
CERN Computer Security Information

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript"> $(document).ready(function(){ // Menu highlight var path = location.pathname.split("/"); if ( path ) { $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected'); // path[3] = /security/<xxxxx>/ $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected'); } // Add icon to external links $('a[id!=logo-img]').filter(function() { return this.hostname && this.hostname !== location.hostname;   }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>'); }); </script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width=335 src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a 
href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main">
<a name="File Protections on DFS"></a><h2>File Protections on DFS</h2>
<em class="titledate"><a href="https://indico.cern.ch/conferenceDisplay.py?confId=121512">2011/06/27 by ITSRM</a></em>
<p>These subsidiary rules to <a href="http://cern.ch/security/rules/en/OC5_english.pdf">Operational Circular N&deg;5</a> are for users of the DFS file system.</p>
<p>At CERN, <b>owners of any kind of data (e.g. files, documents, Web pages), including users of file services, must protect their data from anonymous read and/or write access</b> (see <a href="#l1">below</a> for a definition of "anonymous").</p>
<h4>DFS Data Protection Policy</h4>
<p>In order to protect DFS data, the following access control lists (ACLs) must be applied to all user folders hosted on DFS. Here, "<tt>HOME</tt>" is the path to the home folder or workspace of a particular user (i.e. "<tt>\\cern.ch\dfs\User\NAME</tt>" or "<tt>\\cern.ch\dfs\Workspaces\NAME</tt>").</p>
<ol>
<li>For all anonymous users, the default ACLs of the folder "<tt>\\cern.ch\dfs\HOME</tt>" must not be more permissive than "<tt>List</tt>"/"<tt>Traverse</tt>" rights;</li>
<li>For all anonymous users, the default ACLs of "<tt>\\cern.ch\dfs\HOME\Public</tt>" and all its sub-folders must not be more permissive than either the combined "<tt>List</tt>"/"<tt>Read</tt>"/"<tt>Traverse</tt>" rights or the combined "<tt>Create</tt>"/"<tt>List</tt>"/"<tt>Traverse</tt>"/"<tt>Write</tt>" rights;</li>
<li>For all anonymous users, the default ACLs of any other folder (e.g. "Contacts", "Desktop", "Favorites", "Links", "My Documents", ...) must not assign any rights;</li>
<li>For all anonymous users, the default ACLs of any folder must not allow simultaneous "<tt>Write</tt>" and "<tt>Read</tt>" rights.</li>
</ol>
<p>From these rules it follows that all information intended to be widely public must be stored in the "<tt>\\cern.ch\dfs\HOME\Public</tt>" folder.</p>
<!--p><b>These rules are automatically enforced on a regular basis by the DFS service for all "user" and "workspace" folders</b>, unless the actual settings are more restrictive than the aforementioned defaults. If adaptations have to be made, the corresponding users will be notified afterwards by the DFS service.</p-->
<p>However, the data owner (i.e. the user) remains ultimately responsible for the proper ACLs on his folders and files. The DFS service is there to assist with this, but bears no responsibility.</p>
<h4><a name="l1"></a>Definition of "anonymous"</h4>
<p>Access to a file or folder is defined to be "anonymous" when the group of people permitted such access is potentially very large. For DFS, permissions granted to one or more of the following access control groups are considered to be "anonymous users":</p>
<code>
Everyone<br>
Authenticated Users<br>
Users<br>
[DeviceName]\Users<br>
CERN\Domain Admins<br>
NT Authority\*<br>
ANONYMOUS LOGON<br>
CREATOR OWNER<br>
SYSTEM<br>
S-15* (retired SIDs)
</code>
<p>However, the local <tt>[DeviceName]\Administrators</tt> group should always be granted full access to the data so that proper back-ups can be performed.</p>
<h4>More Information</h4>
<p>The IT/OIS SharePoint site provides detailed descriptions of <a href="https://espace.cern.ch/winservices-help/NICESecurityAndAntivirus/NICESecurityHowTo/Pages/ManagingACLSettingPermssion.aspx">DFS ACLs</a> and of <a href="https://espace.cern.ch/winservices-help/NICESecurityAndAntivirus/NICESecurityHowTo/Pages/Permisson-BestPractice.aspx">best practices for managing permissions</a>.</p>
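<p>The four rules above, together with the list of "anonymous" groups, can be checked mechanically. The following PowerShell audit is an added example and is not code from CERN or from the DFS service: it walks a DFS home or workspace folder, classifies every folder as <tt>HOME</tt>, <tt>Public</tt> (or a sub-folder of it) or "other", and reports each Allow entry for an anonymous group that breaks rule 1, 2, 3 or 4, plus any folder where <tt>[DeviceName]\Administrators</tt> lacks Full Control. It assumes that the folder is reachable as a UNC path such as <tt>\\cern.ch\dfs\User\NAME</tt>, that "default ACLs" means the Allow entries on each folder including inheritable ones, that the anonymous groups can be recognised by their resolved names (the regular expressions and the reading of "S-15*" as unresolved SIDs are assumptions; matching by well-known SID would be more robust), and that the page's <tt>List</tt>/<tt>Traverse</tt>/<tt>Read</tt>/<tt>Create</tt>/<tt>Write</tt> correspond to the NTFS <tt>FileSystemRights</tt> bits given in the script. The function names are hypothetical. The script only reports; it changes nothing.</p>

```powershell
# Added example (not CERN's or the DFS service's code): read-only audit of a DFS
# home/workspace folder against the four anonymous-access rules of this page.
Set-StrictMode -Version Latest

# Groups the page treats as "anonymous", matched by resolved name (assumption).
$AnonymousPatterns = @(
    '^Everyone$'
    '^NT AUTHORITY\\'           # Authenticated Users, ANONYMOUS LOGON, SYSTEM, NT Authority\*
    '(^|\\)Users$'              # Users, [DeviceName]\Users
    '^CERN\\Domain Admins$'
    '^CREATOR OWNER$'
    '^S-1-5-'                   # unresolved SIDs; assumed meaning of the page's "S-15* (retired SIDs)"
)

# Assumed mapping of the page's right names onto NTFS FileSystemRights bits.
$ListTraverseMask = [int][System.Security.AccessControl.FileSystemRights]'ListDirectory, Traverse, ReadAttributes, ReadPermissions, Synchronize'
$WriteMask        = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes'
$DangerousMask    = [int][System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$ReadDataBit      = [int][System.Security.AccessControl.FileSystemRights]::ReadData   # same bit as ListDirectory
$FullControlMask  = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$ObjectInherit    = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

function Test-AnonymousPrincipal([string]$Identity) {
    foreach ($pattern in $AnonymousPatterns) { if ($Identity -match $pattern) { return $true } }
    return $false
}

function Get-DfsAclViolations {
    # $HomePath rather than $HOME: $HOME is an automatic variable in PowerShell.
    param([Parameter(Mandatory)][string]$HomePath)   # e.g. \\cern.ch\dfs\User\NAME

    $HomePath   = $HomePath.TrimEnd('\')
    $publicPath = Join-Path $HomePath 'Public'
    $folders    = @(Get-Item -LiteralPath $HomePath) + @(Get-ChildItem -LiteralPath $HomePath -Directory -Recurse)
    $violations = New-Object System.Collections.Generic.List[object]

    foreach ($dir in $folders) {
        $path = $dir.FullName.TrimEnd('\')
        $zone = if ($path -eq $HomePath) { 'Home' }
                elseif ($path -eq $publicPath -or $path.StartsWith($publicPath + '\', 'OrdinalIgnoreCase')) { 'Public' }
                else { 'Private' }
        $adminFullControl = $false

        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries never widen access
            $id     = $ace.IdentityReference.Value
            $rights = [int]$ace.FileSystemRights                    # negative => generic (unmapped) rights
            if ($id -match '\\Administrators$' -and ($rights -band $FullControlMask) -eq $FullControlMask) { $adminFullControl = $true }
            if (-not (Test-AnonymousPrincipal $id)) { continue }

            # ReadData/ListDirectory share one bit: it means "Read" only when the ACE is inherited by files.
            $toFiles = ($ace.InheritanceFlags -band $ObjectInherit) -ne 0
            $read    = $toFiles -and (($rights -band $ReadDataBit) -ne 0)
            $write   = ($rights -band $WriteMask) -ne 0
            $extra   = ($rights -band -bnot $ListTraverseMask) -ne 0             # anything beyond List/Traverse
            $danger  = $rights -lt 0 -or ($rights -band $DangerousMask) -ne 0    # delete, permissions, ownership, generic bits

            $problem = switch ($zone) {
                'Home'    { if ($extra -or $read) { 'rule 1: HOME grants more than List/Traverse to an anonymous group' } }
                'Public'  { if ($danger) { 'rule 2: Public grants more than Read or Create/Write to an anonymous group' } }
                'Private' { 'rule 3: non-Public folder grants rights to an anonymous group' }
            }
            if (-not $problem -and $read -and $write) { $problem = 'rule 4: simultaneous Read and Write for an anonymous group' }
            if ($problem) {
                $violations.Add([pscustomobject]@{ Folder = $path; Identity = $id; Rights = $ace.FileSystemRights; Problem = $problem })
            }
        }
        if (-not $adminFullControl) {
            $violations.Add([pscustomobject]@{ Folder = $path; Identity = '[DeviceName]\Administrators'; Rights = 'missing'; Problem = 'Administrators lack Full Control (needed for back-ups)' })
        }
    }
    return $violations
}

# Usage (read-only; the script changes nothing):
#   Get-DfsAclViolations -HomePath '\\cern.ch\dfs\User\NAME' | Format-Table -AutoSize
```

<p>Rule 4 is evaluated for every zone, so a <tt>Public</tt> drop-box folder (Create/List/Traverse/Write) passes only if its anonymous entries are not also inherited by files with <tt>ReadData</tt>; a folder that grants both is reported once, under whichever rule fires first. Entries whose rights mask is negative carry generic access bits that the named masks cannot classify, so they are flagged for manual review rather than silently accepted.</p>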
</div> <!-- main ends --> <!-- SIDEBAR --> <!-- sidebar menu starts --> <div id="sidebar"> <h3>CERN Computing Rules</h3> <ul class="sidemenu"> <li><a href="/rules/en/OC5_english.pdf">Operational Circular Nº5</a></li> <li><a href="/rules/en/oc5_aims.shtml">Aims of OC5</a></li> <li><a href="/rules/en/CERN_Cybersecurity_Policy_v1.2.pdf">Cybersecurity Policy</a></li> <li><a href="/rules/en/CERN_CSO_Mandate_v1.1.pdf">Mandate of the CSO</a></li> <li><a href="/home/en/CERN/liaisons.shtml">Departmental & Experiment Liaisons</a></li> <li><a href="/rules/en/csb.shtml">Computer Security Board</a></li> </ul> <h3>OC5 Subsidiary Rules</h3> <ul class="sidemenu"> <li><a href="/rules/en/ept.shtml">Endpoints</a></li> <li><a href="/rules/en/iaa.shtml">Identities, Authentication & Authorization</a></li> <li><a href="/rules/en/ops.shtml">IT Service Operations</a></li> <li><a href="/rules/en/net.shtml">Networking</a></li> <li><a href="/rules/en/dev.shtml">Software Development & Configuration</a></li> <li><a href="/rules/en/swr.shtml">Software Restrictions</a></li> <!--li><a href="/rules/en/accounts.shtml">Computer accounts</a></li--> <li><a href="/rules/en/data_access_by_thirds.shtml">Third party access to users' accounts and data </a></li> <!--li><a href="/rules/en/network.shtml">Using the network</a></li--> <li><a href="/rules/en/webcams.shtml">Using webcams</a></li> </ul> <h3>Security Principles</h3> <ul class="sidemenu"> <li><a href="/rules/en/containers.shtml">...for Containers</a></li> <li><a href="/rules/en/software-development.shtml">...for Software Developments</a></li> <li><a href="/rules/en/web-applications.shtml">...for Web-Applications</a></li> <li><a href="/rules/en/baselines.shtml">Security Baselines</a> (deprecated)</li> </ul> <h3>Other Useful Information</h3> <ul class="sidemenu"> <li><a href="/rules/en/glossary.shtml">Glossary</a></li> <li><a href="https://cern.service-now.com/service-portal?id=functional_element&name=it-cloud-licence">CERN Cloud License 
Office</a></li> <li><a href="https://data-governance.docs.cern.ch/">CERN Data Governance</a></li> <li><a href="https://odpp.web.cern.ch/">CERN Office of Data Privacy Protection</a></li> <li><a href="https://cern.service-now.com/service-portal?id=functional_element&name=it-Licence-Office">CERN Software License Office</a></li> </ul> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> &copy; Copyright 2025<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>
