- Notes, cautions, and warnings
- Preface
- Introduction
- Access Control
- Access control settings
- Security for management access
- Authentication
- Authorization
- Component access controls
- Data security settings
- Password policy
- Physical security controls
- Login banner and message of the day
- Logging
- Communication Security
- Communication security settings
- Port usage
- Ports used by Unisphere components on VNX for block
- How VNX for file works on the network
- Network encryption
- Management support for TLS communications on VNX2 systems
- SSL certificates
- Planning considerations for Public Key Infrastructure on VNX for file
- IP packet reflect on VNX for file systems
- Effect of filtering management network
- vSphere Storage API for Storage Awareness (VASA) support
- Special configurations
- Secure Remote Procedure Call
- Other security considerations
- Data Security Settings
- Data at Rest Encryption overview
- Data at Rest Encryption feature activation
- Encryption status
- Backup keystore file
- Data in place upgrade
- Hot spare operations
- Adding a disk drive to a VNX with encryption activated
- Removing a disk drive from a VNX with encryption enabled
- Replacing a chassis and SPs from a VNX with encryption enabled
- Security Maintenance
- Advanced Management Capabilities
- Secure deployment and usage settings
- TLS cipher suites
- LDAP-based directory server configuration
- VNX for file CLI role-based access
- VNX for file CLI security configuration operations
- Configuring password policy
- Configuring session timeout
- Protect session tokens
- Configuring network encryption and authentication using the SSL protocol
- Configuring PKI
- Creating the certificate provided by the persona
- Using the Control Station as the CA
- Obtaining CA certificates
- Generate a key set and certificate request
- Send the certificate request to the CA
- Import a CA-signed certificate
- List the available CA certificates
- Acquire a CA certificate
- Import a CA certificate
- Generate a new Control Station CA certificate
- Display the certificate
- Distribute the Control Station CA certificate
- Request and Install Customer-Supplied Certificates for Control Station
- Managing PKI
- Customize a login banner
- Create a MOTD
- Restrict anonymous root login
- Locking accounts after a specific number of failed logins
- VNX for block SSL certificate import
EMC® VNX® Series Security Configuration Guide for VNX
VNX for file CIFS network services
When CIFS network services are enabled on VNX for file and configured to work with an existing Windows infrastructure (for example, Microsoft's Active Directory), a broad set of network services (and their corresponding ports) must be enabled. Some of these ports (137, 138, and 139 on the Data Mover) exist to support the older Windows systems (Windows NT and earlier). Other ports are used to communicate with an Active Directory server to authenticate users or receive Group Policy Object (GPO) configuration directives.
Typically, network traffic is authenticated based on the existing standards set by Microsoft practices. Access to shares, files, and directories is authenticated by using Active Directory credentials. However, there is a great deal of control over how CIFS users are authenticated. This is described in detail in a variety of documents on VNX for file management. In particular, the following documents provide useful information:
- Configuring and Managing CIFS on VNX
- Managing a Multiprotocol Environment on VNX
These documents are particularly useful if files and directories are going to be made simultaneously available to both CIFS and NFS users.
Besides the standard, Kerberos-based, Active Directory authentication approach for CIFS in Windows 2000 and 2003 environments, VNX for file also supports NTLMv2 for Windows NT environments and UNIX and share-level passwords. The latter two methods are not recommended; they exist to support very specialized environments. The documentation about configuring CIFS outlines their use.
A recommended method to segregate several CIFS environments within the same physical Data Mover is to use Virtual Data Movers (VDMs). A VDM is a VNX for file software feature that enables administrators to group file systems and NFS and CIFS servers into virtual containers. Each VDM can support many CIFS/NFS points of presence. A single VDM contains DNS, LDAP, and/or NIS user domain. If your environment calls for multiple and isolated AD domains, a separate VDMs for each domain should be used. Configuring Virtual Data Movers on VNX provides details about VDM concepts and management techniques.
Management of the VNX for file CIFS services requires a two-pronged approach. The initial provisioning to create volumes, file systems, and shares is performed from the VNX for file Control Station (by using either the command line interface or the Unisphere software graphical user interface). However, you must use Windows management tools to set the security attributes of shares. This is consistent with most customers' request to integrate into the traditional Windows workflow or management infrastructure.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\