Program your firewall and routers to block NFS and SMB packets.

Use NFS Version 3, if available, in TCP mode.

Use the netgroups mechanism to restrict the export of (and thus the ability to remotely mount) filesystems to a small set of local machines.

Mount partitions NOSUID unless SUID access is absolutely necessary.

Mount partitions NODEV, if available.

Set root ownership on files and directories exported remotely.

Never export a mounted partition on your system to an untrusted machine if the partition has any world- or group-writable directories.

Set the kernel portmon variable to ignore NFS requests from unprivileged ports.

Export filesystems to a small set of hosts using the access= or ro= options. Export read-only when possible.

Do not export user home directories in a writable mode.

Do not export server executables.

Do not export filesystems to yourself!

Do not use the root= option when exporting filesystems unless absolutely necessary.

Use fsirand on all partitions that are exported. Rerun the program periodically.

When possible, use the secure option for NFS mounts.

Monitor who is mounting your NFS partitions (but realize that you may not have a complete picture because of the stateless nature of NFS).

Restrict login access to the NFS or Samba server.

Use “user” or “domain” security with Samba. Enable encrypted passwords.

Require SMB clients to use a recent version of the protocol using the min protocol directive on the Samba server.

Don’t use the admin user ...