APP.3.3 File Servers
Description
Introduction
A file server is a server in a network that centrally provides files from (internal) hard drives or network drives for all persons and clients with access authorization. The data can be used by those with access rights without, for example, transporting it on removable media or distributing it by email. By storing the data centrally, it can be structured and provided in various directories and files. For file servers, access rights to files can be assigned centrally. Data backup can also be simplified when all information is located in a central place.
A file server typically manages mass storage connected to it via interfaces such as SCSI (Small Computer System Interface) or SAS (Serial Attached SCSI). The storage is either located directly in the file server’s housing or is externally connected, often referred to as Directly Attached Storage (DAS). A file server can be operated on conventional server hardware or a dedicated appliance. For large volumes of data, central Storage Area Network (SAN) storage can often be connected via Host Bus Adapters (HBA) in the server and to SAN switches.
Objective
This building block describes the key threats specific to a file server and the requirements derived from them for secure deployment.
Scope and Modeling
The building block APP.3.3 File Server is to be applied once to each file server in the information domain.
The present building block contains fundamental requirements that must be observed and met when using file servers. General and operating system-specific aspects of a server are not the subject of this building block but are addressed in the building block SYS.1.1 General Server and in the corresponding operating system-specific building blocks in the SYS IT Systems layer, e.g., in SYS.1.3 Servers Running Linux and Unix or SYS.1.2.3 Windows Server. No requirements for network-based storage systems or storage networks are described. These are found in the building block SYS.1.8 Storage Solutions. Also not addressed are dedicated services with which a file server can be operated, such as Samba. The Samba service is addressed in the building block APP.3.4 Samba.
An important focus when securing a file server is assigning access rights to files only restrictively. More extensive requirements for this are found in the building block ORP.4 Identity and Authorization Management. The backup of information stored on a file server is also not addressed in this building block. The requirements of the building block CON.3 Data Backup Concept must be met for this.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used as the basis for describing the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block APP.3.3 File Server.
Failure of a File Server
If a file server fails, the entire information domain can be affected, and thus also important business processes and specialized tasks of the institution. Not only users but also applications may depend on data from the file server in order to function properly. If the availability of data and services is not ensured, deadlines may be missed or essential business processes may be interrupted, for example. If there is also no emergency management concept in place, recovery times can increase further. In many cases this leads to financial losses. Furthermore, the failure can affect other institutions.
Insufficient Sizing of the File Server
If the network connection or the storage capacity of the file server is insufficient, access times can increase or storage bottlenecks can occur. This can, for example, frustrate employees due to longer waiting times, causing them to start storing data locally. It then becomes impossible to trace where data is stored and who holds it. Applications that depend on correct (intermediate) storage of information can also no longer function reliably.
Insufficient Checking of Stored Files
If a file server is insufficiently included in the institution’s malware protection concept, it is possible that malware is stored on the file server undetected. All IT systems and applications that access the data on the file server can become infected with the malware, causing it to spread very quickly throughout the entire institution.
Missing or Insufficient Access Authorization Concept
If access authorizations and shares are not properly designed and assigned, third parties may gain unauthorized access to data. This allows unauthorized persons to modify, delete, or copy data.
Unstructured Data Management
If the storage structure is not specified or if employees do not adhere to it, data can be stored on the file server in a confusing and uncoordinated manner. This leads to various problems, such as wasted storage space because the same file is stored multiple times. Different versions of a file can also exist side by side. Furthermore, unauthorized access is possible if, for example, files are located in directories or file systems that are accessible to third parties.
Loss of Data Stored on File Servers
If a file server completely fails or individual components are defective, important information can be lost without file synchronization or a functioning backup. The same applies when employees inadvertently delete files. If there is also no sufficient redundancy, such as through an appropriate Redundant Array of Independent Disks (RAID), further problems can follow. For example, the failure of a single data medium directly affects ongoing operations, as the files are no longer available.
Ransomware
A special form of malware is ransomware, which encrypts data on infected IT systems. Attackers subsequently demand the payment of a ransom so that the victim can decrypt the data again. However, even after paying a ransom, there is no guarantee that the data can be restored.
Not only the local data of the infected IT system is encrypted. Many forms of ransomware search for network drives with write access, on which all data is also encrypted.
This means that all encrypted information since the last backup can be lost, even if a ransom has been paid. Not only the originally infected IT system would be affected, but also centrally stored information that many IT systems are permitted to access.
Requirements
The following are the specific requirements of the building block APP.3.3 File Server. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is meaningful and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Users |
Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many people SHOULD fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
APP.3.3.A1 DISCONTINUED (B)
This requirement has been discontinued.
APP.3.3.A2 Use of RAID Systems (B)
IT Operations MUST determine whether a RAID system is to be used in the file server. A decision against such a system MUST be documented in a comprehensible manner. If a RAID system is to be used, IT Operations MUST decide:
- which RAID level is to be used,
- how long the time period for a RAID rebuild process may be, and
- whether a software or hardware RAID is to be used.
Hot spare hard drives SHOULD be kept available in a RAID.
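As an added illustration for the decisions listed in A2 (this is example code, not part of the BSI text), the following Python estimate checks a candidate single-parity array against the permitted rebuild window and estimates the chance that a rebuild hits an unrecoverable read error. Disk size, rebuild throughput and the URE rate are assumed example values, not vendor data.

```python
import math

# Assumed example values for illustration only; take real figures from the
# disk datasheets and from a measured rebuild on the actual controller.
DISK_TIB = 12.0            # capacity of one member disk in TiB
REBUILD_MIB_PER_S = 150.0  # sustained rebuild throughput in MiB/s
URE_PER_BIT = 1e-14        # unrecoverable read error rate per bit read


def rebuild_hours(disk_tib: float, mib_per_s: float) -> float:
    """Hours needed to rewrite one disk's worth of data at a sustained rate."""
    mib = disk_tib * 1024 * 1024
    return mib / mib_per_s / 3600


def single_parity_rebuild_failure(n_disks: int, disk_tib: float,
                                  ure_per_bit: float) -> float:
    """Probability that a RAID-5 style rebuild meets at least one URE.

    After one disk has failed, the rebuild must read every surviving disk in
    full; with only single parity, a URE on any of them can no longer be
    corrected.  P(at least one error) = 1 - (1 - p)^bits, computed with
    log1p/expm1 so very small p does not lose precision.
    """
    bits_read = (n_disks - 1) * disk_tib * 2 ** 40 * 8
    return -math.expm1(bits_read * math.log1p(-ure_per_bit))


def assess_plan(n_disks: int, disk_tib: float, max_rebuild_hours: float,
                mib_per_s: float = REBUILD_MIB_PER_S,
                ure_per_bit: float = URE_PER_BIT):
    """Return (rebuild hours, URE risk, findings) for a single-parity plan."""
    hours = rebuild_hours(disk_tib, mib_per_s)
    risk = single_parity_rebuild_failure(n_disks, disk_tib, ure_per_bit)
    findings = []
    if hours > max_rebuild_hours:
        findings.append(f"rebuild of {hours:.1f} h exceeds the permitted "
                        f"window of {max_rebuild_hours:.1f} h")
    if risk > 0.05:
        findings.append(f"{risk:.0%} chance of an unrecoverable read error "
                        "during rebuild; consider double parity or mirroring")
    return hours, risk, findings


if __name__ == "__main__":
    # Four 12 TiB disks with a 12-hour rebuild window decided by IT Operations.
    hours, risk, findings = assess_plan(4, DISK_TIB, max_rebuild_hours=12.0)
    print(f"rebuild: {hours:.1f} h, URE risk: {risk:.1%}")
    for f in findings:
        print("finding:", f)
```

Repeating the estimate with the manufacturer's URE figure for enterprise disks (often specified as 1e-15) shows how strongly the result depends on that one parameter.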
APP.3.3.A3 Use of Anti-Virus Software (B)
All data MUST be checked for malware by an anti-virus program before being stored on the file server.
APP.3.3.A4 DISCONTINUED (B)
This requirement has been discontinued.
APP.3.3.A5 DISCONTINUED (B)
This requirement has been discontinued.
APP.3.3.A15 Planning of File Servers (B)
Before an institution introduces one or more file servers, it SHOULD decide what the file servers are to be used for and what information is to be processed on them. The institution SHOULD plan each function of a file server used, including its security aspects. Workstation computers MUST NOT be used as file servers.
The storage capacity of the file server MUST be adequately sized. Sufficient storage reserves SHOULD also be maintained. Only mass storage designed for continuous operation SHOULD be used. The speed and connection of the mass storage MUST be appropriate for the intended purpose.
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.
APP.3.3.A6 Procurement of a File Server and Selection of a Service (S)
The file server software SHOULD be selected appropriately. The file server service SHOULD support the intended use of the file server, e.g., integration of network drives into clients, streaming of multimedia content, transmission of boot images for diskless IT systems, or file transfer exclusively via FTP. The performance, storage capacity, bandwidth, and number of users using the file server SHOULD be taken into account when procuring the file server.
APP.3.3.A7 Selection of a File System (S)
IT Operations SHOULD create a requirements list against which the file systems of the file server are evaluated. The file system SHOULD meet the institution’s requirements. The file system SHOULD offer a journaling function. It SHOULD also have a protection mechanism that prevents multiple users or applications from writing to a file simultaneously.
APP.3.3.A8 Structured Data Management (S) [Users]
A structure SHOULD be established according to which data is to be stored. Users SHOULD be regularly informed about the required structured data management. Files SHOULD only be stored in a structured manner on the file server. It SHOULD be defined in writing which data may be stored locally and which on the file server. Program data and working data SHOULD be stored in separate directories. The institution SHOULD regularly check whether the requirements for structured data management are being met.
APP.3.3.A9 Secure Storage Management (S)
IT Operations SHOULD regularly check whether the mass storage of the file server is still functioning as intended. Suitable spare storage SHOULD be kept available.
If a storage hierarchy (primary, secondary, or tertiary storage) has been set up, (partially) automated storage management SHOULD be used. If data is distributed automatically, it SHOULD be regularly checked manually to ensure this is functioning correctly.
At a minimum, unauthorized access attempts to files and changes to access rights SHOULD be logged.
APP.3.3.A10 DISCONTINUED (S)
This requirement has been discontinued.
APP.3.3.A11 Use of Storage Quotas (S)
If there are multiple users on the file server, IT Operations SHOULD consider setting up restrictions on storage space for individual users (quotas). Alternatively, mechanisms of the file or operating system used SHOULD be utilized to warn users when a certain fill level of the hard drive is reached, or in this case to grant write access only to IT Operations.
APP.3.3.A14 Use of Error-Correcting Codes (S)
IT Operations SHOULD use an error-detecting or error-correcting file system. Sufficient storage space SHOULD be kept available for this. IT Operations SHOULD note that, depending on the method used, errors can only be detected with a certain probability and can only be corrected within a limited scope.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered when there is a high protection need. The specific determination takes place in the context of an individual risk analysis.
APP.3.3.A12 Encryption of Data Holdings (H)
The mass storage of the file server SHOULD be encrypted at the file system or hardware level. If hardware encryption is used, products SHOULD be used whose encryption function has been certified. It SHOULD be ensured that the anti-virus software can check the encrypted data for malware.
APP.3.3.A13 Replication Between Sites (H)
For highly available file servers, appropriate replication of the data on multiple mass storage devices SHOULD take place. Data SHOULD also be replicated between independent file servers located at independent sites. For this, IT Operations SHOULD select a suitable replication mechanism. To ensure that replication can function as intended, sufficiently accurate time services SHOULD be used and operated.
Additional Information
Good to Know
No further information is available for the building block APP.3.3 File Server.