Reinforcing the security of your Samba Active Directory domain
Turning off null session connections
Hint
Samba-AD inherits NT4 domain behaviour that is no longer needed in Active Directory mode: anonymous ("null session") connections are accepted, so anyone on the network can enumerate the domain users without holding any domain credentials. This is an information leak that hands an attacker a ready-made user list for password spraying.
For example, the following command returns all domain users (replace the IP address with your domain controller's IP address and press Enter at the password prompt):
rpcclient -U "" -c enumdomusers 10.0.0.11
To refuse anonymous connections, add the following line to the [global] section of /etc/samba/smb.conf and restart Samba:
restrict anonymous = 2
Run the rpcclient command again afterwards: the anonymous session setup should now be refused instead of returning the user list.
Turning off NetBIOS
Hint
If DNS is configured correctly, the old NetBIOS protocols (name service on UDP 137, datagrams on UDP 138 and SMB over NetBIOS on TCP 139) are no longer needed and can be disabled.
Add to the [global] section of /etc/samba/smb.conf:
disable netbios = yes
smb ports = 445
Once this is in place, ports 137/udp, 138/udp and 139/tcp can be closed on the firewall. Before doing so, make sure no legacy device on the network still relies on NetBIOS name resolution to find the domain controller.
Disabling printer support
Hint
The Domain Controller should not be configured with the print server role; a Samba member server configured as a file server is better suited for this function.
To disable the printing role, which is active by default in Samba, add to the [global] section of /etc/samba/smb.conf:
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
With disable spoolss = yes the spooler RPC interface is no longer exposed by the DC at all, which removes one remotely reachable service from its attack surface.
Turning off NTLMv1
The NTLMv1 authentication protocol dates back to the early 1990s and was quickly replaced by NTLMv2 because of its security flaws: a captured NTLMv1 challenge/response is cheap to recover to the user's NT hash, which can then be used against the domain. It is no longer useful on modern networks except for MS-CHAP-v2, the default protocol for 802.1X authentication on Windows workstations (for example RADIUS authentication of WiFi connections), whose response is computed the same way as an NTLMv1 response. In that case the NTLMv1-style exchange can be tolerated to a certain extent because it is encapsulated in another, more robust protocol (typically a PEAP TLS tunnel).
Samba has an option to refuse NTLMv1 globally while still allowing it for MS-CHAP-v2 (the ntlm_auth helper typically used by FreeRADIUS).
It is thus advised to add the following parameter to /etc/samba/smb.conf:
[global]
...
ntlm auth = mschapv2-and-ntlmv2-only
Clients that can only speak NTLMv1 (or LanMan) will fail to authenticate once this is set, so watch the Samba logs for authentication failures after the change.
Replacing the certificate with a certificate validated by your Organization
Hint
Unlike Microsoft AD, Samba-AD enables LDAP STARTTLS and LDAPS support by default. A self-signed certificate is generated during provisioning. It is important to replace it with a certificate issued by a CA your organization trusts: otherwise clients either cannot validate the directory server or, worse, get used to accepting untrusted certificates, which makes LDAP credentials easy to intercept.
Add the following directives to /etc/samba/smb.conf and adapt the paths to your context:
[global]
...
tls enabled = yes
tls keyfile = /etc/samba/tls/srvads.mydomain.lan.key
tls certfile = /etc/samba/tls/srvads.mydomain.lan.crt
tls cafile = /etc/samba/tls/mondomaine_CA.crt
The key file should be readable by root only. After restarting Samba, verify the chain presented on port 636 with openssl s_client against your CA file.
Generating additional password hashes
Hint
It is common for an LDAP authentication directory to exist alongside your Active Directory. To allow password hashes to be transferred to another authentication base, Samba-AD can be asked to generate additional hashes each time a user changes her password.
Add the following line to /etc/samba/smb.conf:
[global]
...
password hash userPassword schemes = CryptSHA256 CryptSHA512
The extra hashes are stored in the supplementalCredentials attribute and only exist for passwords set after this parameter was enabled, so existing users need a password change before their hashes are available. Keep in mind that every additional hash format widens what an attacker gains from a copy of the directory: only enable the schemes the other system actually needs.
Protecting DNS fields wpad and isatap
Windows AD DNS servers have a Global Query Block List which by default contains two names:
wpad
isatap
The GlobalQueryBlockList registry key lists these two DNS names so that an unauthorized entity on the local network cannot register them through dynamic DNS updates and redirect network traffic.
The Web Proxy Auto-Discovery Protocol (WPAD) is enabled by default on Windows browsers, in particular Internet Explorer: clients look up wpad.<domain> to fetch a proxy configuration (PAC) file. Whoever controls that name can serve a malicious PAC file and proxy the web traffic of every workstation in the domain; the isatap name plays the same role for ISATAP IPv6 tunnelling.
Even if the wpad and isatap configurations are not used, it is still important to create these two entries so that nobody else can register them, because Samba-AD has no equivalent of the Microsoft-AD block list to forbid their creation.
Create both records on the domain controller, pointing at the loopback address (the -P option authenticates with the machine's own Kerberos credentials):
samba-tool dns add `hostname -s` `hostname -d` wpad A 127.0.0.1 -P
samba-tool dns add `hostname -s` `hostname -d` isatap A 127.0.0.1 -P
Check afterwards that a lookup of wpad.<domain> from a workstation answers 127.0.0.1.
To learn more:
https://technet.microsoft.com/en-us/library/cc794902%28v=ws.10%29.aspx
Limiting the range of dynamic ports
By default Active Directory uses a very wide dynamic port range (49152-65535) for MS-RPC calls.
It is possible and recommended to restrict this range so that the firewall only has to open the ports actually in use.
To do this, add the following line to the [global] section of the /etc/samba/smb.conf file:
rpc server dynamic port range = 50000-55000
Then reconfigure the firewall so that the open range matches exactly the range configured in Samba (a firewall range narrower than the Samba range makes some RPC connections fail intermittently):
firewall-cmd --zone=public --remove-port=49152-65535/tcp --permanent
firewall-cmd --zone=public --add-port=50000-55000/tcp --permanent
firewall-cmd --reload
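Once the [global] changes from the sections above (null sessions, NetBIOS, printing, NTLMv1, TLS, dynamic port range) are in place, it is worth checking them in one pass, especially across several domain controllers. The script below is an added example written for this page (it is not part of Samba or of this documentation): it reads a smb.conf, or preferably the effective configuration produced by `testparm -s -v`, and compares each [global] parameter with the value recommended above. The expected values are exactly those given in the sections above; the only input is the file path passed on the command line.

```shell
#!/bin/sh
# Added example for this page, not part of Samba: compare the [global] section
# of a smb.conf with the hardening settings described above.
# Run it against the effective configuration to include Samba's defaults:
#   testparm -s -v 2>/dev/null > /tmp/smb-effective.conf
#   sh audit-smbconf.sh /tmp/smb-effective.conf

# Print the value of PARAM from the [global] section of FILE (the last
# occurrence wins, as in Samba). Parameter names are compared without case
# and without spaces, the way Samba itself treats them.
smb_global_param() {   # smb_global_param FILE PARAM
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')
    awk -v want="$want" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        !insec || /^[[:space:]]*[#;]/ || !index($0, "=") { next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (tolower(key) != want) next
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            last = val
        }
        END { print last }' "$1"
}

# Compare every hardening parameter with the value recommended on this page.
# Prints one OK/FAIL line per parameter and returns the number of failures.
audit_smbconf() {   # audit_smbconf FILE
    fails=0
    for check in \
        'restrict anonymous|2' \
        'disable netbios|yes' \
        'smb ports|445' \
        'load printers|no' \
        'disable spoolss|yes' \
        'ntlm auth|mschapv2-and-ntlmv2-only' \
        'tls enabled|yes' \
        'rpc server dynamic port range|50000-55000'
    do
        param=${check%|*}
        expected=${check#*|}
        # testparm prints booleans as Yes/No, so compare case-insensitively
        actual=$(smb_global_param "$1" "$param" | tr 'A-Z' 'a-z')
        if [ "$actual" = "$expected" ]; then
            printf 'OK    %-30s = %s\n' "$param" "$actual"
        else
            printf 'FAIL  %-30s = %s (expected %s)\n' "$param" "${actual:-<unset>}" "$expected"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Audit the file given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_smbconf "$1"
fi
```

The audit only confirms `tls enabled` for the certificate section; to check that the certificate from your organization is actually presented, connect with `openssl s_client -connect srvads.mydomain.lan:636 -CAfile /etc/samba/tls/mondomaine_CA.crt` (the names from that section) and look for "Verify return code: 0 (ok)" in the output.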
Limiting the subnets that can do DNS recursion
In the named configuration, the allow-query directive accepts queries from anywhere by default:
allow-query { any; };
Replace it with the list of authorized subnets:
allow-query {
    10.40.0.0/16;
    10.20.0.0/16;
};
Note that allow-query restricts every query, including authoritative answers for your own zones; this is appropriate for a domain controller that only serves internal clients. If the server must stay reachable from other networks for the zones it is authoritative for, restrict recursion alone with the allow-recursion directive instead, using the same subnet list.
Auditing DNS Bind queries
Enabling DNS Bind query logging
In the following configuration, the Bind DNS service is set up to log every query it receives. The logs can then be forwarded to a log collector (SIEM).
Create the log directory and the files /var/log/bind/audit.log and /var/log/bind/requests.log:
mkdir -p /var/log/bind/
touch /var/log/bind/audit.log
touch /var/log/bind/requests.log
Create a log configuration file (/etc/bind/log.conf on Debian, /etc/named/log.conf on RedHat 8 and derived distributions) to be included in the Bind9 configuration. Queries go to requests.log only, so that audit.log stays readable:
logging {
    channel default_syslog {
        // standard syslog logging
        syslog local2;
    };
    channel audit_log {
        // audit log except DNS requests
        file "/var/log/bind/audit.log" size 10m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel requests_log {
        // DNS requests logging
        file "/var/log/bind/requests.log" size 10m;
        severity debug;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel null {
        null;
    };
    category default { default_syslog; };
    category general { audit_log; };
    category security { audit_log; };
    category config { audit_log; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { requests_log; };
    category lame-servers { null; };
};
Include the configuration file in the main named configuration (/etc/bind/named.conf on Debian, /etc/named.conf on RedHat 8 and derived distributions):
# Debian
include "/etc/bind/log.conf";
# RedHat8 and derived distributions
include "/etc/named/log.conf";
Give the service account (bind on Debian, named on RedHat 8 and derived distributions) ownership of the log files and of the directory; the directory must be writable because Bind renames the files itself when they reach the configured size:
# Debian
chown bind:root /var/log/bind /var/log/bind/audit.log /var/log/bind/requests.log
# RedHat8 and derived distributions
chown named:root /var/log/bind /var/log/bind/audit.log /var/log/bind/requests.log
Activate query logging on the running instance:
rndc querylog on
Because a queries category is defined in the logging configuration, query logging is also enabled automatically each time named starts, so the setting survives restarts.
Restart Bind9 and check that it started correctly (the unit is named bind9 on Debian and named on RedHat 8 and derived distributions):
systemctl restart named
systemctl status named
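To make use of the requests.log produced here, and to see which workstations are still asking for the wpad and isatap names protected in the section above, the following script (an added example written for this page, not part of BIND or Samba) reduces Bind query log lines to client, name and type, then lists the clients querying wpad/isatap and the busiest clients. The log line in its header comment and the lines used in its tests are constructed to match the channel format configured above; the addresses and the domain mydomain.lan are invented.

```shell
#!/bin/sh
# Added example for the wpad/isatap section and the Bind query logging set up
# above; written for this page, not part of BIND or Samba. It reads the lines
# Bind writes to requests.log with print-time, print-category and
# print-severity enabled, for example (constructed line):
#   14-Mar-2024 10:15:02.123 queries: info: client @0x7f2b3c0a1e60 10.40.7.88#51234 (wpad.mydomain.lan): query: wpad.mydomain.lan IN A +E(0) (10.40.0.11)
# and reduces them to "client|qname|qtype" records used by the two reports below.
parse_query_log() {   # parse_query_log LOGFILE
    awk '
        / query: / {
            client = ""; qname = ""; qtype = ""
            for (i = 1; i <= NF; i++) {
                # the first "address#port" token is the querying client
                if (client == "" && $i ~ /#[0-9]+$/) { client = $i; sub(/#[0-9]+$/, "", client) }
                # "query: <name> <class> <type> <flags>"
                if ($i == "query:") { qname = tolower($(i + 1)); qtype = $(i + 3) }
            }
            if (client != "" && qname != "") print client "|" qname "|" qtype
        }' "$1"
}

# Clients that look up wpad or isatap: with the records pointing at 127.0.0.1
# these lookups are harmless, but they show which hosts would have been
# hijacked by a rogue registration and whose proxy settings deserve a review.
wpad_isatap_clients() {   # wpad_isatap_clients LOGFILE
    parse_query_log "$1" | awk -F'|' '$2 ~ /^(wpad|isatap)(\.|$)/ { print $1 }' | sort -u
}

# Busiest clients, useful to spot a host scanning or tunnelling data over DNS.
top_query_clients() {   # top_query_clients LOGFILE [N]
    parse_query_log "$1" | cut -d'|' -f1 | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

if [ "$#" -gt 0 ]; then
    echo "clients querying wpad/isatap:"; wpad_isatap_clients "$1"
    echo "busiest clients:"; top_query_clients "$1" 10
fi
```

Run it as `sh dns-query-report.sh /var/log/bind/requests.log`; the same three functions work on the rotated, uncompressed file of the previous day.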
Enabling the rotation of Bind query history logs
The volume of logs can grow very quickly with this kind of audit, so a daily rotation keeping 7 days of history is put in place.
Create the file /etc/logrotate.d/bind (on RedHat 8 and derived distributions replace bind root with named root and bind9 with named):
/var/log/bind/audit.log
/var/log/bind/requests.log
{
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 644 bind root
    postrotate
        systemctl reload bind9 > /dev/null
    endscript
}
Check the configuration with a dry run (-d only simulates, nothing is rotated):
logrotate -d /etc/logrotate.d/bind
To force a first rotation immediately, run logrotate -f /etc/logrotate.d/bind instead.
Disabling Bind query logging
To stop query logging on the running instance, run the same command with the argument off (it is enabled again at the next restart as long as the queries category stays in the logging configuration):
rndc querylog off
Auditing access to SYSVOL and NetLogon directories
Add in the [global] section of /etc/samba/smb.conf:
[global]
...
full_audit:failure = none
full_audit:success = pwrite write renameat
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:facility = local7
full_audit:priority = NOTICE
Then in the [sysvol] and [netlogon] sections, add the full_audit module to the VFS stack:
[sysvol]
...
vfs objects = dfs_samba4, acl_xattr, full_audit
[netlogon]
...
vfs objects = dfs_samba4, acl_xattr, full_audit
Each successful write or rename in these shares then produces a syslog message (facility local7, priority notice) of the form prefix|operation|ok|path, which tells you who modified group policy content or logon scripts, and from which machine. Route facility local7 to a dedicated file or to your log collector in the syslog configuration.
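To act on these messages, here is an added example written for this page (not part of Samba): a small detection script that turns the full_audit lines into alerts when a SYSVOL policy file or a NetLogon script is modified by an account that is not a designated GPO administrator. It assumes your syslog daemon wrote facility local7 to a file and that the prefix is the one configured above. The log lines in its tests, the account names and the IP addresses are constructed.

```shell
#!/bin/sh
# Added example for this page, not part of Samba: turn the full_audit lines
# from the [sysvol] and [netlogon] shares into alerts. It assumes syslog wrote
# the local7 messages to a file and that the prefix is the one configured
# above (IP=%I|USER=%u|MACHINE=%m|VOLUME=%S), which gives lines such as:
#   <syslog header> smbd_audit[PID]: IP=...|USER=...|MACHINE=...|VOLUME=...|op|ok|path
# Accounts matching the extended regex in $2 are allowed to change group
# policy; any other successful write to a GPO, and any change to a logon
# script, is reported.
sysvol_write_alerts() {   # sysvol_write_alerts LOGFILE ALLOWED_USERS_ERE
    awk -F'|' -v allowed="$2" '
        $1 ~ /IP=/ {
            ip = $1;      sub(/.*IP=/, "", ip)        # field 1 still carries the syslog header
            user = $2;    sub(/^USER=/, "", user)
            machine = $3; sub(/^MACHINE=/, "", machine)
            share = $4;   sub(/^VOLUME=/, "", share)
            op = $5; result = $6
            # renameat logs "old|new"; every other audited op logs a single path
            target = (op == "renameat") ? $7 " -> " $8 : $7
            if (result != "ok") next          # only successes are configured above anyway
            if (user ~ allowed) next          # expected GPO administrator
            if (share == "sysvol" && target ~ /\/Policies\//)
                reason = "GPO content modified"
            else if (share == "netlogon")
                reason = "logon script modified"
            else
                next                          # other SYSVOL content, not policy
            printf "ALERT %s: %s by %s from %s (%s) on [%s]: %s\n", reason, op, user, ip, machine, share, target
        }' "$1"
}

# Number of alerts, usable as a health check in a monitoring job.
sysvol_alert_count() {   # sysvol_alert_count LOGFILE ALLOWED_USERS_ERE
    sysvol_write_alerts "$1" "$2" | wc -l | tr -d ' '
}

if [ "$#" -gt 0 ]; then
    sysvol_write_alerts "$1" "${2:-gpoadmin}"
fi
```

Run it as `sh sysvol-alerts.sh /var/log/samba-audit.log 'gpoadmin$'` with the path your syslog configuration writes local7 to and a regex matching your GPO administrator accounts (the %u field carries the domain prefix, so anchor the regex at the end rather than the start).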
Limiting kerberos cipher suites
The allowed Kerberos encryption types are controlled by a krb5.conf file.
The krb5.conf file that applies differs depending on whether you are on a file server or on a domain controller.
Domain Controller
The krb5.conf file that is used is /var/lib/samba/private/krb5.conf.
If you have followed this documentation, /etc/krb5.conf and that file are one and the same (one is a symlink to the other), so in order to limit the Kerberos encryption types you have to modify that file.
If you only have Windows 7 or newer clients, you can limit the encryption types to AES only (aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96).
If you still have legacy Windows XP devices, or if you use pdbedit --set-nt-hash for hash injection, you also need to keep arcfour-hmac-md5: the RC4 key is the NT hash itself, which is also why RC4-encrypted tickets are the ones targeted by Kerberoasting.
DES is disabled by default, see https://wiki.samba.org/index.php/Samba_Security_Documentation#Kerberos_2.
Restricting /etc/krb5.conf to AES only is not reflected in the LDAP tree: the default value on a new Samba domain controller object is msDS-SupportedEncryptionTypes: 31 (support for DES_CBC_CRC, DES_CBC_MD5, RC4, AES 128, AES 256).
It has to be changed to msDS-SupportedEncryptionTypes: 24 to reflect the real value (support for AES 128, AES 256).
If you keep the default value, your DC security assessment tools may report a false positive, because the directory advertises DES and RC4 although the KDC no longer issues them. This value is not used by the Samba DC process itself.
For more information about msDS-SupportedEncryptionTypes, please see https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797.
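The bitmask is easier to reason about once decoded. The following script is an added example written for this page (not part of Samba): it decodes msDS-SupportedEncryptionTypes values such as 31 and 24 into enctype names, scans an ldbsearch LDIF listing for objects that still advertise DES or RC4, and produces the LDIF that sets the attribute to 24 for use with ldbmodify. The bit values are the ones Microsoft defines for this attribute; the DNs, the sample LDIF in the tests and the sam.ldb path (Samba's default) are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not part of the Samba documentation: decode the
# msDS-SupportedEncryptionTypes bitmask and find the accounts in the directory
# that still advertise DES or RC4. The bit values are the ones Microsoft
# defines for this attribute. The LDIF parsed by report_weak_enctypes is the
# output of, for example:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=computer)' msDS-SupportedEncryptionTypes

decode_enctypes() {   # decode_enctypes VALUE -> one enctype name per line
    n=$1
    if [ $((n & 1))  -ne 0 ]; then echo DES_CBC_CRC; fi
    if [ $((n & 2))  -ne 0 ]; then echo DES_CBC_MD5; fi
    if [ $((n & 4))  -ne 0 ]; then echo RC4_HMAC_MD5; fi
    if [ $((n & 8))  -ne 0 ]; then echo AES128_CTS_HMAC_SHA1_96; fi
    if [ $((n & 16)) -ne 0 ]; then echo AES256_CTS_HMAC_SHA1_96; fi
    if [ $((n & ~31)) -ne 0 ]; then echo "UNKNOWN_BITS_0x$(printf '%x' $((n & ~31)))"; fi
}

# True (exit 0) when VALUE allows DES or RC4, i.e. any of the three low bits.
has_weak_enctypes() {   # has_weak_enctypes VALUE
    [ $(($1 & 7)) -ne 0 ]
}

# Report each dn of an LDIF listing with its decoded enctypes. "WEAK" marks
# objects still advertising DES or RC4, "not set" objects without the attribute.
report_weak_enctypes() {   # report_weak_enctypes LDIF_FILE
    awk '
        /^dn: / { dn = substr($0, 5) }
        /^msDS-SupportedEncryptionTypes: / { val = $2 }
        /^$/ { if (dn != "") print dn "|" (val == "" ? "unset" : val); dn = ""; val = "" }
        END  { if (dn != "") print dn "|" (val == "" ? "unset" : val) }
    ' "$1" | while IFS='|' read -r dn val; do
        if [ "$val" = unset ]; then
            printf '%s: attribute not set\n' "$dn"
        elif has_weak_enctypes "$val"; then
            printf '%s: %s (%s) WEAK\n' "$dn" "$val" "$(decode_enctypes "$val" | tr '\n' ' ' | sed 's/ $//')"
        else
            printf '%s: %s (%s) ok\n' "$dn" "$val" "$(decode_enctypes "$val" | tr '\n' ' ' | sed 's/ $//')"
        fi
    done
}

# LDIF that sets the attribute to VALUE on DN, to be piped into
# ldbmodify -H /var/lib/samba/private/sam.ldb (the DN is yours to supply).
enctype_fix_ldif() {   # enctype_fix_ldif DN VALUE
    printf 'dn: %s\nchangetype: modify\nreplace: msDS-SupportedEncryptionTypes\nmsDS-SupportedEncryptionTypes: %s\n' "$1" "$2"
}

if [ "$#" -gt 0 ]; then
    report_weak_enctypes "$1"
fi
```

For the domain controller object described above, `enctype_fix_ldif 'CN=SRVADS,OU=Domain Controllers,DC=mydomain,DC=lan' 24 | ldbmodify -H /var/lib/samba/private/sam.ldb` applies the change (the DN is an example). Only do this once the krb5.conf restriction is in place, so that the advertised value and the KDC's behaviour agree.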
With GPO
Alternatively, you can deploy a GPO named, for example, sec-EnforceAllowedEncryptionType and link it at the top level of your domain.
Edit the GPO and go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options.
Modify Network Security: Configure encryption types allowed for Kerberos and set it to AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types.
This policy controls the encryption types the Windows members will request and accept; it does not change what the Samba KDC issues, so it complements the krb5.conf restriction above rather than replacing it.
File Server
The /run/samba/smb_krb5/krb5.conf.<NETBIOS_DOMAIN_NAME> file is created at smbd/winbind startup and used for the Kerberos configuration; do not edit it by hand, it is regenerated.
The encryption types are controlled by the kerberos encryption types parameter in /etc/samba/smb.conf.
Unless you still have Windows XP devices on the network, you can set kerberos encryption types = strong to allow the AES128 and AES256 ciphers only.
The default value, kerberos encryption types = all, also allows the old DES cipher, which is better disabled.