| blob | 4a21699c61ddb241a9c96d134365508b613aff56 |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
5 %global_entities;
6 ]>
8 <chapter id="securing-samba">
10 <chapterinfo>
11 &author.tridge;
12 &author.jht;
13 <pubdate>May 26, 2003</pubdate>
14 </chapterinfo>
16 <title>Securing Samba</title>
18 <sect1>
19 <title>Introduction</title>
20 <para>
21 This note was attached to the Samba 2.2.8 release notes as it contained an
22 important security fix. The information contained here applies to Samba
23 installations in general.
24 </para>
26 <blockquote>
27 <para>
28 A new apprentice reported for duty to the chief engineer of a boiler house. He said, <quote>Here I am,
29 if you will show me the boiler I'll start working on it.</quote> Then engineer replied, <quote>You're leaning
30 on it!</quote>
31 </para>
32 </blockquote>
34 <para>
35 Security concerns are just like that. You need to know a little about the subject to appreciate
36 how obvious most of it really is. The challenge for most of us is to discover that first morsel
37 of knowledge with which we may unlock the secrets of the masters.
38 </para>
40 </sect1>
42 <sect1>
43 <title>Features and Benefits</title>
45 <para>
46 There are three levels at which security principals must be observed in order to render a site
47 at least moderately secure. They are the perimeter firewall, the configuration of the host
48 server that is running Samba and Samba itself.
49 </para>
51 <para>
52 Samba permits a most flexible approach to network security. As far as possible Samba implements
53 the latest protocols to permit more secure MS Windows file and print operations.
54 </para>
56 <para>
57 Samba may be secured from connections that originate from outside the local network. This may be
58 done using <emphasis>host-based protection</emphasis> (using Samba's implementation of a technology
59 known as <quote>tcpwrappers,</quote> or it may be done be using <emphasis>interface-based exclusion</emphasis>
60 so &smbd; will bind only to specifically permitted interfaces. It is also
61 possible to set specific share or resource-based exclusions, for example on the <smbconfsection>[IPC$]</smbconfsection>
62 auto-share. The <smbconfsection>[IPC$]</smbconfsection> share is used for browsing purposes as well as to establish
63 TCP/IP connections.
64 </para>
66 <para>
67 Another method by which Samba may be secured is by setting Access Control Entries (ACEs) in an Access
68 Control List (ACL) on the shares themselves. This is discussed in <link linkend="AccessControls">File, Directory and Share Access Controls</link>.
69 </para>
71 </sect1>
73 <sect1>
74 <title>Technical Discussion of Protective Measures and Issues</title>
76 <para>
77 The key challenge of security is the fact that protective measures suffice at best
78 only to close the door on known exploits and breach techniques. Never assume that
79 because you have followed these few measures that the Samba server is now an impenetrable
80 fortress! Given the history of information systems so far, it is only a matter of time
81 before someone will find yet another vulnerability.
82 </para>
84 <sect2>
85 <title>Using Host-Based Protection</title>
87 <para>
88 In many installations of Samba, the greatest threat comes from outside
89 your immediate network. By default, Samba will accept connections from
90 any host, which means that if you run an insecure version of Samba on
91 a host that is directly connected to the Internet you can be
92 especially vulnerable.
93 </para>
95 <para>
96 One of the simplest fixes in this case is to use the <smbconfoption><name>hosts allow</name></smbconfoption> and
97 <smbconfoption><name>hosts deny</name></smbconfoption> options in the Samba &smb.conf; configuration file to only
98 allow access to your server from a specific range of hosts. An example might be:
99 </para>
101 <para><smbconfblock>
102 <smbconfoption><name>hosts allow</name><value>127.0.0.1 192.168.2.0/24 192.168.3.0/24</value></smbconfoption>
103 <smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
104 </smbconfblock></para>
106 <para>
107 The above will only allow SMB connections from <constant>localhost</constant> (your own
108 computer) and from the two private networks 192.168.2 and 192.168.3. All other
109 connections will be refused as soon as the client sends its first packet. The refusal
110 will be marked as <errorname>not listening on called name</errorname> error.
