SMB Configuration hardening options


Recommended Posts

Coming from this thread: 

 

I would really appreciate a simple GUI way to configure additional SAMBA/SMB options for my server. 

 

Specifically I'm interested in changing the following options to improve the security of the server: 

server min protocol = SMB3_11
client min protocol = SMB3_11
client ipc min protocol = SMB3_11
null passwords = No
client signing = required
client protection = encrypt
server signing = mandatory
server smb encrypt = required
client ipc signing = required
ntlm auth = ntlmv2-only
null passwords = No

 

Rather than using the SMB extra configuration field which I'm finding confusing and difficult to use. I would rather these options be available under 'SMB Settings' as drop-down options (for example, 'Enable NetBIOS' is currently listed there). 

 

I think that the out of the box defaults should remain as broadly compatible as possible but it should not be a difficult process to enable high security configurations on the server. 

 

Thanks,

 

  • Like 3
Link to comment
  • 1 month later...
  • 2 months later...
2 minutes ago, L0rdRaiden said:

will this be included as the new default settings? or the settings will be visible from webui?

In order to support legacy devices using SMB2 and connecting to Unraid shares. the implementation of these security settings will have to be configurable.  Because of the desire to get 6.10 released, it is being held up for now.

 

For the time being, you can put those settings with a [global] tag in smb-extra.conf.

Link to comment
3 minutes ago, dlandon said:

In order to support legacy devices using SMB2 and connecting to Unraid shares. the implementation of these security settings will have to be configurable.  Because of the desire to get 6.10 released, it is being held up for now.

 

For the time being, you can put those settings with a [global] tag in smb-extra.conf.

 

 

right now it's like this, so it's wrong? Do you mean that I have to add [global] in my config?

like

[global]

server min protocol = SMB3_11

client ipc min protocol = SMB3_11

client signing = mandatory

server....

imagen.png.43153227743f8a021120ec8b1be6e4e7.png

 

Link to comment
35 minutes ago, L0rdRaiden said:

 

 

right now it's like this, so it's wrong? Do you mean that I have to add [global] in my config?

like

[global]

server min protocol = SMB3_11

client ipc min protocol = SMB3_11

client signing = mandatory

server....

imagen.png.43153227743f8a021120ec8b1be6e4e7.png

 

It probably works, but you should not assume [global].  Add the [global] tag ahead of your settings.

  • Thanks 1
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.