Reinforcing the security of your Samba Active Directory domain

Turning off null session connections

Hint

Samba-AD inherits NT4 domain behavior that is no longer needed in Active Directory mode.

Indeed, one can retrieve the list of users without being logged on the domain, which is not very elegant.

For example, the following command returns all domain users (replace the IP address with your domain controller’s IP address and press Enter at the time of prompt):

rpcclient -U "" -c enumdomusers 10.0.0.11
  • to avoid this listing, add the following line in the [global] section of /etc/samba/smb.conf:

    restrict anonymous = 2
    

Turning off NetBIOS

Hint

If the DNS configuration is correctly done, old NetBIOS protocols that are no longer needed may be disabled.

  • add in the [global] section of /etc/samba/smb.conf:

    disable netbios = yes
    smb ports = 445
    

Disabling printer support

Hint

The Domain Controller should not be configured with the print server role.

A Samba server configured as a file server is better suited for this function.

  • disable the printing role which is active by default with Samba, add in the [global] section of /etc/samba/smb.conf:

    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
    printing = bsd
    

Turning off NTLMv1

The NTLMv1 authentication protocol dates back to the early 1990s and was quickly replaced by NTLMv2 due to its security flaws. It is no longer useful on modern networks except when using MS-CHAP-v2 which is the default protocol for 802.1x authentication on Windows workstations (e.g. Radius authentication for WiFi connections). In this case of MS-CHAP-v2, the use of NTLMv1 can be tolerated to a certain extent because it is encapsulated in another more robust protocol.

Samba has an option to disable NTLMv1 globally unless it is used for MS-CHAP-v2 authentication. It is thus advised to add the following parameter to your file /etc/samba/smb.conf.

[global]
...
ntlm auth = mschapv2-and-ntlmv2-only

Replacing the certificate with a certificate validated by your Organization

Hint

Unlike Microsoft AD, Samba-AD enables LDAP STARTTLS and LDAPS support by default. A self-signed certificate is generated during installation. It is important to replace it with a certificate valid within your organization.

  • Add the following directives to /etc/samba/smb.conf and customize them for your context:

    [global]
    ...
    tls enabled = yes
    tls keyfile = /etc/samba/tls/srvads.mydomain.lan.key
    tls certfile = /etc/samba/tls/srvads.mydomain.lan.crt
    tls cafile = /etc/samba/tls/mondomaine_CA.crt
    

Generating additional password hashes

Hint

It is common for an authentication LDAP to exist in parallel with your Active Directory. To allow hashes to be transferred to another authentication base, it is possible to ask Samba-AD to generate additional hashes when a user changes her password.

  • Add the following line to /etc/samba/smb.conf:

    [global]
    ...
    password hash userPassword schemes = CryptSHA256 CryptSHA512
    

Protecting DNS fields wpad and isatap

Windows AD servers have a DNS Global Query Block List with two entries:

  • wpad;

  • isatap;

The registry key GlobalQueryBlockList lists these two DNS records to prevent an unauthorized entity acting on the local network from creating these records and the rerouting network traffic. The Web Proxy Auto-Discovery Protocol (WPAD) is configured by default on the WPAD browsers, in particular on the Internet Explorer browsers.

Even if the wpad and isatap configurations are not used, it is still important to create these two entries to prevent them from being used in a roundabout way because in Samba-AD, there is no way to block the creation of entries as with Microsoft-AD.

To lean more:

https://technet.microsoft.com/en-us/library/cc794902%28v=ws.10%29.aspx

samba-tool dns add `hostname -s` `hostname -d` wpad A 127.0.0.1 -P
samba-tool dns add `hostname -s` `hostname -d` isatap A 127.0.0.1 -P

Limiting the range of dynamic ports

By default Active Directory uses a very wide dynamic range for MS-RPC calls.

It is possible and recommended to restrict this range.

  • To do this, add the following line to the [global] section of the /etc/samba/smb.conf file:

    rpc server dynamic port range = 50000-55000
    
  • Then reconfigure the firewall to limit the range of open ports:

    firewall-cmd --zone=public --remove-port=49152-65535/tcp --permanent
    firewall-cmd --zone=public --add-port=50000-50500/tcp --permanent
    

Limiting the subnets that can do DNS recursion

In the named configuration, replace the following line:

allow-query  { any; };

… with the list of authorized sub-networks:

allow-query { 10.40.0.0/16;
              10.20.0.0/16;
              };

Auditing DNS Bind queries

Enabling DNS Bind query logging

In the following configuration we will configure the DNS Bind service to log all the DNS requests that come to the server. These requests can then be sent to a log concentrator.

