not have sufficient permissions for a shared folder at an intermediate point in the Dfs namespace, that folder appears empty to the user.

Because permissions are applied on the underlying shares, files, and folders, Windows 2000 guidelines must be used to apply the ACLs. In most cases, avoid using individual accounts and use Windows 2000 groups instead to specify the ACLs.

Remember that if you have replicas set up for a Dfs link, you must ensure that the ACLs that are applied to the physical resources are the same for all replicas. If you use FRS to synchronize replica content, the file ACLs are replicated automatically as well.
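The replica requirement above is easy to break silently once a replica is re-created or its host's parent folder permissions change. The following script is an added example, not part of the original text: it reads the NTFS DACL of each replica target of one Dfs link (as SDDL) and reports any item whose security descriptor differs from the first replica. It assumes the targets are reachable as UNC paths from an administrative workstation that has PowerShell; the paths in the usage call are constructed placeholders.

```powershell
# Added example: compare the security descriptors of all replica targets of a
# Dfs link so that users get identical access whichever replica the Dfs client
# chooses. Only NTFS ACLs are read here; share-level permissions on each host
# must be checked separately.
function Get-RelativeAcls {
    param([Parameter(Mandatory)][string]$Root, [switch]$Recurse)
    $root = $Root.TrimEnd('\')
    $map = @{}
    # The replica root itself (relative name ''), then optionally everything under it
    $map[''] = (Get-Acl -LiteralPath $root).Sddl
    Get-ChildItem -LiteralPath $root -Recurse:$Recurse -Force | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length)
        $map[$rel] = (Get-Acl -LiteralPath $_.FullName).Sddl
    }
    return $map
}

function Compare-ReplicaAcl {
    param(
        [Parameter(Mandatory)][string[]]$Paths,   # UNC paths of the replicas of one Dfs link
        [switch]$Recurse                          # also compare every file and subfolder
    )
    $reference = Get-RelativeAcls -Root $Paths[0] -Recurse:$Recurse
    $findings = @()
    foreach ($replica in ($Paths | Select-Object -Skip 1)) {
        $other = Get-RelativeAcls -Root $replica -Recurse:$Recurse
        # Union of item names so that items missing from either replica are reported too
        $items = @($reference.Keys) + @($other.Keys) | Sort-Object -Unique
        foreach ($rel in $items) {
            if ($reference[$rel] -ne $other[$rel]) {
                $findings += [pscustomobject]@{
                    Replica       = $replica
                    Item          = if ($rel) { $rel } else { '<root>' }
                    ReferenceSddl = if ($reference[$rel]) { $reference[$rel] } else { '<missing>' }
                    ReplicaSddl   = if ($other[$rel]) { $other[$rel] } else { '<missing>' }
                }
            }
        }
    }
    return $findings
}

# Constructed placeholder paths; replace with the real replica targets of the link.
$replicas = '\\fs1.example.test\Projects', '\\fs2.example.test\Projects'
Compare-ReplicaAcl -Paths $replicas -Recurse | Format-Table -AutoSize
```

Inherited entries from each host's parent folder appear in the SDDL as well, so a difference reported at `<root>` often points at the parent directory on one of the servers rather than at the share itself. An empty result means every compared item carries the same owner, group, and DACL on all replicas.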

As an administrator, you must be a member of the Domain Admins global group to administer a domain-based Dfs namespace. For a stand-alone Dfs namespace, you need only be an administrator for the server hosting it. There is no finer level of granularity for administering Dfs. Note that to add a shared folder to a Dfs link in a Dfs namespace, you do not need explicit permissions to that shared folder. Of course, any users who want access to that replica would require the necessary permissions.

Because a domain-based Dfs namespace exists at a domain level and because you must be a member of the Domain Admins group to administer a Dfs namespace, Dfs administration falls into a model of centralized administration. However, even if Dfs namespaces are centrally administered, the actual shared folders can be administered in whatever manner is appropriate for the enterprise. Dfs administration does not affect the administrative model for the underlying shared folders; either centralized or distributed administration of the shared folders works equally well.