Distributed File System and security

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Aside from granting the necessary permissions, the Distributed File System (DFS) service does not implement any additional security measures beyond what the Windows Server 2003 family provides. The permissions assigned to a DFS root or DFS link determine who can add a new DFS link.

Permissions to a target are not related to the DFS topology. For example, suppose there is a DFS link named MarketingDocs and you have appropriate permissions to access a particular target to which MarketingDocs points. In this case, you can access all other targets in the set of targets, regardless of whether you have permissions to access those other targets. However, having permission to access these targets does determine whether you have access to any of the information within the targets. Such access is determined by standard Windows Server 2003 family security controls.

In summary, security is enforced by the underlying file system when a user tries to access a target and its contents. Thus, a FAT volume provides share-level security on files, while an NTFS volume provides full Windows Server 2003 family security. To maintain security, you should use NTFS and file sharing permissions to secure any shared folders used by DFS so that only authorized users can access them.
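Because the file system, not DFS, enforces access, the ACL on every target of a link has to be reviewed separately. The following PowerShell sketch is an added example, not part of the original documentation: it reads the NTFS ACL of each target and reports allow entries that give broad groups write-level rights. The UNC paths, the function name, and the choice of which groups count as broad are assumptions, and share permissions are not covered and need a separate check.

```powershell
# Hypothetical targets of one DFS link; replace with the targets of your own links.
$Targets = @(
    '\\fs01.example.test\MarketingDocs',
    '\\fs02.example.test\MarketingDocs'
)

# Well-known SIDs treated as "broad" in this example (an assumption, adjust to policy).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow changing data or permissions, plus GENERIC_WRITE / GENERIC_ALL bits.
$WriteBits = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

function Get-BroadTargetGrant {
    param([string[]]$Path)
    foreach ($p in $Path) {
        try {
            $acl = Get-Acl -Path $p -ErrorAction Stop
        } catch {
            # Report unreadable targets instead of silently skipping them.
            New-Object PSObject -Property @{
                Target = $p; Principal = $null; Rights = $null
                Finding = "ACL unreadable: $($_.Exception.Message)"
            }
            continue
        }
        # Ask for SIDs so the match does not depend on localized group names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            $isAllow = $r.AccessControlType -eq 'Allow'
            $canWrite = ([int]$r.FileSystemRights -band $WriteBits) -ne 0
            if ($isAllow -and $canWrite -and $BroadSids.ContainsKey($sid)) {
                New-Object PSObject -Property @{
                    Target = $p; Principal = $BroadSids[$sid]
                    Rights = $r.FileSystemRights
                    Finding = 'Broad group has write-level NTFS rights'
                }
            }
        }
    }
}

Get-BroadTargetGrant -Path $Targets | Format-Table Target, Principal, Rights, Finding -AutoSize
```

Run it against every target in the set, because a permissive ACL on any one replica exposes the same content the others protect.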

For more information on setting permissions, see Securing shared resources. For security recommendations for DFS, see Best practices for Distributed File System (DFS).