111 </para>
113 </sect2>
115 <sect2>
116 <title>User-Based Protection</title>
118 <para>
119 If you want to restrict access to your server to valid users only, then the following
120 method may be of use. In the &smb.conf; <smbconfsection>[global]</smbconfsection> section put:
121 </para>
123 <para><smbconfblock>
124 <smbconfoption><name>valid users</name><value>@smbusers, jacko</value></smbconfoption>
125 </smbconfblock></para>
127 <para>
128 This restricts all server access to either the user <emphasis>jacko</emphasis>
129 or to members of the system group <emphasis>smbusers</emphasis>.
130 </para>
132 </sect2>
134 <sect2>
136 <title>Using Interface Protection</title>
138 <para>
139 By default, Samba will accept connections on any network interface that
140 it finds on your system. That means if you have a ISDN line or a PPP
141 connection to the Internet then Samba will accept connections on those
142 links. This may not be what you want.
143 </para>
145 <para>
146 You can change this behavior using options like this:
147 </para>
149 <para><smbconfblock>
150 <smbconfoption><name>interfaces</name><value>eth* lo</value></smbconfoption>
151 <smbconfoption><name>bind interfaces only</name><value>yes</value></smbconfoption>
152 </smbconfblock></para>
154 <para>
155 This tells Samba to only listen for connections on interfaces with a
156 name starting with <constant>eth</constant> such as <constant>eth0, eth1</constant> plus on the loopback
157 interface called <constant>lo</constant>. The name you will need to use depends on what
158 OS you are using. In the above, I used the common name for Ethernet
159 adapters on Linux.
160 </para>
162 <para>
163 If you use the above and someone tries to make an SMB connection to
164 your host over a PPP interface called <constant>ppp0,</constant> then they will get a TCP
165 connection refused reply. In that case, no Samba code is run at all as
166 the operating system has been told not to pass connections from that
167 interface to any Samba process.
168 </para>
170 </sect2>
172 <sect2>
173 <title>Using a Firewall</title>
175 <para>
176 Many people use a firewall to deny access to services they do not
177 want exposed outside their network. This can be a good idea,
178 although I recommend using it in conjunction with the above
179 methods so you are protected even if your firewall is not active
180 for some reason.
181 </para>
183 <para>
184 If you are setting up a firewall, you need to know what TCP and
185 UDP ports to allow and block. Samba uses the following:
186 </para>
188 <simplelist>
189 <member>UDP/137 - used by nmbd</member>
190 <member>UDP/138 - used by nmbd</member>
191 <member>TCP/139 - used by smbd</member>
192 <member>TCP/445 - used by smbd</member>
193 </simplelist>
195 <para>
196 The last one is important as many older firewall setups may not be
197 aware of it, given that this port was only added to the protocol in
198 recent years.
199 </para>
201 </sect2>
203 <sect2>
204 <title>Using IPC$ Share-Based Denials </title>
206 <para>
207 If the above methods are not suitable, then you could also place a
208 more specific deny on the IPC$ share that is used in the recently
209 discovered security hole. This allows you to offer access to other
210 shares while denying access to IPC$ from potentially un-trustworthy
211 hosts.
212 </para>
214 <para>
215 To do this you could use:
216 </para>
218 <para><smbconfblock>
219 <smbconfsection>[IPC$]</smbconfsection>
220 <smbconfoption><name>hosts allow</name><value>192.168.115.0/24 127.0.0.1</value></smbconfoption>
221 <smbconfoption><name>hosts deny</name><value>0.0.0.0/0</value></smbconfoption>
222 </smbconfblock></para>
224 <para>
225 This instructs Samba that IPC$ connections are not allowed from
226 anywhere except from the two listed network addresses (localhost and the 192.168.115
227 subnet). Connections to other shares are still allowed. As the
228 IPC$ share is the only share that is always accessible anonymously,
229 this provides some level of protection against attackers that do not
230 know a valid username/password for your host.
231 </para>
233 <para>
234 If you use this method, then clients will be given an <errorname>`access denied'</errorname>
235 reply when they try to access the IPC$ share. Those clients will not be able to
236 browse shares, and may also be unable to access some other resources. This is not
237 recommended unless you cannot use one of the other methods listed above for some reason.
