From 99bde6889d3d8b7a9e950c86c30e82662e1dacdd Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 9 Sep 2003 02:58:53 +0000 Subject: syncing files from 3.0 into HEAD again (This used to be commit bca0bba209255d0effbae6a3d3b6d298f0952c3a) --- docs/docbook/projdoc/securing-samba.xml | 75 ++++++++++++++++++--------------- 1 file changed, 41 insertions(+), 34 deletions(-) (limited to 'docs/docbook/projdoc/securing-samba.xml') diff --git a/docs/docbook/projdoc/securing-samba.xml b/docs/docbook/projdoc/securing-samba.xml index bed4e4ee56..d59b0f381e 100644 --- a/docs/docbook/projdoc/securing-samba.xml +++ b/docs/docbook/projdoc/securing-samba.xml @@ -49,8 +49,8 @@ Samba may be secured from connections that originate from outside the local netw done using host based protection (using samba's implementation of a technology known as "tcpwrappers", or it may be done be using interface based exclusion so that &smbd; will bind only to specifically permitted interfaces. It is also -possible to set specific share or resource based exclusions, eg: on the IPC$ -auto-share. The IPC$ share is used for browsing purposes as well as to establish +possible to set specific share or resource based exclusions, eg: on the [IPC$] +auto-share. The [IPC$] share is used for browsing purposes as well as to establish TCP/IP connections. 
@@ -85,16 +85,16 @@ before someone will find yet another vulnerability. - One of the simplest fixes in this case is to use the hosts allow and - hosts deny options in the Samba &smb.conf; configuration file to only + One of the simplest fixes in this case is to use the hosts allow and + hosts deny options in the Samba &smb.conf; configuration file to only allow access to your server from a specific range of hosts. An example might be: - - hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24 - hosts deny = 0.0.0.0/0 - + +hosts allow127.0.0.1 192.168.2.0/24 192.168.3.0/24 +hosts deny0.0.0.0/0 + The above will only allow SMB connections from 'localhost' (your own @@ -111,12 +111,12 @@ before someone will find yet another vulnerability. If you want to restrict access to your server to valid users only then the following - method may be of use. In the &smb.conf; [globals] section put: + method may be of use. In the &smb.conf; [global] section put: - - valid users = @smbusers, jacko - + +valid users@smbusers, jacko + What this does is, it restricts all server access to either the user jacko @@ -140,10 +140,10 @@ before someone will find yet another vulnerability. You can change this behaviour using options like the following: - - interfaces = eth* lo - bind interfaces only = yes - + +interfaceseth* lo +bind interfaces onlyyes + This tells Samba to only listen for connections on interfaces with a @@ -209,11 +209,11 @@ before someone will find yet another vulnerability. To do that you could use: - -[ipc$] - hosts allow = 192.168.115.0/24 127.0.0.1 - hosts deny = 0.0.0.0/0 - + +[ipc$] +hosts allow192.168.115.0/24 127.0.0.1 +hosts deny0.0.0.0/0 + this would tell Samba that IPC$ connections are not allowed from 
@@ -245,23 +245,30 @@ before someone will find yet another vulnerability. To configure NTLMv2 authentication the following registry keys are worth knowing about: - - + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "lmcompatibilitylevel"=dword:00000003 + + + 0x3 - Send NTLMv2 response only. Clients will use NTLMv2 authentication, use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM and NTLMv2 authentication. + + + [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] "NtlmMinClientSec"=dword:00080000 + + + 0x80000 - NTLMv2 session security. If either NtlmMinClientSec or NtlmMinServerSec is set to 0x80000, the connection will fail if NTLMv2 session security is not negotiated. - @@ -270,10 +277,10 @@ before someone will find yet another vulnerability. Upgrading Samba -Please check regularly on http://www.samba.org/ for updates and +Please check regularly on http://www.samba.org/ for updates and important announcements. Occasionally security releases are made and it is highly recommended to upgrade Samba when a security vulnerability -is discovered. +is discovered. Check with your OS vendor for OS specific upgrades. @@ -346,21 +353,21 @@ out to be a security problem request are totally convinced that the problem is w Samba does allow the setup you require when you have set the - only user = yes option on the share, is that you have not set the + only useryes option on the share, is that you have not set the valid users list for the share. Note that only user works in conjunction with the users= list, so to get the behavior you require, add the line : - - users = %S - + +users%S + this is equivalent to: - - valid users = %S - - to the definition of the [homes] share, as recommended in + +valid users%S + + to the definition of the [homes] share, as recommended in the &smb.conf; man page. -- cgit
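Review bot: in the first hunk (@@ -49,8 +49,8 @@) the only change is wrapping the share name as `[IPC$]`, while the unchanged context line directly above it still reads "it may be done be using interface based exclusion"; since this sentence is already being touched, fix it to "done by using" in the same commit rather than leaving the typo for another sync.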
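Review bot: in the hosts allow/hosts deny hunk (@@ -85,16 +85,16 @@) the replacement lines run the option name straight into its value ("hosts allow127.0.0.1 192.168.2.0/24 192.168.3.0/24", "hosts deny0.0.0.0/0"), so whatever element now wraps these options must render the " = " separator, or the published example stops being smb.conf syntax a reader can paste into the file; the same check applies to every option converted in this patch (valid users, interfaces, bind interfaces only, users). Please confirm the rendered output before merging.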
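Review bot: the [globals] to [global] correction in the valid users hunk (@@ -111,12 +111,12 @@) is the right fix and is security relevant: smbd treats an unrecognised section name as a share definition, so a reader who copied "[globals]" would have created a share called globals carrying the valid users line instead of restricting the whole server; worth grepping the rest of docs/docbook for the same misspelling in this pass.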
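Review bot: the interfaces hunk (@@ -140,10 +140,10 @@) correctly keeps `lo` in "interfaces = eth* lo", but the prose that follows only explains the eth* part; add a sentence saying why the loopback interface stays in the list, because with bind interfaces only = yes smbd no longer answers on 127.0.0.1 if lo is omitted, and local tools such as smbpasswd that connect to localhost then fail.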
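Review bot: the [ipc$] hunk (@@ -209,11 +209,11 @@) is inconsistent with the first hunk of this same patch, which just changed the prose to `[IPC$]`: the example section header here is lowercase `[ipc$]`, and the unchanged line "this would tell Samba that IPC$ connections are not allowed from" still uses the bare, unbracketed form. Share names are matched case-insensitively, so either spelling works, but the document should use one form (for example `[IPC$]` in prose and `[ipc$]` in the example, or the same case in both) and apply it throughout.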
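Review bot: the NTLMv2 hunk (@@ -245,23 +245,30 @@) adds an explanation that says the connection fails "if either NtlmMinClientSec or NtlmMinServerSec is set to 0x80000", but the example only shows the "NtlmMinClientSec"=dword:00080000 line, so the reader cannot tell whether the server key should be set too; either add the NtlmMinServerSec line under the same [...\Lsa\MSV1_0] key or state that the example covers the client side only. The same paragraph's note that at 0x3 "Domain controllers accept LM, NTLM and NTLMv2 authentication" deserves one sentence making clear that lmcompatibilitylevel=3 hardens what the client sends, not what a server or DC will accept.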
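Review bot: style point on the Upgrading Samba hunk (@@ -270,10 +277,10 @@): the added sentence "Check with your OS vendor for OS specific upgrades." should read "OS-specific upgrades".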
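Review bot: the last hunk (@@ -346,21 +353,21 @@) keeps the claim that "users = %S" "is equivalent to" "valid users = %S", but the surrounding lines themselves say only user "works in conjunction with the users= list", so the equivalence holds only while only user = yes is set on the share; make that condition explicit next to "this is equivalent to". Two further problems in the touched context: the lead sentence "Samba does allow the setup you require when you have set the only user = yes option on the share, is that you have not set the valid users list for the share" has lost its main clause and no longer parses, and the prose form "users= list" should use the same option markup as the example lines below it.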