NFS: Anonymous access should be disabled

Updated: February 2, 2011

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the File Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2

Product/Feature: File Services

Severity: Warning

Category: Security

Issue

Anonymous access is enabled on a Network File System (NFS) share.

Impact

Anonymous users can access the share, which could be a security risk because the users could view files they shouldn't have permission to view. If write access is enabled, anonymous users could place viruses or other malicious software on the share.

Resolution

Disable anonymous access and use an identity mapping solution such as Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), User Name Mapping Service, or any RFC2307-based solution.

By default, Services for NFS does not allow anonymous users to access a shared directory. When you share a directory, you can select the option to allow anonymous access to the directory.

Membership in the local Administrators group, or equivalent, on the server that you plan to configure, is the minimum required to complete these procedures.

To disable anonymous access on a share

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type: nfsshare -o anon=no sharename (where sharename is the alias of the NFS share).

To configure Services for NFS to use an identity mapping source

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. To display and configure identity mapping settings, type: nfsadmin mapping

  3. Do one of the following:

    • To configure identity mapping settings for a User Name Mapping server, type: nfsadmin mapping config maplookup=yes mapsvr=computer

    • To configure identity mapping settings for an LDAP server, type: nfsadmin mapping config adlookup=yes addomain=domainname
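The two procedures above are typed one share at a time. The following PowerShell script is an added example, not part of the original article or of Services for NFS itself: it audits a list of shares for anonymous access, optionally applies the same nfsshare -o anon=no fix the article gives, and then enables AD DS identity mapping with nfsadmin mapping config adlookup=yes. The only assumption beyond the commands on this page is the shape of the output of nfsshare sharename, which is assumed to print one setting per line with a line mentioning the anonymous-access setting; if that line is not found the script warns instead of guessing. The domain name is a placeholder you must supply.

```powershell
<#
  Added example (not from the original article). Audits Services for NFS shares
  on Windows Server 2008 R2 for anonymous access and, with -Remediate, applies the
  article's fixes: "nfsshare -o anon=no <share>" and
  "nfsadmin mapping config adlookup=yes addomain=<domain>".
  ASSUMPTION: "nfsshare <share>" prints settings one per line, including a line
  that names the anonymous-access setting and a yes/no value. The parser below
  is written against that assumed format and warns if it does not match.
  Run from an elevated PowerShell prompt (local Administrators membership required).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string[]] $ShareName,      # NFS share alias(es) to audit
    [string]   $AdDomain,       # AD DS domain for identity mapping (placeholder, supply your own)
    [switch]   $Remediate       # without this switch the script only reports
)

function Get-NfsShareAnonymousState {
    param([string] $Name)
    # nfsshare <share> prints the share's current settings (format assumed, see header).
    $lines = & nfsshare $Name 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "nfsshare failed for '$Name': $($lines -join ' ')"
    }
    $anonLine = $lines | Where-Object { $_ -match 'anon' } | Select-Object -First 1
    if (-not $anonLine) {
        Write-Warning "No anonymous-access setting found in nfsshare output for '$Name'; inspect it manually."
        return $null
    }
    # Any standalone 'yes' on the anonymous-access line means anonymous access is enabled.
    return [bool]($anonLine -match '\byes\b')
}

foreach ($name in $ShareName) {
    $anonEnabled = Get-NfsShareAnonymousState -Name $name
    if ($null -eq $anonEnabled) { continue }
    if (-not $anonEnabled) {
        Write-Output "$name : anonymous access already disabled"
        continue
    }
    Write-Warning "$name : anonymous access ENABLED"
    if ($Remediate -and $PSCmdlet.ShouldProcess($name, 'nfsshare -o anon=no')) {
        & nfsshare -o anon=no $name | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "nfsshare -o anon=no failed for '$name'" }
        # Re-read the share so the change is confirmed rather than assumed.
        if (Get-NfsShareAnonymousState -Name $name) {
            throw "$name : anonymous access still reported as enabled after remediation"
        }
        Write-Output "$name : anonymous access disabled"
    }
}

# Once anonymous access is off, NFS clients need a UID/GID-to-Windows-account mapping;
# the article's AD DS variant of that is nfsadmin mapping config adlookup=yes.
if ($Remediate -and $AdDomain -and $PSCmdlet.ShouldProcess($AdDomain, 'nfsadmin mapping config adlookup=yes')) {
    & nfsadmin mapping config adlookup=yes addomain=$AdDomain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'nfsadmin mapping config failed' }
    # Print the resulting mapping configuration for the change record.
    & nfsadmin mapping
}
```

Run it first without -Remediate to get a report, then with -Remediate -WhatIf to see which commands would be issued, for example .\Audit-NfsAnonymous.ps1 -ShareName share1,share2 -Remediate -AdDomain PLACEHOLDER-DOMAIN -WhatIf. The re-read after nfsshare -o anon=no is the check a Best Practices Analyzer rescan would otherwise be needed for.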

Additional references

Allow Root and Anonymous Access to Resources by NFS Clients (https://technet.microsoft.com/en-us/library/cc753808.aspx)