Haven’t thought about the C$ share since the days of 7-Mode, but I’ve been doing some housekeeping and perhaps discovered or relearned that volumes mounted into the namespace are accessible by Domain Admins through this share. What would be the best approach for denying Domain Admins access to volumes such as vmware datastores with unix security, mounted over NFS, and Oracle databases configured the same?
# Limiting Domain Admins...
I think these shares are needed if you manage the filer through MMC? And best practice has always been to not use Share Security but instead put the proper ACLs on the files/directories beneath the shares. So I wouldn't bother with those C$ shares.
also, you probably shouldn't mix NFS for VMware datastores and CIFS for regular users in the same SVM 🙂
I mean you can totally just delete the C$ shares like any other share, but this might impact various Windows workflows (seeing open files on the shares through MMC, creating users' homedirs through the GUI, things like that)
You said a mouthful with "also, you probably shouldn't mix NFS for VMware datastores and CIFS for regular users in the same SVM." So, an SVM for Active Directory/SMB clients, an SVM for VMWare datastores, one for Oracle databases, and another for iSCSI SQL databases, etc?
Absolutely! My minimum svm separation is on protocol.
indeed. NFS/CIFS can coexist on the same SVM, but you should only do that for user data like home shares and NFS shares, things that users access directly (through their Win/Linux/Mac clients), not shared with VMware datastores, Hyper-V shares, Oracle DBs on NFS etc.
Thanks Martijn and Darkstar!
+1 on SVM per protocol
I think it should be mentioned that the domain admins are added to the Administrators group of your CIFS config (for MMC usage etc.). So not only can they access all shares, but also administrate shares and permissions on all shares. Our company best practice is to remove that access as well.
cifs users-and-groups local-group remove-members -group-name "BUILTIN\Administrators" -member-names "Contoso\Domain Admins" -vserver SVM-NAME
Domain Admins can always add themselves to any group that administers the filer, so it's only a very minimal threshold you're adding, but I also remove the default
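An added audit script for the point made in the last two posts (it is not from the thread or from NetApp): it checks whether Domain Admins are still a member of the SVM's BUILTIN\Administrators group and prints the ONTAP remediation command from the thread for review instead of running it. The ONTAP `show-members` output is a constructed sample in the script's offline mode; `--live` assumes SSH access to a cluster management LIF and the placeholder names CLUSTER, SVM and DOMAIN_ADMINS, which you would replace with your own.

```shell
#!/bin/sh
# Audit BUILTIN\Administrators on an ONTAP SVM for Domain Admins membership.
# Added example, not code from the thread. Placeholders below are assumptions.

CLUSTER="${CLUSTER:-cluster-mgmt.example.invalid}"      # placeholder management LIF
SVM="${SVM:-SVM-NAME}"                                   # placeholder SVM name
DOMAIN_ADMINS="${DOMAIN_ADMINS:-Contoso\\Domain Admins}" # placeholder AD group
GROUP='BUILTIN\Administrators'

# Constructed sample of what `show-members` prints when Domain Admins are still
# in the group (layout approximated; not captured from a real cluster).
SAMPLE_OUTPUT='Vserver    Group Name              Members
---------- ----------------------- ------------------------
SVM-NAME   BUILTIN\Administrators  Contoso\Domain Admins
                                   SVM-NAME\Administrator'

# Constructed sample after the remove-members command has been applied.
CLEAN_OUTPUT='Vserver    Group Name              Members
---------- ----------------------- ------------------------
SVM-NAME   BUILTIN\Administrators  SVM-NAME\Administrator'

# Pure check: does the captured output list the given member? (exit 0 = yes)
# Fixed-string, case-insensitive so the backslash in "Contoso\Domain Admins"
# is matched literally.
domain_admins_present() {
    _out="$1"; _member="$2"
    printf '%s\n' "$_out" | grep -qiF -- "$_member"
}

# Count listed members so you know who remains with admin rights after cleanup
# (header and separator lines are skipped; continuation lines count as members).
member_count() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# The remediation command quoted in the thread, emitted for review (dry run).
remediation_cmd() {
    printf 'cifs users-and-groups local-group remove-members -group-name "%s" -member-names "%s" -vserver %s\n' \
        "$GROUP" "$DOMAIN_ADMINS" "$SVM"
}

# Live fetch via SSH (only used with --live; requires reachable cluster).
fetch_members() {
    ssh "admin@$CLUSTER" \
        "vserver cifs users-and-groups local-group show-members -vserver $SVM -group-name \"$GROUP\""
}

main() {
    if [ "$1" = "--live" ]; then
        out="$(fetch_members)"
    else
        out="$SAMPLE_OUTPUT"   # offline demo on the constructed sample
    fi
    if domain_admins_present "$out" "$DOMAIN_ADMINS"; then
        echo "FINDING: $DOMAIN_ADMINS is a member of $GROUP on $SVM"
        echo "Remaining members listed: $(member_count "$out")"
        echo "Suggested remediation (review before running on the cluster):"
        remediation_cmd
    else
        echo "OK: $DOMAIN_ADMINS not found in $GROUP on $SVM"
    fi
}

main "$@"
```

Run it with no arguments to see the check against the constructed sample, or with `--live` to audit a real SVM over SSH; the script never modifies the cluster, it only prints the remove-members command for a human to run.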