Monday, August 14, 2017

Secure SaMBa Authentication Under Solaris 10

Abstract
IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite and implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS file sharing. Simple SaMBa Enabling under Solaris 10 was noted in a previous article. Signing SaMBa Packets Under Solaris 10 was noted in a later article. This article discusses using the more secure NTLMv2 Authentication Protocol, rather than the old LAN Manager hash.
Problem
Authentication is the first step in deciding whether a user will be given access to a network resource. The original LAN Manager software uses an easy-to-crack hash for authentication, which can be easily determined over a network using a "sniffer", while NTLMv2 is more difficult to crack. LAN Manager authentication should be disabled to reduce the attack vectors against the SaMBa server.
Solution:
The process of disabling LM (LAN Manager) Authentication to always force NTLMv2 (Windows NT LAN Manager Version 2) Authentication in SaMBa is as described below.
sun1234/root# cp -p /etc/sfw/smb.conf /etc/sfw/smb.conf.20170814
sun1234/root# ls -alid /etc/sfw/smb*
 956139 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf
 959534 -r--r--r-- 1 root root 10453 Sep  2 2014 /etc/sfw/smb.conf.20170815
 956138 -rw-r--r-- 1 root root 10086 Apr 28 2011 /etc/sfw/smb.conf.ad
 956137 -rw-r--r-- 1 root root 10089 Feb 19 2013 /etc/sfw/smb.conf.ges
Add the setting to the "Global" section, then review the smb.conf file:
sun1234/root# more /etc/sfw/smb.conf
...
[global]
...
# Disable LANMAN Authentication In Samba
# Add the following line in the smb.conf's global section:
   lanman auth = No
Enable the changes:
sun1234/root# svcs samba
STATE          STIME    FMRI
online         14:31:56 svc:/network/samba:default
sun1593/root# svcadm disable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
disabled       17:54:55 svc:/network/samba:default
sun1593/root# svcadm enable svc:/network/samba:default
sun1593/root# svcs samba
STATE          STIME    FMRI
online         17:54:59 svc:/network/samba:default
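A check for the edit above, as an added example that is not part of the original article: it reads an smb.conf-style file and reports whether "lanman auth" is explicitly disabled in the [global] section, skipping commented-out lines and settings placed in share sections. The function name and the sample file are constructed for illustration; it assumes a POSIX awk (for example /usr/xpg4/bin/awk on Solaris 10) and reports an absent setting as "unset", since the compiled-in default is not shown on the page.

```shell
#!/bin/sh
# lanman_auth_state FILE (hypothetical helper, not shipped with Samba)
# Prints: disabled = explicitly no/false/0 in [global]
#         enabled  = any other value in [global] (conservative)
#         unset    = no active "lanman auth" line in [global]
lanman_auth_state() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]")
            next
        }
        in_global && /=/ {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)              # names ignore case and spaces
            if (key != "lanmanauth") next
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)  # trim the value
            # the last matching line wins, as later settings override earlier
            state = (val ~ /^(no|false|0)$/) ? "disabled" : "enabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Constructed sample input, not the real /etc/sfw/smb.conf from the article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   workgroup = EXAMPLE
;  lanman auth = Yes
   LanMan Auth = No
[share]
   path = /export/share
EOF
echo "lanman auth: $(lanman_auth_state "$sample")"
rm -f "$sample"
```

Run it against the edited file and against the dated backup copy to confirm the change took effect before restarting the service.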
Conclusions:
SaMBa can be easily secured from the Service Management facility.
