Monday, August 14, 2017

Secure SaMBa Authentication Under Solaris 10

Abstract:
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite and implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS file sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. Signing SaMBa Packets Under Solaris 10 was noted in a later article. This article discusses using the more secure NTLMv2 Authentication Protocol, rather than the old LAN Manager hash.
Problem:
Authentication is the first step in deciding whether a user will be given access to a network resource. The original LAN Manager software uses an easy-to-crack hash for authentication, which can be easily determined over a network using a "sniffer", while NTLMv2 is more difficult to crack. LAN Manager authentication should be disabled to reduce the hacking vectors against the SaMBa server.
Solution:
The process of disabling LM (LAN Manager) Authentication, to always force NTLMv2 (Windows NT LAN Manager Version 2) Authentication in SaMBa, is described below.
sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170815
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges
Edit the "Global" section of the smb.conf file, then review the file:
sun1234/root# more /etc/sfw/smb.conf
...
[global]
...
# Disable LANMAN Authentication In Samba
# Add the following line in the smb.conf's global section:
   lanman auth = No
Enable the changes:
sun1234/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default
sun1593/root# svcadm disable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
disabled       17:54:55 svc:/network/samba:default
sun1593/root# svcadm enable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online         17:54:59 svc:/network/samba:default
Conclusions:
SaMBa can be easily secured from the Service Management facility.

Signing SaMBa Under Solaris 10

Abstract:
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite and implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS file sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. This article discusses signing.


Problem:
The SMB protocol is subject to "man in the middle" attacks. Newer versions of Microsoft Windows offer different levels of packet signing and ultimately packet encryption. In order to maintain compatibility, packets can have signing enabled.

Solution:
The process for enabling signing is below.
sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170814
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges


Edit and review the smb.conf file:
sun1234/root# more /etc/sfw/smb.conf
...
[global]
...
# Configure SMB signing for Samba
#
# Configure Samba to enable or require SMB signing as appropriate.
# To enable SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
;  server signing = auto
# To require SMB signing, put the following in the Samba config file,
# typically smb.conf, in the global section:
   server signing = mandatory
Enable the changes:
sun1234/root# svcs samba
STATE          STIME    FMRI
online         Apr_27   svc:/network/samba:default
sun1593/root# svcadm disable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online*        14:31:20 svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
disabled       14:31:25 svc:/network/samba:default
sun1593/root# svcadm enable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default
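A way to confirm after the restart that both edits (lanman auth from the authentication article, server signing from this one) are active in the [global] section and not left commented out. This is an added example, not part of the original articles; the function names and the sample file are hypothetical, and it also reports "ntlm auth", a Samba parameter the articles do not cover, because NTLMv1 responses are governed by it separately. It assumes a POSIX shell and awk (on Solaris 10: /usr/xpg4/bin/sh and /usr/xpg4/bin/awk).

```shell
#!/bin/sh
# Print the effective (last) value of a [global] parameter, lower-cased. Samba
# ignores case and whitespace in names; '#' and ';' start comment lines.
smb_global_value() {    # usage: smb_global_value FILE "parameter name"
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                      in_global = (norm(sec) == "global"); next }
        in_global && (eq = index($0, "=")) {
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (norm(substr($0, 1, eq - 1)) == want) found = tolower(val)
        }
        END { print found }
    ' "$1"
}

is_off() { case "$1" in no|false|0) return 0 ;; *) return 1 ;; esac; }  # Samba "no"
# Return 0 only if LM auth is explicitly off and signing is mandatory;
# an unset parameter fails, so nothing depends on a built-in default.
audit_smb_conf() {      # usage: audit_smb_conf FILE
    rc=0
    is_off "$(smb_global_value "$1" 'lanman auth')" ||
        { echo "FAIL lanman auth is not explicitly disabled"; rc=1; }
    [ "$(smb_global_value "$1" 'server signing')" = mandatory ] ||
        { echo "FAIL server signing is not mandatory"; rc=1; }
    # Beyond the article: NTLMv1 is controlled separately by "ntlm auth".
    is_off "$(smb_global_value "$1" 'ntlm auth')" ||
        echo "WARN ntlm auth is not disabled: NTLMv1 responses are accepted"
    return $rc
}

# Constructed sample mirroring the article's edits (not a real server file).
write_sample() {        # usage: write_sample FILE
    cat > "$1" <<'EOF'
[Global]
   LANMAN Auth = No
;  server signing = auto
   server signing = mandatory
[share]
   server signing = auto
EOF
}

# Audit the file named as $1, or the constructed sample when none is given.
f=${1:-}; [ -n "$f" ] || { f=${TMPDIR:-/tmp}/smb.conf.sample.$$; write_sample "$f"; }
audit_smb_conf "$f"; [ -n "${1:-}" ] || rm -f "$f"
```

Calling audit_smb_conf /etc/sfw/smb.conf returns non-zero if either setting is missing, commented out, or set outside [global].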
Conclusions:
SaMBa can be easily secured from the Service Management facility.