Export (0) Print
Expand All

NFS: Anonymous access should be disabled

Published: April 27, 2010

Updated: February 2, 2011

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the File Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

 

Operating System

Windows Server 2008 R2

Product/Feature

File Services

Severity

Warning

Category

Security

Anonymous access is enabled on a Network File System (NFS) share.

Anonymous users can access the share, which could be a security risk because the users could view files they shouldn't have permission to view. If write access is enabled, anonymous users could place viruses or other malicious software on the share.

Disable anonymous access and use an identity mapping solution such as Active Directory Domain Services (AD DS), Active Directory Lightweight Directory Services (AD LDS), User Name Mapping Service, or any RFC2307-based solution.

By default, Services for NFS does not allow anonymous users to access a shared directory. When you share a directory, you can select the option to allow anonymous access to the directory.

Membership in the local Administrators group, or equivalent, on the server that you plan to configure, is the minimum required to complete these procedures.

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type: nfsshare –o anon=nosharename

  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. To display and configure identity mapping settings, type: nfsadmin mapping

  3. Do one of the following:

    • To configure identity mapping settings for a User Name Mapping server, type: nfsadmin mapping config maplookup=yes mapsvr=computer

    • To configure identity mapping settings for an LDAP server, type: nfsadmin mapping config adlookup=yes addomain=domainname

Allow Root and Anonymous Access to Resources by NFS Clients (http://technet.microsoft.com/en-us/library/cc753808.aspx)

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft