HP CIFS Server Administrator's Guide (5900-1282, April 2011)

10 Securing HP CIFS Server
This chapter describes the network security methods that you can use to protect your HP CIFS
Server. It includes the following sections:
“Security Protection Methods” (page 133)
“Automatically Receiving HP Security Bulletins” (page 136)
Security Protection Methods
HP CIFS Server provides a flexible approach to network security and implements the protocols to
support more secure Microsoft Windows file and print services.
You can secure HP CIFS Server from connections that originate from outside the local network by
using host-based protection. You can also use interface-based exclusion, so that
SMBD binds only to specifically permitted interfaces. It is also possible to set specific share or
resource-based exclusions: for example, you can set a specific denial on the IPC$ share.
You can also set access control entries (ACEs) in an access control list (ACL) on the shares to secure
the HP CIFS Server.
Restricting Network Access
You can use host-based restrictions, interface-based protection, a firewall, or IPC$ share-based
denials to restrict network access and secure your HP CIFS Server. This section describes how to
configure and use these protection methods.
Using Host Restrictions
In many installations, the threat to server security comes from outside the immediate network. By
default, the HP CIFS Server accepts connections from any host, so you might want to set the hosts
allow and hosts deny options in the smb.conf configuration file to only allow access to your
server from a specific range of hosts.
An Example
The following configuration example allows SMB connections only from 'localhost' (your own
computer) and from the two private networks, 192.168.2 and 192.168.3. All other connections
are refused as soon as the client sends its first packet. The refusal message is displayed as a not
listening on called name error:
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
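To check which clients a given hosts allow / hosts deny pair admits before deploying it, the decision can be modeled offline. The following is an added example, not code from the HP guide: the function names are hypothetical, it handles only literal IP addresses and CIDR networks (not hostnames or other list forms), and it assumes the precedence used by Samba, on which HP CIFS Server is based, where a match on the allow list wins over the deny list.

```python
import ipaddress

# Constructed sample: the host restrictions from the example above.
SAMPLE_CONF = """\
[global]
    hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
    hosts deny = 0.0.0.0/0
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf text as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and runs of spaces in the parameter name.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def networks(value):
    """Turn a space- or comma-separated list of IPs/CIDRs into network objects."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]

def is_allowed(params, client):
    """Model the allow/deny decision (assumed: allow list wins over deny list)."""
    addr = ipaddress.ip_address(client)
    allow = networks(params.get("hosts allow", ""))
    deny = networks(params.get("hosts deny", ""))
    if any(addr in net for net in allow):
        return True
    if any(addr in net for net in deny):
        return False
    # On neither list: refused only when an allow list exists with no deny list.
    return not (allow and not deny)

if __name__ == "__main__":
    conf = parse_global(SAMPLE_CONF)
    for ip in ("127.0.0.1", "192.168.2.17", "192.168.4.1", "203.0.113.9"):
        print(ip, "allowed" if is_allowed(conf, ip) else "refused")
```

With no host restrictions configured, the model accepts every address, which matches the default behavior described above.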
Using Interface Protection
By default, the HP CIFS Server accepts connections on any network interface that it finds on your
system. That means that if you have an ISDN line or a PPP connection to the internet, the HP CIFS
Server can accept connections on those links. You can use the interface configuration options
to change the interface behavior.
Interface Protection Example
For example, you can change the interface behavior using the following options:
interfaces = lan* lo0
bind interfaces only = yes
In the above example, the HP CIFS Server listens for connections only on interfaces with a name
starting with lan, such as lan0 and lan1, plus the loopback interface called lo0. The interface name
you need to use depends on what OS you are using. If you use a LAN interface and someone tries to