Publishers of technology books, eBooks, and videos for creative people

Home > Articles > Apple > Operating Systems

  • Print
  • + Share This
  • 💬 Discuss

Controlling Access to Shared Folders

In many cases, you won’t want everyone to have access to your file services. There are a few simple steps that can be followed to greatly increase the security of your file server.

Reduce the Number of File-Sharing Services

First and foremost is reducing the number of services itself. Every service that’s running on your server represents a potential point of entry for an unwanted visitor. Reducing the number of services on your server will also reduce this risk. For example, if you have only Mac OS X computers connecting to your server, you probably don’t need the SMB or FTP services running. Similarly, if you’re only providing services to Windows computers, the AFP and FTP services likely won’t be used and can be stopped. In most cases, the FTP service should only be used when you need to provide access to the broadest set of computers external to your organization.

Remove Guest Access for Every Share Point

The next thing to consider is guest access. If you are sharing files only with members of your organization who have accounts on your server, or if everyone is bound to the same directory server, you should consider removing guest access. Remember that there are a few places you can set this. Follow these steps to remove guest access for every protocol on every share point:

  1. Open Server Admin and connect to your server.
  2. Click the File Sharing button in the toolbar.
  3. Click the Share Points button just below the toolbar.
  4. Select a share point.
  5. Click the Share Points pane in the bottom half of the window.
  6. Click the Protocol Options button.

    A dialog will appear with options for each of the protocol options that apply to that share.

  7. For each protocol, deselect “Allow guest access.”
  8. Click OK.
  9. Click Save.
  10. Repeat for every share point on your server.

Remove Guest Access for Each Protocol

Remove guest access for each protocol itself. Though disabling guest access for each share point, or for the entire protocol itself, will accomplish what you’re looking for, it’s best to disable it in both places to minimize the risk of reactivation.

  1. In Server Admin, click the AFP service in the left column.
  2. Click the Settings button in the toolbar.
  3. Click the Access tab.
  4. Deselect “Enable Guest access.”
  5. Click Save.
  6. Repeat the same steps for the FTP and SMB services.

Set Up SACLs

Review who has access to connect to each of your file-sharing services. This access is controlled through the use of SACLs, a topic described in more detail in Chapter 2, “Authenticating and Authorizing Accounts.” SACLs require explicit permission to connect to your file server. Each user, or a group the user belongs to, will need to be registered as being allowed to use a given service. You can set up SACLs using these steps:

  1. In Server Admin, select your server name in the left column.
  2. Click Access in the toolbar.
  3. Select the services you wish to restrict.
  4. Determine which users and/or groups should have access to that service.
  5. Click Save.

Once complete, review the file system permissions on the folders that are your share points. The permissions of the folders that are your share points will control what share points are listed on the client when they connect to your server. In many cases, you should also review the permissions of the enclosed folders because a larger group will often have access to the share point than will have access to all of its subfolders.

  • + Share This
  • 🔖 Save To Your Account

Discussions

comments powered by Disqus