Planning Cluster Security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When planning to secure clustered file servers, follow these guidelines:

  • After you create a folder by using Windows Explorer, verify that the Cluster service account has the Read permission on the folder so that you can share the folder properly by using Cluster Administrator. (Do not share the folder by using Windows Explorer.)

  • Use Cluster Administrator to set share permissions. If you change file share permissions using Windows Explorer or My Computer, instead of using Permissions on the Parameters tab in Cluster Administrator, the permissions are lost when the resource is taken offline.

    Note

    When you set file share permissions by using Cluster Administrator, the default permissions give the Everyone group the Read permission. When you set file share permissions by using Cluster.exe, the Everyone group has the Full Control permission.

  • To secure File Share resources on the local server, use Windows Explorer to assign NTFS permissions on the physical folder, because share permissions apply only when users connect to the clustered file server across the network.

  • Do not assign NTFS permissions to local groups on clustered file servers. These permissions will have no meaning when the clustered disk resource is moved to another server. Therefore, always assign permissions to a domain local group.

  • By default, access to cluster file shares is disabled to anonymous users. To allow anonymous access to specific file shares, you can either enable Kerberos V5 authentication on the Network Name resource that is associated with the file share or you can change the local security policy setting. For more information about configuring these Kerberos properties, see "Enable Kerberos authentication for virtual servers" in Help and Support Center for Windows Server 2003.

  • When you create File Share resources by using the Share Subdirectories option, the subdirectories inherit the permissions of the parent. If you are using the subdirectories as user folders, and you want to allow only the user and administrator to access the folder, set NTFS permissions on each subfolder.

  • To enable EFS on a clustered file server, you must perform some steps to configure the environment correctly. These steps are described in "Create a cluster-managed encrypted file share" in Help and Support Center for Windows Server 2003.
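The guideline against assigning NTFS permissions to local groups can be checked on the node that currently owns the disk. The following PowerShell script is an added example, not part of the original documentation: the folder path `F:\Shares\Users` and the function name `Get-AceScope` are hypothetical, and it assumes Windows PowerShell 2.0 or later is installed on the node.

```powershell
# Added example: classify each NTFS ACE on a clustered folder by where its
# principal is defined, to find entries that lose meaning after failover.
param(
    # Hypothetical folder on the clustered disk; replace with your own path.
    [string]$Path = 'F:\Shares\Users'
)

function Get-AceScope {
    param([string]$Identity, [string]$NodeName)

    # Get-Acl returns the raw SID when it cannot resolve the account, for
    # example a local group that was created on a different node.
    if ($Identity -match '^S-1-5-21-') { return 'UnresolvedSid' }

    $parts = $Identity -split '\\', 2
    if ($parts.Count -lt 2) { return 'WellKnown' }           # e.g. Everyone

    if ($parts[0] -ieq $NodeName)      { return 'NodeLocal' }    # in this node's SAM
    if ($parts[0] -ieq 'BUILTIN')      { return 'BuiltinLocal' } # membership is per node
    if ($parts[0] -ieq 'NT AUTHORITY') { return 'WellKnown' }
    return 'Domain'   # anything else is treated as a domain principal
}

$acl = Get-Acl -Path $Path
$report = foreach ($ace in $acl.Access) {
    $id = $ace.IdentityReference.Value
    New-Object PSObject -Property @{
        Scope     = (Get-AceScope -Identity $id -NodeName $env:COMPUTERNAME)
        Identity  = $id
        Type      = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

# Full listing first, then a warning for the entries that should be
# replaced with domain local groups.
$report | Sort-Object Scope |
    Format-Table Scope, Identity, Type, Rights, Inherited -AutoSize

$bad = @($report | Where-Object { 'NodeLocal', 'UnresolvedSid' -contains $_.Scope })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} ACE(s) on {1} reference node-local or unresolved principals." -f $bad.Count, $Path)
}
```

Running it again after moving the disk resource to another node shows the effect the guideline describes: entries reported as `NodeLocal` on the first node appear as `UnresolvedSid` on the second.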

For more information about server cluster security, see "Best practices for securing server clusters" in Help and Support Center for Windows Server 2003.