Securing Samba

Changing some of these options may break compatibility with Windows XP, and older versions of Samba may not support some of the options listed below.

Optimal settings overview
a) lanman auth = No (prevents use of the weak LanMan password hash; breaks compatibility with XP unless the XP registry hack has been applied)
b) encrypt passwords = Yes (encrypts the password, but the hash is easy to crack, which is why lanman auth, above, is set to No)
c) ntlm auth = No (if this option and lanman auth are both disabled, only NTLMv2 logins will be permitted. Not all clients support NTLMv2, and most will require special configuration to use it.)
d) client NTLMv2 auth = Yes (setting this means only NTLMv2 logins will be attempted; it disables NTLMv1 as well as client lanman auth and client plaintext auth)
e) client lanman auth = No (prevents smb clients and tools from using the weak password hash; disabling this option also disables the client plaintext auth option below)
f) client plaintext auth = No (this will be disabled when client NTLMv2 auth is enabled)
g) workgroup = xxx
h) realm = xxx.LOCAL
i) security = ADS
j) bind interfaces only = Yes (when set, you specify the interface(s) with interfaces = 10.1.250.9, for example)
k) hosts allow = xxx.xx.xxx. xxx.xx.xxx. 127. 10. 192.168.

From:
encrypt passwords = Yes
lanman auth = Yes
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes

To:
encrypt passwords = Yes
lanman auth = No
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
bind interfaces only = yes
interfaces = xx.xx.xx.xx
hosts allow = xxx.xx.xxx. xxx.xx.xxx. 127. 10. 192.168.
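As an added check (example code written for this note, not from the original post), here is a small Python audit that parses the [global] section of an smb.conf and compares it against the "To:" values above. The sample configuration embedded in it is constructed to mirror the "From:" block; interfaces and hosts allow are site-specific, so only their presence is checked, and an option that is not set is reported as missing rather than assumed to take a version-dependent default.

```python
import re

# Target values from the post's "To:" block; interfaces and hosts allow take
# site-specific values, so those two are only checked for presence.
HARDENED = {"encrypt passwords": "yes", "lanman auth": "no", "ntlm auth": "no",
            "client NTLMv2 auth": "yes", "client lanman auth": "no",
            "client plaintext auth": "no", "bind interfaces only": "yes"}
SITE_SPECIFIC = ("interfaces", "hosts allow")
BOOL = {"true": "yes", "1": "yes", "false": "no", "0": "no"}  # Samba synonyms

def norm_key(name):
    # Samba matches option names case-insensitively and ignores whitespace
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised option: raw value} from the [global] section only."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            opts[norm_key(key)] = value.strip()   # a later line overrides
    return opts

def audit(text):
    """Return (option, found, wanted) triples; an empty list means hardened."""
    opts = parse_global(text)
    findings = []
    for key, wanted in HARDENED.items():
        found = opts.get(norm_key(key))   # None = not set; no default assumed
        if found is None or BOOL.get(found.lower(), found.lower()) != wanted:
            findings.append((key, found, wanted))
    for key in SITE_SPECIFIC:
        if norm_key(key) not in opts:
            findings.append((key, None, "<site value>"))
    return findings

WEAK_CONF = """# constructed sample mirroring the post's "From:" block
[global]
   encrypt passwords = Yes
   ; lanman auth = No   <- commented out, so it does not count
   lanman auth = Yes
   ntlm auth = Yes
   client NTLMv2 auth = No
   client lanman auth = Yes
   client plaintext auth = Yes
"""
```

Run `audit(open("/etc/samba/smb.conf").read())` against a live file; an empty list means every option above is set as recommended.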

About hedscratchers

A UK ex-pat now living in the USA.
This entry was posted in Linux & Solaris.
