What is the explanation of the cifs.restrict_anonymous option and its effects on null user access?
Applies to
Data ONTAP
Answer
The NetApp Support Center receives calls frequently regarding security vulnerability scans that show a vulnerability regarding null user sessions. In particular, this vulnerability shows that a null user was successfully able to connect to the IPC$ share on the filer.
This KB explains which options you can alter to change null user access and includes screenshots of the results you should see under each specific Data ONTAP option setting.
Before making any changes in your environment, ensure you thoroughly test the impact of the changes on not just the filer but external applications that rely on the filer.
Data ONTAP, in an effort to behave more like a Windows server with respect to null user session access, implemented the restrict_anonymous options described in this article. Depending on the version of Data ONTAP running on your filer, different options and settings are available to you. This article goes over the various options that control null user access to the filer via the Common Internet File System protocol (CIFS).
- Data ONTAP versions prior to 7.2.5.1
The option available to you has only two settings:
Filer> options cifs.restrict_anonymous.enable <on|off>
When the option is set to off, a null user connection to the filer is allowed and the enumeration of shares presented on your filer will succeed. Turning the option to on will allow a null user to map to the filer but will deny the enumeration of shares.
Below are several screen shots that will go over what you should see based on each option setting:
1. Setting cifs.restrict_anonymous.enable to off
2. Setting cifs.restrict_anonymous.enable to on
When set to off, it does not restrict any null user access. Both the map via net use and the share listing via net view work without denying access.
When set to on, it defaults to the Windows restrictanonymous setting of 1 (Do not allow enumeration.....). This will allow the null user to connect via net use but will deny the enumeration of shares via net view. Both of these results are the expected responses; however, there is no outright denial of null user access. Later versions of ONTAP, as explained below, more closely match the behavior and settings available in a Windows server environment.
- Data ONTAP 7.2.5.1 and later
Starting in 7.2.5.1, ONTAP introduced the ability to set restrict anonymous settings that mimic those of a Windows environment. When attempting to restrict the abilities of the anonymous user, you can set a new option on the filer to one of three different values depending on your needs. The option and its settings are:
Filer> options cifs.restrict_anonymous <0|1|2>
Possible values for this option are:
0 - No special restrictions
1 - Enumeration is restricted
2 - Access is fully restricted
The older option cifs.restrict_anonymous.enable is still present but has been deprecated and should not be used. If you attempt to use the deprecated option, it will affect the setting of cifs.restrict_anonymous.
For more information, see the KB article What is the difference between the deprecated options command "cifs.restrict_anonymous.enable" and "cifs.restrict_anonymous"? to see what can happen when you toggle the deprecated option on 7.2.5.1 and later.
Below are several screen shots that will go over what you should see based on each option setting:
1. Setting cifs.restrict_anonymous to 0:
2. Setting cifs.restrict_anonymous to 1:
3. Setting cifs.restrict_anonymous to 2:
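As an added example (not from NetApp or this KB), the following Python audit helper turns the output of options cifs.restrict_anonymous from either ONTAP generation into the null user behaviour described above, so that you can see before a scan whether a null user can still map IPC$ or enumerate shares. The sample output lines are constructed, and the "name value" line format is an assumption; real output may differ by release.

```python
import re
from dataclasses import dataclass

# Constructed sample output of `options cifs.restrict_anonymous` on a 7-Mode
# filer (line format "name value" is assumed; real output may differ by release).
SAMPLE_OUTPUT_NEW = "cifs.restrict_anonymous      1\ncifs.restrict_anonymous.enable on\n"
SAMPLE_OUTPUT_OLD = "cifs.restrict_anonymous.enable off\n"
# Null-user behaviour per level, as described in this KB (0 - no restrictions,
# 1 - enumeration restricted, 2 - fully restricted): (IPC$ connect, share listing).
BEHAVIOUR = {0: (True, True), 1: (True, False), 2: (False, False)}

@dataclass(frozen=True)
class NullUserPosture:
    level: int                 # effective cifs.restrict_anonymous level
    ipc_connect_allowed: bool  # can a null user map IPC$ via net use?
    enumeration_allowed: bool  # can a null user list shares via net view?
    source: str                # which option decided the level

def parse_options(text: str) -> dict:
    """Parse 'name value' lines from `options` output into a dict."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(cifs\.\S+)\s+(\S+)", line)
        if m:
            opts[m.group(1)] = m.group(2).lower()
    return opts

def effective_posture(text: str) -> NullUserPosture:
    """Derive the effective null-user posture; the newer option wins if present."""
    opts = parse_options(text)
    if "cifs.restrict_anonymous" in opts:           # 7.2.5.1 and later
        level, source = int(opts["cifs.restrict_anonymous"]), "cifs.restrict_anonymous"
    elif "cifs.restrict_anonymous.enable" in opts:  # prior to 7.2.5.1: on == level 1
        level = 1 if opts["cifs.restrict_anonymous.enable"] == "on" else 0
        source = "cifs.restrict_anonymous.enable"
    else:
        raise ValueError("no restrict_anonymous option found in output")
    if level not in BEHAVIOUR:
        raise ValueError(f"unexpected value {level} for {source}")
    connect, listing = BEHAVIOUR[level]
    return NullUserPosture(level, connect, listing, source)

def findings(text: str) -> list:
    """Findings a vulnerability scanner would typically report for this posture."""
    p = effective_posture(text)
    out = []
    if p.ipc_connect_allowed:
        out.append(f"null user can connect to IPC$ ({p.source} gives level {p.level})")
    if p.enumeration_allowed:
        out.append(f"null user can enumerate shares ({p.source} gives level {p.level})")
    return out
```

Note that level 1 (or the deprecated option set to on) still leaves the IPC$ finding in place; only level 2 clears both findings.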
Additional Information
Related links:
System Administration Guide and the File Access and Protocols Management Guide for your respective version of Data ONTAP.
TR-3649: Best Practices for Secure Configuration of Data ONTAP 7G