238 </para>
240 </sect2>
242 <sect2>
243 <title>NTLMv2 Security</title>
245 <para>
246 To configure NTLMv2 authentication, the following registry keys are worth knowing about:
247 </para>
249 <para>
250 <screen>
251 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
252 "lmcompatibilitylevel"=dword:00000003
253 </screen>
254 </para>
256 <para>
257 The value 0x00000003 means send NTLMv2 response only. Clients will use NTLMv2 authentication,
258 use NTLMv2 session security if the server supports it. Domain Controllers accept LM,
259 NTLM and NTLMv2 authentication.
260 </para>
262 <para>
263 <screen>
264 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
265 "NtlmMinClientSec"=dword:00080000
266 </screen>
267 </para>
269 <para>
270 The value 0x00080000 means permit only NTLMv2 session security. If either NtlmMinClientSec or
271 NtlmMinServerSec is set to 0x00080000, the connection will fail if NTLMv2
272 session security is not negotiated.
273 </para>
274 </sect2>
275 </sect1>
277 <sect1>
278 <title>Upgrading Samba</title>
280 <para>
281 Please check regularly on <ulink noescape="1" url="http://www.samba.org/">http://www.samba.org/</ulink> for updates and
282 important announcements. Occasionally security releases are made and
283 it is highly recommended to upgrade Samba when a security vulnerability
284 is discovered. Check with your OS vendor for OS specific upgrades.
285 </para>
287 </sect1>
289 <sect1>
290 <title>Common Errors</title>
292 <para>
293 If all of Samba and host platform configuration were really as intuitive as one might like them to be, this
294 section would not be necessary. Security issues are often vexing for a support person to resolve, not
295 because of the complexity of the problem, but for the reason that most administrators who post what turns
296 out to be a security problem request are totally convinced that the problem is with Samba.
297 </para>
299 <sect2>
300 <title>Smbclient Works on Localhost, but the Network Is Dead</title>
302 <para>
303 This is a common problem. Red Hat Linux (and others) installs a default firewall.
304 With the default firewall in place, only traffic on the loopback adapter (IP address 127.0.0.1)
305 is allowed through the firewall.
306 </para>
308 <para>
309 The solution is either to remove the firewall (stop it) or modify the firewall script to
310 allow SMB networking traffic through. See section above in this chapter.
311 </para>
313 </sect2>
315 <sect2>
316 <title>Why Can Users Access Home Directories of Other Users?</title>
318 <para>
319 <quote>
320 We are unable to keep individual users from mapping to any other user's
321 home directory once they have supplied a valid password! They only need
322 to enter their own password. I have not found any method to configure
323 Samba so that users may map only their own home directory.
324 </quote>
325 </para>
327 <para><quote>
328 User xyzzy can map his home directory. Once mapped user xyzzy can also map
329 anyone else's home directory.
330 </quote></para>
332 <para>
333 This is not a security flaw, it is by design. Samba allows users to have
334 exactly the same access to the UNIX file system as when they were logged
335 onto the UNIX box, except that it only allows such views onto the file
336 system as are allowed by the defined shares.
337 </para>
339 <para>
340 If your UNIX home directories are set up so that one user can happily <command>cd</command>
341 into another users directory and execute <command>ls</command>, the UNIX security solution is to change file
342 permissions on the user's home directories such that the <command>cd</command> and <command>ls</command> are denied.
343 </para>
345 <para>
346 Samba tries very hard not to second guess the UNIX administrators security policies, and
347 trusts the UNIX admin to set the policies and permissions he or she desires.
348 </para>
350 <para>
351 Samba allows the behavior you require. Simply put the <smbconfoption><name>only user</name><value>%S</value></smbconfoption>
352 option in the <smbconfsection>[homes]</smbconfsection> share definition.
353 </para>
355 <para>
356 The <smbconfoption><name>only user</name><value></value></smbconfoption> works in conjunction with the <smbconfoption><name>users</name><value>list</value></smbconfoption>,
357 so to get the behavior you require, add the line :
358 <smbconfblock>
359 <smbconfoption><name>users</name><value>%S</value></smbconfoption>
360 </smbconfblock>
361 this is equivalent to adding
362 <smbconfblock>
363 <smbconfoption><name>valid users</name><value>%S</value></smbconfoption>
364 </smbconfblock>
365 to the definition of the <smbconfsection>[homes]</smbconfsection> share, as recommended in
366 the &smb.conf; man page.
367 </para>
368 </sect2>
370 </sect1>
371 </chapter>