  • Create the files /var/log/bind/audit.log and /var/log/bind/requests.log:

    mkdir -p /var/log/bind/
    touch /var/log/bind/audit.log
    touch /var/log/bind/requests.log
    chown -R bind /var/log/bind
    chmod u+rw /var/log/bind
    
  • Create a log configuration file /etc/named/log.conf that we will include in the Bind9 configuration:

    logging {
         channel default_syslog {
                 // standard syslog logging
                 syslog local2;
         };
         channel audit_log {
                 // audit log except DNS requests
                 file "/var/log/bind/audit.log" size 10m;
                 severity debug;
                 print-category yes;
                 print-severity yes;
                 print-time yes;
         };
         channel requests_log {
                 // DNS requests logging
                 file "/var/log/bind/requests.log" size 10m;
                 severity debug;
                 print-time yes;
                 print-category yes;
                 print-severity yes;
         };
         channel null {
                 null;
         };
         category default { default_syslog; };
         category general { audit_log; };
         category security { audit_log; };
         category config { audit_log; };
         category resolver { audit_log; };
         category xfer-in { audit_log; };
         category xfer-out { audit_log; };
         category notify { audit_log; };
         category client { audit_log; };
         category network { audit_log; };
         category update { audit_log; };
         category queries { requests_log; audit_log; };
         category lame-servers { null; };
       };
    
  • Include the configuration file in /etc/named.conf:

    # Debian
    include "/etc/bind/log.conf";
    
    # RedHat8 and derived distributions
    include "/etc/named/log.conf";
    
  • Create the files /var/log/bind/audit.log and /var/log/bind/requests.log:

    # Debian
    chown bind:root "/var/log/bind/audit.log";
    chown bind:root "/var/log/bind/requests.log";
    
    # RedHat8 and derived distributions
    chown named:root "/var/log/bind/audit.log";
    chown named:root "/var/log/bind/requests.log";
    
  • Activate the DNS query log:

    rndc querylog on
    
  • Restart Bind9 and check that Bind9 is started:

    systemctl restart named
    

Enabling the rotation of Bind query history logs

The volume of log journals can grow very quickly with this kind of audit, so a daily rotation with a conservation of 7 days is put in place:

  • Create the file /etc/logrotate.d/bind:

    /var/log/bind/audit.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 644 bind bind
    postrotate
    systemctl reload bind9 > /dev/null
    endscript
    }
    
    /var/log/bind/requests.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 644 bind bind
    postrotate
    systemctl reload bind9 > /dev/null
    endscript
    }
    
  • Initiate the rotation of log journals:

    logrotate -d /etc/logrotate.d/bind
    

Disabling the rotation of Bind query history logs

  • Relaunch the command with the argument off;

    rndc querylog off
    

Auditing access to SYSVOL and NetLogon directories

  • Add in /etc/samba/smb.conf:

    [global]
    ...
    full_audit:failure = none
    full_audit:success = pwrite write renameat
    full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
    full_audit:facility = local7
    full_audit:priority = NOTICE
    
  • Then in the sections [sysvol] and [netlogon], add:

    [sysvol]
    ...
    vfs objects = dfs_samba4, acl_xattr, full_audit
    [netlogon]
    ...
    vfs objects = dfs_samba4, acl_xattr, full_audit
    

Limiting kerberos cipher suites

The allowed kerberos cipher suite is controlled by a krb5.conf file. There is a difference in the handling of this krb5.conf file depending on wether you are on a fileserver or a domain controller.

Domain Controller

The krb5.conf file that is used is /var/lib/samba/private/krb5.conf. If you have followed this documentation, it should be a symlink to /etc/krb5.conf file. So in order to limit the kerberos suite you have to modify that file.

By default if you have only Win7 client or above, you can limit kerberos suite to AES only (aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96). If you still have legacy WinXP devices, or if you use pdbedit --set-nt-hash for hash injection, you need to also keep arcfour-hmac-md5.

DES is disabled by default, cf https://wiki.samba.org/index.php/Samba_Security_Documentation#Kerberos_2.

You can add that parameter to /etc/krb5.conf file in order to restrict to AES only:

[libdefaults]
...
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
...

This default parameters are not properly set in the LDAP tree. Indeed the default value for a new Samba domain controller is: msDS-SupportedEncryptionTypes: 31 (support for DES+A1:C33_CBC_MD5, DES_CBC_MD5, RC4, AES 128, AES 256). It has to be changed to msDS-SupportedEncryptionTypes: 24 to reflect the real value (support for AES 128, AES 256). You might have false positive check from your DC security check tools if you keep the default value. This value is not used by the samba DC process itself.

For more information about msDS-SupportedEncryptionTypes, please see https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797.

With GPO

Also, you can deploy a GPO named sec-EnforceAllowedEncryptionType, and you can assigne it on your top level domain.

Edit your object GPO, and go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options.

Modify Network Security: Configure Encryption types allowed for Kerberos, and set it to AES128_HMAC_SHA1 - AES256_HMAC_SHA1 - Future encryption types.

File Server

The /run/samba/smb_krb5/krb5.conf.<NETBIOS_DOMAIN_NAME> file is created at smbd/winbind startup and used for kerberos configuration. The cipher suite is controlled by the kerberos encryption types parameter. Unless you still have WinXP devices on the network, you can use kerberos encryption types = strong to have AES128 and AES256 only ciphers.

By default the kerberos encryption types = all default value allows old DES cipher which should better be disabled.