Securely Networking a File Server

Discussion in 'Hardware' started by mgookin, Sep 26, 2012.

  1. Hello smart people:

    I'd like to put a file server on my network but there's no need for it to ever connect to the internet or do anything other than be accessible to people on the internal, hard wired network. I want it as secure from outside intrusion as possible.

    Should I go into Services and disable everything, or use the firewall to block all ports, or both, or something else?

    Thanks in advance.
  2. mcassman


    Your server, while on the inside network, is still vulnerable to the perils of your users.

    Users have a tendency to unwittingly click on advertisements and open email attachments from anyone if it says "funny" on the subject line.

    You will want to install an A/V program written to be run on file servers like Symantec Endpoint Protection - Corporate Edition. This same program should be on all of your workstations and monitored daily for a/v activity.

    You will want a properly grounded UPS. Some type of removable/offline media for backups and even offsite, encrypted, backups for the mission-critical files. It should be physically secured... you don't want the cleaning-help to pull the raid drives out and walk away.

    There is so much more. Can anyone else help us out here ?

    Mike C.
    Chicago Traders Group
  3. OS?

    Is this a NAS/SAN or is it a real file server? If this is a Windows environment (which I assume it is) are you on a Domain or Workgroup?

    This is a lot of what I do for a living; giving access to only the people that you want and keeping the riff-raff out. Keeping everyone out isn't that hard, granting secure access without back-doors and loopholes can be a bit of a challenge.
  4. I have not dedicated any hardware to being the file server so I can't answer the first question. Our network consists of a cable modem going into a 24 port Cisco switch. Everything hard wired; no wireless anything (not even a printer).

    Looks like from the responses it's unreasonable to expect complete security so that will just determine what does and does not go on it. I'll just connect any old box, put a fresh RAID array in it (or maybe multiple arrays) and give network access to those who need access. I'll probably still go into services and the firewall and nuke everything that does not nuke the ability to access the drives from the internal network.

    As always, thanks very much for the responses.
  5. Secure (lock door) physical space
    Closet etc
    keep it cool -
    back it up every day
  6. oraclewizard77

    oraclewizard77 Moderator

    I would suggest using a Novell or Unix file server. The best way to prevent infection is with a non Microsoft operating system. So if your Windows computer gets infected, it will not bring down the file server.

    That said, you want to have your whole network behind a firewall, and have anti-virus running on all your Window's computers.

    As previous stated, you should have RAID IV on the file server plus a tape backup system.

    There is no point on running anti-virus on your file server if you don't run the Microsoft operating system. You don't want to slow down the file server. The file server should also have a 1 GB network card connected to a 1 GB port on the network switch.

    You also want to have a UPS connected to the server.

  7. No router/firewall between the modem and switch?

    Security should always start with securing the perimeter first, then securing the clients within the network.

    As for the file server, what some are suggesting is a tad overkill. Use the OS your most comfortable working with, else you'll have to hire a tech to administer it for you. You could use a *nix OS to get around Microsoft's tendency to be most vulnerable, but if the *nix OS is not maintained or updated it can be just as vulnerable.

    Blocking access to the net for the file server can be done in many ways... simple way of doing it would be configuring your firewall to block access (most 'above'-consumer level firewalls can do this.) Notice I said firewall again? If you don't have one between your modem and network you NEED to get one before anything else is done.

    All that aside, if you're a small office with just a hand full of people... to save on administrative, hardware, and time costs... why not just look into application specific devices? Like a network attached storage device (NAS) by one of the many decent tier 1 vendors?

    Much less time spent keeping the file server in order, fewer security concerns, often an embedded *nix based OS included with a user friendly interface that most people can use... etc... you'll still have to come up with a way to back it up, can't ignore that, but the kinda power a full on file server is often overkill for what an office of 3-10 people need.
  8. rerun


  9. I 100% agree with all of this. ESPECIALLY WITH:

    It should be:

    Modem/ISP uplink box >>> FIREWALL >>> Switch >>> Clients (computers & "stuff")
  10. I read many of the comments at and I have to admit it's a turn off. Seems like the company is a pig on that product. Reminds me of Apple - never again.

    Do you have one of these? Do you have to pay subscription fees to use it?

    What do they mean 10 users? I was going to connect it to my 24 port switch - can't do that?
    #10     Sep 30, 2012