.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """"""""""""""""""""

.. |date| date::

.. meta::
   :description: Reinforcing the security of your Samba Active Directory domain
   :keywords: security, Samba-AD, documentation

.. _samba_active_directory_security_tips:

##############################################################
Reinforcing the security of your Samba Active Directory domain
##############################################################

************************************
Turning off null session connections
************************************

.. hint::

   Samba-AD inherits NT4 domain behavior that is no longer needed in Active Directory mode.

Indeed, the list of users can be retrieved without being logged on to the domain, which is not very elegant. For example, the following command returns all domain users (replace the IP address with your domain controller's IP address and press :kbd:`Enter` when prompted for a password):

.. code-block:: bash

   rpcclient -U "" -c enumdomusers 10.0.0.11

* To avoid this listing, add the following line to the ``[global]`` section of :file:`/etc/samba/smb.conf`:

  .. code-block:: ini

     restrict anonymous = 2

*******************
Turning off NetBIOS
*******************

.. hint::

   If the :abbr:`DNS (Domain Name System)` configuration is correct, the old NetBIOS protocols are no longer needed and may be disabled.

* Add to the ``[global]`` section of :file:`/etc/samba/smb.conf`:

  .. code-block:: ini

     disable netbios = yes
     smb ports = 445

*************************
Disabling printer support
*************************

.. hint::

   The Domain Controller should not be configured with the print server role. A Samba server configured as a file server is better suited for this function.
* To disable the *printing* role, which is active by default in Samba, add to the ``[global]`` section of :file:`/etc/samba/smb.conf`:

  .. code-block:: ini

     printcap name = /dev/null
     load printers = no
     disable spoolss = yes
     printing = bsd

******************
Turning off NTLMv1
******************

The NTLMv1 authentication protocol dates back to the early 1990s and was quickly replaced by NTLMv2 because of its security flaws. It is no longer useful on modern networks, except for MS-CHAP-v2, which is the default protocol for 802.1X authentication on Windows workstations (e.g. RADIUS authentication for Wi-Fi connections). In the MS-CHAP-v2 case, the use of NTLMv1 can be tolerated to a certain extent because it is encapsulated in a more robust protocol.

Samba has an option to disable NTLMv1 globally except when it is used for MS-CHAP-v2 authentication. It is therefore advised to add the following parameter to :file:`/etc/samba/smb.conf`:

.. code-block:: ini

   [global]
   ...
   ntlm auth = mschapv2-and-ntlmv2-only

***************************************************************************
Replacing the certificate with a certificate validated by your Organization
***************************************************************************

.. hint::

   Unlike Microsoft AD, Samba-AD enables LDAP STARTTLS and LDAPS support by default. A self-signed certificate is generated during installation. It is important to replace it with a certificate that is valid within your organization.

* Add the following directives to :file:`/etc/samba/smb.conf` and adapt them to your context:

  .. code-block:: ini

     [global]
     ...
     tls enabled = yes
     tls keyfile = /etc/samba/tls/srvads.mydomain.lan.key
     tls certfile = /etc/samba/tls/srvads.mydomain.lan.crt
     tls cafile = /etc/samba/tls/mondomaine_CA.crt

*************************************
Generating additional password hashes
*************************************

.. hint::

   It is common for an LDAP authentication directory to exist in parallel with your Active Directory.
To allow the password *hashes* to be transferred to another authentication base, Samba-AD can be asked to generate additional *hashes* whenever a user changes her password.

* Add the following line to :file:`/etc/samba/smb.conf`:

  .. code-block:: ini

     [global]
     ...
     password hash userPassword schemes = CryptSHA256 CryptSHA512

*************************************
Protecting DNS fields wpad and isatap
*************************************

Windows AD servers have a DNS Global Query Block List with two entries:

* ``wpad``;
* ``isatap``.

The registry key ``GlobalQueryBlockList`` lists these two DNS records to prevent an unauthorized entity acting on the local network from creating them and rerouting network traffic. The Web Proxy Auto-Discovery Protocol (WPAD) is enabled by default in web browsers, in particular in **Internet Explorer**. Even if the ``wpad`` and ``isatap`` configurations are not used, it is still important to create these two entries so that nobody else can register them, because Samba-AD has no way to block the creation of these records as Microsoft AD does.

To learn more: https://technet.microsoft.com/en-us/library/cc794902%28v=ws.10%29.aspx

.. code-block:: bash

   # -P: authenticate with the stored machine account password
   samba-tool dns add `hostname -s` `hostname -d` wpad A 127.0.0.1 -P
   samba-tool dns add `hostname -s` `hostname -d` isatap A 127.0.0.1 -P

***********************************
Limiting the range of dynamic ports
***********************************

By default, Active Directory uses a very wide dynamic port range for :abbr:`MS-RPC (Microsoft Remote Procedure Call)` calls. It is possible, and recommended, to restrict this range.

* To do this, add the following line to the ``[global]`` section of the :file:`/etc/samba/smb.conf` file:

  .. code-block:: ini

     rpc server dynamic port range = 50000-55000

* Then reconfigure the firewall so that only this range is open:

  .. code-block:: bash

     firewall-cmd --zone=public --remove-port=49152-65535/tcp --permanent
     # the opened range must match "rpc server dynamic port range" above
     firewall-cmd --zone=public --add-port=50000-55000/tcp --permanent
     firewall-cmd --reload

**********************************************
Limiting the subnets that can do DNS recursion
**********************************************

In the *named* configuration, replace the following line:

.. code-block:: ini

   allow-query { any; };

... with the list of authorized subnets:

.. code-block:: ini

   allow-query { 10.40.0.0/16; 10.20.0.0/16; };

.. _audit_samba_bind:

*************************
Auditing DNS Bind queries
*************************

Enabling DNS Bind query logging
===============================

In the following configuration we configure the DNS Bind service to log all the DNS requests that reach the server. These requests can then be forwarded to a log concentrator.

* Create the files :file:`/var/log/bind/audit.log` and :file:`/var/log/bind/requests.log`:

  .. code-block:: bash

     mkdir -p /var/log/bind/
     touch /var/log/bind/audit.log
     touch /var/log/bind/requests.log
     chown -R bind /var/log/bind
     chmod u+rw /var/log/bind

* Create a log configuration file :file:`/etc/named/log.conf` that we will include in the Bind9 configuration:

  .. code-block:: ini

     logging {
         channel default_syslog {
             // standard syslog logging
             syslog local2;
         };
         channel audit_log {
             // audit log except DNS requests
             file "/var/log/bind/audit.log" size 10m;
             severity debug;
             print-category yes;
             print-severity yes;
             print-time yes;
         };
         channel requests_log {
             // DNS requests logging
             file "/var/log/bind/requests.log" size 10m;
             severity debug;
             print-time yes;
             print-category yes;
             print-severity yes;
         };
         channel null {
             null;
         };
         category default { default_syslog; };
         category general { audit_log; };
         category security { audit_log; };
         category config { audit_log; };
         category resolver { audit_log; };
         category xfer-in { audit_log; };
         category xfer-out { audit_log; };
         category notify { audit_log; };
         category client { audit_log; };
         category network { audit_log; };
         category update { audit_log; };
         category queries { requests_log; audit_log; };
         category lame-servers { null; };
     };

* Include the configuration file in :file:`/etc/named.conf`:

  .. code-block:: ini

     # Debian
     include "/etc/bind/log.conf";
     # RedHat8 and derived distributions
     include "/etc/named/log.conf";

* Give the log files to the account that runs Bind (the account name depends on the distribution):

  .. code-block:: bash

     # Debian
     chown bind:root /var/log/bind/audit.log
     chown bind:root /var/log/bind/requests.log
     # RedHat8 and derived distributions
     chown named:root /var/log/bind/audit.log
     chown named:root /var/log/bind/requests.log

* Activate the DNS query log:

  .. code-block:: bash

     rndc querylog on

* Restart **Bind9** and check that :program:`Bind9` is started:

  .. code-block:: bash

     systemctl restart named

Enabling the rotation of Bind query history logs
================================================

The volume of the log files can grow very quickly with this kind of audit, so a daily rotation keeping 7 days of history is put in place:

* Create the file :file:`/etc/logrotate.d/bind`:

  .. code-block:: ini

     /var/log/bind/audit.log {
         daily
         missingok
         rotate 7
         compress
         delaycompress
         notifempty
         create 644 bind bind
         postrotate
             systemctl reload bind9 > /dev/null
         endscript
     }
     /var/log/bind/requests.log {
         daily
         missingok
         rotate 7
         compress
         delaycompress
         notifempty
         create 644 bind bind
         postrotate
             systemctl reload bind9 > /dev/null
         endscript
     }

* Check the rotation configuration (``-d`` runs logrotate in debug mode and does not rotate anything):

  .. code-block:: bash

     logrotate -d /etc/logrotate.d/bind

Disabling Bind query logging
============================

* Run the command again with the argument **off**:

  .. code-block:: bash

     rndc querylog off

.. _audit_samba_netlogon_sysvol:

**************************************************
Auditing access to SYSVOL and NetLogon directories
**************************************************

* Add to :file:`/etc/samba/smb.conf`:

  .. code-block:: ini

     [global]
     ...
     full_audit:failure = none
     full_audit:success = pwrite write renameat
     full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
     full_audit:facility = local7
     full_audit:priority = NOTICE

* Then add to the ``[sysvol]`` and ``[netlogon]`` sections:

  .. code-block:: ini

     [sysvol]
     ...
     vfs objects = dfs_samba4, acl_xattr, full_audit

     [netlogon]
     ...
     vfs objects = dfs_samba4, acl_xattr, full_audit

*******************************
Limiting Kerberos cipher suites
*******************************

The allowed Kerberos cipher suite is controlled by a :file:`krb5.conf` file. This file is handled differently depending on whether you are on a file server or a domain controller.

Domain Controller
=================

The :file:`krb5.conf` file that is used is :file:`/var/lib/samba/private/krb5.conf`. If you have followed this documentation, it should be a symlink to :file:`/etc/krb5.conf`. So in order to limit the Kerberos cipher suite you have to modify that file.
By default, if you only have Windows 7 clients or newer, you can limit the Kerberos suite to AES only (``aes256-cts-hmac-sha1-96`` and ``aes128-cts-hmac-sha1-96``). If you still have legacy Windows XP devices, or if you use :command:`pdbedit --set-nt-hash` for hash injection, you also need to keep ``arcfour-hmac-md5``. DES is disabled by default, cf. https://wiki.samba.org/index.php/Samba_Security_Documentation#Kerberos_2.

You can add the following parameter to :file:`/etc/krb5.conf` in order to restrict the suite to AES only:

.. code-block:: ini

   [libdefaults]
   ...
   default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
   ...

These defaults are not properly reflected in the LDAP tree. Indeed, the default value for a new Samba domain controller is ``msDS-SupportedEncryptionTypes: 31`` (support for ``DES_CBC_CRC, DES_CBC_MD5, RC4, AES 128, AES 256``). It has to be changed to ``msDS-SupportedEncryptionTypes: 24`` to reflect the real value (support for ``AES 128, AES 256``). You might get false positives from your DC security check tools if you keep the default value. This value is not used by the Samba DC process itself.

For more information about ``msDS-SupportedEncryptionTypes``, please see https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797.

With GPO
========

You can also deploy a GPO named ``sec-EnforceAllowedEncryptionType`` and link it at the top level of your domain. Edit the GPO object and go to ``Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options``. Modify ``Network Security: Configure encryption types allowed for Kerberos`` and set it to ``AES128_HMAC_SHA1 - AES256_HMAC_SHA1 - Future encryption types``.

File Server
===========

The :file:`/run/samba/smb_krb5/krb5.conf` file is created at smbd/winbind startup and is used for the Kerberos configuration.
The cipher suite is controlled by the ``kerberos encryption types`` parameter. Unless you still have Windows XP devices on the network, you can set ``kerberos encryption types = strong`` to allow only the AES128 and AES256 ciphers. The default value, ``kerberos encryption types = all``, also allows the old DES cipher, which is better disabled.
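As an added example that is not part of this page or of Samba, the following POSIX shell script reads an smb.conf and checks its ``[global]`` section against the directives recommended in the sections above (null sessions, NetBIOS, printing, NTLMv1, TLS and the dynamic port range). The smb.conf it parses is constructed and deliberately leaves three settings wrong.

```shell
# Added example (not from this page or Samba): check the [global] section of
# an smb.conf for the hardening directives recommended above. The smb.conf
# below is constructed; three of its settings are deliberately wrong.
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
    server role = active directory domain controller
    restrict anonymous = 2
    disable netbios = yes
    smb ports = 445
    load printers = yes
    ntlm auth = yes
    tls enabled = yes
    rpc server dynamic port range = 50000-55000
EOF
# Print the value of one [global] parameter. Parameter names are
# case-insensitive and internal whitespace is ignored (as smbd does).
global_param() {
    awk -v key="$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { insec = (tolower($0) ~ /\[global\]/); next }
        insec && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}
# Directives this page recommends, as "parameter|expected value" lines.
HARDENING='restrict anonymous|2
disable netbios|yes
smb ports|445
load printers|no
disable spoolss|yes
ntlm auth|mschapv2-and-ntlmv2-only
tls enabled|yes
rpc server dynamic port range|50000-55000'
# One line per directive: "OK ..." or "FAIL ..." with the value actually found.
audit_smb_conf() {
    printf '%s\n' "$HARDENING" | while IFS='|' read -r param want; do
        got=$(global_param "$1" "$param")
        if [ "$got" = "$want" ]; then echo "OK   $param = $got"
        else echo "FAIL $param: expected '$want', found '${got:-<unset>}'"; fi
    done
}
# Number of FAIL lines; 0 means [global] matches the recommendations.
count_findings() { audit_smb_conf "$1" | grep -c '^FAIL' || true; }
audit_smb_conf "$SAMPLE_SMB_CONF"
```

Run it against ``/etc/samba/smb.conf`` on a domain controller (``audit_smb_conf /etc/samba/smb.conf``) to list which of the recommended directives are still missing or set to another value.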
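As an added example, not from this page or Samba, this script triages the syslog records that the vfs_full_audit configuration of the SYSVOL and NetLogon section produces, reporting successful writes and renames on those shares by accounts that are not expected to change GPOs or logon scripts. The log lines and the allow-list are constructed, and the ``<prefix>|<operation>|ok|<path>`` record layout after the prefix is an assumption.

```shell
# Added example (not from this page or Samba): triage syslog lines produced by
# the vfs_full_audit settings above (prefix IP=%I|USER=%u|MACHINE=%m|VOLUME=%S,
# success = pwrite write renameat). The log lines are constructed, and the
# "<prefix>|<operation>|ok|<path...>" record layout is an assumption.
AUDIT_LOG=$(mktemp)
cat > "$AUDIT_LOG" <<'EOF'
Mar  3 09:12:01 dc1 smbd_audit[2231]: IP=10.0.0.50|USER=administrator|MACHINE=ADMIN-WS|VOLUME=sysvol|pwrite|ok|/var/lib/samba/sysvol/mydomain.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
Mar  3 09:15:44 dc1 smbd_audit[2290]: IP=10.0.0.77|USER=jdoe|MACHINE=WS-HR-04|VOLUME=netlogon|pwrite|ok|/var/lib/samba/sysvol/mydomain.lan/scripts/logon.bat.tmp
Mar  3 09:15:45 dc1 smbd_audit[2290]: IP=10.0.0.77|USER=jdoe|MACHINE=WS-HR-04|VOLUME=netlogon|renameat|ok|/var/lib/samba/sysvol/mydomain.lan/scripts/logon.bat.tmp|/var/lib/samba/sysvol/mydomain.lan/scripts/logon.bat
Mar  3 09:20:10 dc1 smbd_audit[2305]: IP=10.0.0.12|USER=gpo-admin|MACHINE=ADMIN-WS2|VOLUME=sysvol|write|ok|/var/lib/samba/sysvol/mydomain.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Registry.pol
Mar  3 09:21:00 dc1 smbd_audit[2290]: IP=10.0.0.77|USER=jdoe|MACHINE=WS-HR-04|VOLUME=homes|pwrite|ok|/srv/samba/homes/jdoe/notes.txt
EOF
# Accounts expected to change GPOs and logon scripts (constructed allow-list).
SYSVOL_WRITERS="administrator gpo-admin"
# Print "<time> <user>@<machine> (<ip>) <op> <path>" for every successful write
# or rename on the sysvol/netlogon shares by an account outside the allow-list.
unexpected_sysvol_writes() {
    awk -v allowed=" $SYSVOL_WRITERS " '
        match($0, /smbd_audit(\[[0-9]+\])?: /) {
            rec = substr($0, RSTART + RLENGTH)
            n = split(rec, f, "|")
            if (n < 7 || f[6] != "ok") next
            ip = substr(f[1], 4); user = substr(f[2], 6)
            machine = substr(f[3], 9); vol = tolower(substr(f[4], 8))
            if (vol != "sysvol" && vol != "netlogon") next
            if (index(allowed, " " tolower(user) " ") > 0) next
            print $1, $2, $3, user "@" machine, "(" ip ")", f[5], f[n]
        }' "$1"
}
# Number of unexpected writes; a non-zero result is what should raise an alert.
count_unexpected_sysvol_writes() { unexpected_sysvol_writes "$1" | awk 'END { print NR }'; }
unexpected_sysvol_writes "$AUDIT_LOG"
```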
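Added example (not from this page or Samba) for the Kerberos section: it derives the ``msDS-SupportedEncryptionTypes`` value implied by a :file:`krb5.conf` ``default_etypes`` line, decodes the default value 31 into cipher names, and checks whether a value is AES-only. The :file:`krb5.conf` it reads is constructed.

```shell
# Added example (not from this page or Samba): turn the krb5.conf
# "default_etypes" list discussed above into the matching
# msDS-SupportedEncryptionTypes bitmask and decode such a mask.
# Bits: 1 DES_CBC_CRC, 2 DES_CBC_MD5, 4 RC4_HMAC, 8 AES128, 16 AES256.
KRB5_CONF=$(mktemp)   # constructed AES-only configuration
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
    default_realm = MYDOMAIN.LAN
    default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF
# Flag value for one Kerberos enctype name (0 for unknown names).
etype_bit() {
    case "$1" in
        des-cbc-crc)                            echo 1 ;;
        des-cbc-md5)                            echo 2 ;;
        arcfour-hmac-md5|arcfour-hmac|rc4-hmac) echo 4 ;;
        aes128-cts-hmac-sha1-96|aes128-cts)     echo 8 ;;
        aes256-cts-hmac-sha1-96|aes256-cts)     echo 16 ;;
        *)                                      echo 0 ;;
    esac
}
# msDS-SupportedEncryptionTypes value implied by a krb5.conf default_etypes line.
etypes_mask_from_krb5conf() {
    mask=0
    for e in $(awk -F= '/^[[:space:]]*default_etypes[[:space:]]*=/ { print $2 }' "$1"); do
        mask=$(( mask | $(etype_bit "$e") ))
    done
    echo "$mask"
}
# Human-readable list for a mask, e.g. 31 -> all five, 24 -> "AES128 AES256".
decode_etypes() {
    out=""
    for pair in 1:DES_CBC_CRC 2:DES_CBC_MD5 4:RC4_HMAC 8:AES128 16:AES256; do
        if [ $(( $1 & ${pair%%:*} )) -ne 0 ]; then out="$out ${pair#*:}"; fi
    done
    echo "${out# }"
}
# Succeeds only when neither DES nor RC4 is enabled (bits 1, 2 and 4 clear).
etypes_aes_only() { [ $(( $1 & 7 )) -eq 0 ]; }
echo "krb5.conf implies msDS-SupportedEncryptionTypes = $(etypes_mask_from_krb5conf "$KRB5_CONF")"
echo "default DC value 31 means: $(decode_etypes 31)"
```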