Cornell University

Access Basics

This article applies to: Shared File Services

  • Access to SFS shares will be restricted to on-campus IP addresses (including VPN).
  • SMB (also known as CIFS) shares are authenticated using the Cornell Active Directory (AD) domain and can be presented through Cornell AD’s DFS namespace.
    • CIFS volumes have an inherited, recursive ACL for the Cornell AD group you specify for “administrative” purposes as “(OI)(CI)F”.
    • End-users should be in different (non-administrative) Cornell AD groups.
    • End-users should never be granted “Full Control”.
    • The “everyone” group is removed.
    • SFS administrators have no ACLs on your volume.
    • All SMB events (read, create, rename, etc.) are audited on SMB shares.
  • NFS shares can be restricted to a list of explicit servers, as defined by the customer when submitting a request (or change) for an NFS share.
  • HIPAA and high-risk (L1/confidential) shares utilize encryption for data-in-flight. Data is not encrypted at-rest on SFS.
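
The SMB ACL rules above can be checked against a share's actual permissions. The following is an added example, not part of the original page or any Cornell tooling: it parses the text printed by the Windows `icacls` command and reports departures from those rules. The server, share and group names are hypothetical, the sample output is constructed, and flagging every non-administrative principal that holds Full Control is this example's reading of the end-user rule.

```python
import re

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}  # icacls inheritance markers

def parse_icacls(path, text):
    """Parse `icacls <path>` output into (principal, flags, rights) tuples."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):          # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = re.match(r"^(.+?):((?:\([^)]*\))*[A-Z,]*)$", line)
        if not m:
            continue                       # blank line or "Successfully processed" summary
        # Accept both "(OI)(CI)(F)" (icacls output) and "(OI)(CI)F" (as written on this page).
        tokens = {t for a, b in re.findall(r"\(([^)]*)\)|([A-Z,]+)", m.group(2))
                  for t in (a or b).split(",") if t}
        if tokens:
            aces.append((m.group(1), tokens & INHERIT_FLAGS, tokens - INHERIT_FLAGS))
    return aces

def audit(aces, admin_group):
    """Return findings where the ACL departs from the rules listed on this page."""
    admin, findings = admin_group.casefold(), []
    # An allow ACE for the admin group with object and container inheritance and F.
    if not any(who.casefold() == admin and {"OI", "CI"} <= flags and "F" in rights
               and "DENY" not in rights for who, flags, rights in aces):
        findings.append(f"{admin_group}: missing inherited (OI)(CI)F entry")
    for who, flags, rights in aces:
        name = who.casefold()
        if name.split("\\")[-1] == "everyone":
            findings.append(f"{who}: the 'everyone' group should be removed")
        elif "F" in rights and "DENY" not in rights and name != admin:
            findings.append(f"{who}: Full Control outside the administrative group")
    return findings

# Constructed sample; the server, share and group names are hypothetical.
PATH = r"\\sfs.example.edu\dept-share"
ADMIN = r"EXAMPLE\dept-sfs-admins"
SAMPLE = r"""\\sfs.example.edu\dept-share EXAMPLE\dept-sfs-admins:(OI)(CI)(F)
                             EXAMPLE\dept-staff:(OI)(CI)(M)
                             EXAMPLE\dept-lab:(OI)(CI)(F)
                             Everyone:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for finding in audit(parse_icacls(PATH, SAMPLE), ADMIN):
        print(finding)
```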