17.4. File Sharing for Microsoft Networks

A number of protocols are involved in file sharing on Microsoft networks, and you will hear a significant number of names thrown around. The most recent and most standard is the Common Internet File System (CIFS), which is based on Server Message Block (SMB). Officially, CIFS is an SMB-based standard that extends Microsoft's current practice for using SMB; in practical terms, it's simply a new name for SMB. You will also see people refer to file sharing for Microsoft networks as SMB or SMB file sharing. Despite the word "file" in the name, CIFS, like SMB, provides a wide variety of features, not limited to file sharing. These are discussed further in Chapter 14, "Intermediary Protocols".

You'll also see people using terms like "NetBEUI", "NetBIOS", "NetBT", or "LanManager" as if they were file sharing protocols. NetBEUI is a networking protocol used on local area networks; it operates at the same level that IP does. NetBIOS is a higher-level networking protocol originally run on top of NetBEUI. NetBT is a TCP/IP implementation of NetBIOS; a program that uses NetBIOS can use either normal NetBIOS over NetBEUI or NetBT over TCP/IP, without needing to know what's going on. LanManager is an older Microsoft protocol suite, still supported by SMB file sharing and CIFS in compatibility modes. All of these protocols tend to come together: normally, if you run SMB, you also run NetBIOS (in which case you must run either NetBEUI or NetBT), and if you run NetBIOS, you also run SMB, which is why there is so much confusion about which does what. These days, the association is getting looser (in particular, running CIFS directly over TCP/IP is supported in Windows 2000). Figure 17-3 shows the protocol stack normally involved in running CIFS over TCP/IP.

Figure 17-3. The CIFS protocol stack

CIFS file sharing is usually used with other members of a large protocol family and frequently is capable of using multiple different methods of achieving a given end. See Chapter 20, "Naming and Directory Services", for information about WINS and the NetBT Name Service, which are often used with CIFS. Chapter 21, "Authentication and Auditing Services", discusses the user authentication protocols used with CIFS.

It is almost impossible to separate file sharing from the other services supported by SMB. CIFS is not actually a new protocol but simply a new name for a way of using SMB. As such, it provides all the capabilities of SMB, including a number of capabilities that are not normally thought of as part of a filesystem: messaging, print service, and multiple methods of doing general-purpose transaction processing. This makes it much more risky than dedicated file sharing protocols. It is worth noting that although the extra features in CIFS make it more risky than NFS, it does at least usually provide better authentication. CIFS filesystem transactions require the user to authenticate, instead of relying on the client host to provide user identification, the way most NFS servers do. CIFS can also provide message authentication to protect against hijacking. It does not provide data encryption, however.

17.4.1. Samba

The most popular program that provides SMB services on Unix machines is Samba, which is best known for its support of file services. It is an open source program, implemented without Microsoft's cooperation. Because Microsoft does not release details of all of their protocols, Samba is the source of the most detailed information about how SMB and related services actually work, as well as being one of the major tools used for Unix-NT integration.
Historically, Microsoft relied upon their control of SMB clients for some of their security, and SMB servers were highly vulnerable to badly behaved clients (whether these were actively hostile or merely buggy). This led to Microsoft's denouncing Samba, the first widely available client that Microsoft did not control, as a "hacking tool" because it revealed weaknesses that had not previously been important. In fact, this is neither the purpose that Samba was designed for nor its most common use (although it is true that some people have modified Samba source code to use it to attack systems). However, it is nice to note that since Samba became widespread, Microsoft has significantly improved the security of its SMB servers.

The base of Samba is a file server; in order to effectively provide file service from a Unix machine without a Microsoft support structure, it also includes a WINS server and a browser server and is capable of acting as a domain controller to do user authentication. SMB clients are available for Linux and some Unix operating systems, and although they are not actually part of Samba, they are often distributed with Samba.

Samba itself is both more robust and more secure than most SMB file servers. Admittedly, much of its security derives from the fact that it doesn't offer all of the services you would get from an equivalent server on a Microsoft operating system (for instance, there's no need to worry about people using a Samba server to remotely access the Performance Monitor or the User Manager). Most security problems with Samba are caused by the fact that it bridges the Unix and Microsoft worlds and is often managed by people who are naive about one of the two. Samba provides authentication and file service and can give away all of your authentication information and files if you configure it incorrectly, just like any other program that provides these services.
If you configure it poorly, you will not be protected just because it uses Microsoft protocols that are supposed to have well-behaved clients, and you should not blame unfortunate results on either Samba or Microsoft.
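The point about careless configuration can be made concrete. What follows is an added example, not code from this book or from the Samba project: a small audit that reads an smb.conf and flags the settings that most often hand out files or credentials, run against two constructed configurations, one written by someone who only knows the Microsoft side and one with those settings corrected. The parameter names (security, encrypt passwords, hosts allow, interfaces, bind interfaces only, guest ok, read only, valid users) are real Samba options; which combinations are called weak, and the Samba 2.x defaults assumed for missing parameters, are this example's own choices.

```python
"""Audit a Samba smb.conf for settings that give away files or credentials.

Added illustration, not part of the book or of Samba. The two configurations
are constructed for the example; the option names are real Samba options, but
which combinations are flagged is this example's own judgement, and the
defaults assumed for absent options are those of Samba 2.x.
"""
import configparser

# Constructed: share-level security, plaintext passwords, no host restriction,
# a writable guest share and unrestricted home directories.
WEAK_CONF = """
[global]
   workgroup = MYGROUP
   security = share
   encrypt passwords = no

[public]
   path = /export/public
   guest ok = yes
   read only = no

[homes]
   browseable = no
   read only = no
"""

# Constructed: the same shares with the weak settings corrected.
HARDENED_CONF = """
[global]
   workgroup = MYGROUP
   security = user
   encrypt passwords = yes
   hosts allow = 192.168.1. 127.
   interfaces = 192.168.1.10/24
   bind interfaces only = yes

[public]
   path = /export/public
   guest ok = yes
   read only = yes

[homes]
   browseable = no
   read only = no
   valid users = %S
"""


def _yes(value):
    """Samba accepts yes/true/1 (case-insensitive) as a true boolean."""
    return value.strip().lower() in ("yes", "true", "1")


def _writable(share):
    """Samba shares default to read only; several synonyms can override that."""
    if "read only" in share:
        return not _yes(share["read only"])
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return _yes(share[key])
    return False


def audit(text):
    """Return a list of findings, each '[section] message'; empty means clean."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %S literal
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("security", "user").strip().lower() == "share":
        findings.append("[global] security = share: shares are protected by a "
                        "per-share password, not by user authentication")
    if not _yes(g.get("encrypt passwords", "no")):  # Samba 2.x default is no
        findings.append("[global] encrypt passwords = no: clients may send "
                        "plaintext passwords on the network")
    if "hosts allow" not in g:
        findings.append("[global] no hosts allow: any host that can reach the "
                        "server may talk to it")
    if "interfaces" not in g or not _yes(g.get("bind interfaces only", "no")):
        findings.append("[global] server listens on every interface; set "
                        "interfaces and bind interfaces only = yes")
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        guest = _yes(share.get("guest ok", share.get("public", "no")))
        if guest and _writable(share):
            findings.append("[%s] guest ok with write access: anonymous users "
                            "can write to this share" % name)
        if name == "homes" and "valid users" not in share:
            findings.append("[homes] no valid users = %S: any authenticated "
                            "user may connect to any home directory share")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %d finding(s)" % (label, len(audit(conf))))
        for finding in audit(conf):
            print("  " + finding)
```

Run it and the weak configuration produces six findings while the hardened one produces none. The checks are deliberately coarse: Unix file permissions still apply underneath every share, and a real audit would also read what testparm reports, but these are the settings that turn "Microsoft protocols with well-behaved clients" into an assumption rather than a control.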
17.4.2. Distributed File System (Dfs)

Microsoft provides a system called the Distributed File System (Dfs[76]) that provides clients with a unified interface to multiple file servers. A Dfs server exports something that appears to be a standard directory structure but which may contain files from many file servers. Dfs also allows you to have multiple servers with replicas of a file, and have clients balanced between the servers and rerouted if a server fails.

Dfs has been available for some time but is only becoming a standard part of installations in Windows 2000. Dfs is not actually a separate file sharing protocol. Instead, it uses standard file sharing protocols for actual file access (usually, this means CIFS, but a client can use any file sharing protocol it has available). Dfs clients use RPC to get information from a Dfs server about where to look for actual files.

[76] Microsoft appears to prefer the capitalization "Dfs" instead of the more traditional "DFS".
17.4.3. Packet Filtering, Proxying, and Network Address Translation Characteristics of Microsoft File Sharing

Microsoft file sharing is based on CIFS, and the packet filtering, proxying, and network address translation characteristics of CIFS are discussed in Chapter 14, "Intermediary Protocols". Dfs is based on CIFS and on RPC (RPC is also discussed in Chapter 14, "Intermediary Protocols"). Depending on your network and your needs, a full file sharing environment may also require any or all of WINS, the Browser, and domain authentication. WINS and the Browser are discussed in Chapter 20, "Naming and Directory Services", while domain authentication is discussed in Chapter 21, "Authentication and Auditing Services".
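What the stack in Figure 17-3 looks like to a packet filter is worth seeing once, because the two ways of carrying CIFS over TCP/IP mentioned at the start of this section (over NetBT, and directly over TCP/IP) look different on the wire. The following is an added example, not code from this book: it decodes the framing in front of an SMB message and tells the two apart. The details it relies on are not on this page and come from the protocol specifications rather than the text: the NetBT session service header is defined in RFC 1002 and is carried on TCP port 139; direct hosting puts SMB on TCP port 445 behind a 4-byte length prefix with no NetBIOS layer; the NetBIOS name encoding is from RFC 1001; the SMB2 signature is later than this text and is included only so the decoder does not misreport newer traffic. All three sample frames are constructed by hand.

```python
"""Tell NetBT-framed SMB from directly hosted SMB on the wire.

Added illustration, not code from the book. Header layouts are taken from
RFC 1001/1002 (NetBIOS over TCP, port 139) and from Microsoft's direct
hosting of SMB over TCP (port 445); the sample frames are constructed.
"""
import struct

NBSS_TYPES = {
    0x00: "session message",
    0x81: "session request",
    0x82: "positive session response",
    0x83: "negative session response",
    0x84: "retarget session response",
    0x85: "session keepalive",
}
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"  # SMB2/3, later than this text; included for completeness


def encode_netbios_name(name, suffix=0x20):
    """RFC 1001 first-level encoding of a NetBIOS name.

    The name is padded to 15 characters, a one-byte suffix is appended
    (0x20 = file server service, 0x00 = workstation service), and every
    byte is split into two nibbles, each sent as 'A' + nibble. The 32-byte
    result is wrapped in a length byte and a NUL terminator (34 bytes).
    """
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_frame(port, data):
    """Decode one TCP payload carrying SMB on port 139 (NetBT) or 445 (direct).

    Returns the framing layer, the NetBT message type (None for direct
    hosting), the announced length, and the SMB family found at the start of
    the payload (None when it is not SMB, e.g. a NetBT session request, which
    carries NetBIOS names rather than an SMB message).
    """
    if len(data) < 4:
        raise ValueError("frame shorter than the 4-byte header")
    kind, flags, length16 = struct.unpack("!BBH", data[:4])
    if port == 139:
        # RFC 1002 session service: TYPE, FLAGS (bit 0 is a 17th length
        # bit), 16-bit LENGTH, then the session packet body.
        layer = "NetBT session service"
        nbss_type = NBSS_TYPES.get(kind, "unknown 0x%02x" % kind)
        length = length16 | ((flags & 0x01) << 16)
    elif port == 445:
        # Direct hosting: a zero byte, then a 24-bit big-endian length.
        if kind != 0x00:
            raise ValueError("direct-hosted frame must start with 0x00")
        layer = "direct TCP"
        nbss_type = None
        length = (flags << 16) | length16
    else:
        raise ValueError("port %d is not an SMB port" % port)
    if length != len(data) - 4:
        raise ValueError("header announces %d payload bytes, frame carries %d"
                         % (length, len(data) - 4))
    body = data[4:]
    smb = {SMB1_MAGIC: "SMB1", SMB2_MAGIC: "SMB2"}.get(body[:4])
    return {"layer": layer, "nbss_type": nbss_type, "length": length, "smb": smb}


# Constructed samples: a 32-byte SMB1 header for SMB_COM_NEGOTIATE (0x72)
# with every other field zeroed, carried three different ways.
SMB1_NEGOTIATE = SMB1_MAGIC + b"\x72" + bytes(27)

SESSION_REQUEST = (b"\x81\x00" + struct.pack("!H", 68)
                   + encode_netbios_name("FILESRV", 0x20)   # called name
                   + encode_netbios_name("CLIENT1", 0x00))  # calling name
SESSION_MESSAGE = b"\x00\x00" + struct.pack("!H", len(SMB1_NEGOTIATE)) + SMB1_NEGOTIATE
DIRECT_HOSTED = b"\x00" + len(SMB1_NEGOTIATE).to_bytes(3, "big") + SMB1_NEGOTIATE


def classify_samples():
    """Decode the three constructed frames; returns a list of result dicts."""
    return [decode_frame(139, SESSION_REQUEST),
            decode_frame(139, SESSION_MESSAGE),
            decode_frame(445, DIRECT_HOSTED)]


if __name__ == "__main__":
    for result in classify_samples():
        print(result)
```

The practical consequence for a packet filter is that a rule written only for the NetBT ports does not cover a Windows 2000 host that has negotiated direct hosting, and that on port 139 the first packet of a session is a NetBIOS name exchange, not an SMB message, so a filter that inspects for the SMB signature must look past the session request.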