
Running Samba in a security-hardened environment

Comparing apples and oranges

… or Samba vs Windows, if you want.

Here is a table of the most commonly implemented security policies you will find in an AD DS environment where the baselines from the Microsoft Security Compliance Toolkit have been applied, next to the Samba parameter that covers the same ground.

The last column compares the out-of-the-box security defaults of Windows Server 2022 with those of Samba 4.21. As you can see, there is no clear winner in this race: Samba tracks Windows closely in the security department too.

Truth be told, most AD DS environments dating back to the early 2000s that never made a conscious security effort (meaning they were simply upgraded at every Windows release) are far less secure than a recent default Samba install.
It is very common to see AD DS production environments still running in 2025 with NTLMv1 enabled or with RC4 Kerberos session keys.

| Windows GPO setting | Windows GPO default | Windows GPO hardened | Samba setting | Samba default | Samba hardened | Notes | Winner |
|---|---|---|---|---|---|---|---|
| Restrict Unauthenticated RPC clients | None | Authenticated | allow dcerpc auth level connect (G) | no | no | Samba already refuses DCERPC binds at auth level "connect" (authenticated, but no integrity or privacy) by default; setting this to yes would weaken it. | Samba |
| Configure SMB v1 Server | Feature not installed | No effect | server min protocol (G) | SMB2_02 | SMB2_10 | Samba has not offered SMB1 by default since 4.11. The value SMB2 is an alias for SMB2_10; the hardened value also drops the SMB2_02 dialect (Vista / Server 2008). | Draw |
| NetBT NodeType configuration | B-Node | P-Node | name resolve order (G) | lmhosts wins host bcast | lmhosts wins host bcast | With no WINS server configured Samba falls through to DNS (host) before broadcast; removing wins and bcast from the list drops NetBIOS name resolution entirely. | Samba |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | restrict anonymous (G) | 0 | 2 | | Windows |
| Enable insecure guest logon | Enabled | Disabled | guest ok (S) | no | no | The Windows setting is client-side (Lanman Workstation); Samba restricts guest access to shares by default on the server side. | Samba |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled | client schannel (G) | yes | yes | | Draw |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | require strong key (G) | yes | yes | | Draw |
| Microsoft network client: Digitally sign communications (always) | Disabled | Enabled | client signing (G) | default (desired) | required | | Draw |
| Microsoft network client: Digitally sign communications (always) | Disabled | Enabled | client ipc signing (G) | default (required) | required | Not a clear winner, as some endpoints could be hard-coded. | Possibly Samba |
| Microsoft network server: Digitally sign communications (always) | DC = Required; member = Disabled | DC = Required; member = Disabled | server signing (G) | default (DC = required; member = disabled) | mandatory | | Draw |
| Network access: Allow anonymous SID/name translation | Disabled | Disabled | restrict anonymous (G) | 0 | 2 | | Possibly Windows |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | restrict anonymous (G) | 0 | 2 | | Windows |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled | Enabled | restrict anonymous (G) | 0 | 2 | | Draw |
| Network security: Configure encryption types allowed for Kerberos | RC4, AES128, AES256 | AES128, AES256 | kerberos encryption types (G) | all | strong | strong allows only the AES types. | Draw |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | lanman auth (G) | no | no | | Draw |
| Network security: LAN Manager authentication level | Send NTLMv2 Response Only | Send NTLMv2 Response Only | ntlm auth (G) | ntlmv2-only | ntlmv2-only | | Draw |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require 128-bit encryption | Require NTLMv2; Require 128-bit encryption | client use spnego (G) | yes | yes | | Draw |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require 128-bit encryption | Require NTLMv2; Require 128-bit encryption | raw NTLMv2 auth (G) | no | no | | Draw |
| Microsoft network client: Send unencrypted password to connect to third-party SMB servers | Disabled | Disabled | encrypt passwords (G) | yes | yes | | Draw |
| (no Windows equivalent) | | | disable netbios (G) | no | yes | nmbd is usually not enabled by the distribution, so NetBIOS is not started even with the default value. | Samba |

I just want the config

For the lazy, here is the relevant configuration you can put into smb.conf if you want your Samba install to follow the same security directives as a hardened AD DS environment.

Don’t blame me if you blindly apply it and things stop working.
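The author's configuration block is not reproduced on this page. As an added example (the editor's, not the author's or the Samba project's), the following POSIX shell script assembles the "Samba hardened" column of the table above into an smb.conf [global] fragment and, given an existing smb.conf, reports every parameter that deviates from it. Only the parameter list comes from the table; the script name, the function names, the parsing logic and the sample files in the usage are assumptions made here.

```shell
#!/bin/sh
# Added example (editor's, not from the original post or the Samba project):
# turns the "Samba hardened" column of the table above into a ready-to-paste
# smb.conf [global] fragment, and checks an existing smb.conf against it.
# The parameter list comes from the table; the parsing and comparison logic
# and the sample files used when testing are constructed here.

# Hardened values from the table, one "parameter=value" per line.
HARDENED='allow dcerpc auth level connect=no
server min protocol=SMB2_10
name resolve order=lmhosts wins host bcast
restrict anonymous=2
guest ok=no
client schannel=yes
require strong key=yes
client signing=required
client ipc signing=required
server signing=mandatory
kerberos encryption types=strong
lanman auth=no
ntlm auth=ntlmv2-only
client use spnego=yes
raw NTLMv2 auth=no
encrypt passwords=yes
disable netbios=yes'

# Samba matches parameter names ignoring case and whitespace
# ("ServerMinProtocol" is "server min protocol"), so normalize both sides.
norm_key() { printf '%s' "$1" | tr -d ' \t' | tr 'A-Z' 'a-z'; }

# Booleans may be spelled yes/true/1 or no/false/0; fold them and case.
norm_val() {
  v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$v" in
    true|1)  v=yes ;;
    false|0) v=no ;;
  esac
  printf '%s' "$v"
}

# Print "normalizedkey=value" for each parameter in the [global] section of
# file $1. Comment lines (# or ;) are skipped and, as in Samba, the last
# definition of a parameter wins. Parameters in share sections are ignored.
global_params() {
  awk '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
    g && index($0, "=") {
      i = index($0, "=")
      key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
      val = substr($0, i + 1);             gsub(/^[ \t]+|[ \t]+$/, "", val)
      seen[key] = val
    }
    END { for (k in seen) print k "=" seen[k] }
  ' "$1"
}

# Emit HARDENED as an smb.conf [global] fragment on stdout. "guest ok" is a
# share-level parameter; placed in [global] it becomes the default for every
# share.
write_hardened_conf() {
  printf '[global]\n'
  printf '%s\n' "$HARDENED" |
    awk -F= '{ printf "    %s = %s\n", $1, substr($0, index($0, "=") + 1) }'
}

# Compare the [global] section of file $1 with HARDENED. Prints one line per
# deviation; returns 0 when every hardened value is in place, 1 otherwise.
check_hardening() {
  params=$(global_params "$1")
  bad=0
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    nkey=$(norm_key "$key")
    have=$(printf '%s\n' "$params" |
      awk -F= -v k="$nkey" '$1 == k { sub(/^[^=]*=/, ""); print }')
    if [ -z "$have" ]; then
      printf '%s: not set (built-in default in effect), want "%s"\n' "$key" "$want"
      bad=1
    elif [ "$(norm_val "$have")" != "$(norm_val "$want")" ]; then
      printf '%s: have "%s", want "%s"\n' "$key" "$have" "$want"
      bad=1
    fi
  done <<EOF
$HARDENED
EOF
  return $bad
}

# Usage: sh smb_harden_check.sh                       # print the fragment
#        sh smb_harden_check.sh /etc/samba/smb.conf   # report deviations
if [ $# -gt 0 ]; then
  check_hardening "$1"
else
  write_hardened_conf
fi
```

Run it without arguments to get the fragment, paste it into your [global] section, then let Samba itself validate the result with `testparm -s` before restarting the services. Two caveats from the smb.conf man page are worth repeating: `restrict anonymous = 2` breaks clients that still rely on anonymous IPC$ connections, and `disable netbios = yes` cuts off any client that can only reach the server over NetBIOS.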
