[Guide] How to harden the security configuration of SMB on an Unraid server


03fc35ss


Hi folks, after spending a fair bit of time hardening my SMB configuration I figured I'd write a quick guide on what I consider the best settings for the security of an SMB server running on Unraid 6.9.2.

 

First, before we get into SMB settings, you may also want to consider hardening the data while it is at rest by specifying an encrypted file-system type for your array (although this isn't a share specific option). 


 

For SMB, first set the SMB settings available: 


 

 

I've settled on the following block as what I consider to be a hardened SMB configuration for a standalone server that is not domain joined or using Kerberos authentication:


 

server min protocol = SMB3_11
client ipc min protocol = SMB3_11
client signing = mandatory
server signing = mandatory
client ipc signing = mandatory
client NTLMv2 auth = yes
smb encrypt = required
restrict anonymous = 2
null passwords = No
raw NTLMv2 auth = no

 

This configuration block is to be entered into the SMB extras configuration section of the SMB settings page. 

 

These settings will break compatibility with legacy clients, but when I say legacy I'm talking like Windows Server 2003/XP. Windows 10+ clients should work without issue as they all support (but are not necessarily configured to REQUIRE) these security features. 

 

These settings force the following security options:

  • All communications must occur via SMB v3.1.1
  • All communications force the use of signing for communications
  • NTLMv2 authentication is required; LanMan authentication is implicitly disabled.
  • All communications must be encrypted
  • Anonymous access is disabled 
  • Null session access is disabled
  • NTLMSSP is required for all NTLMv2 authentication attempts

 

In addition, the following security settings are configured for each available share: 


 

Also ensure that you create a non-root user to access the shares with and that all accounts use strong passwords (ideally 12+ complex characters).


Finally, a couple of things to note:

  • If you read the release notes for Unraid 6.9.2, you'll see that Unraid uses samba: version 4.12.14. This is extremely important. If you, like me, google SMB configuration settings you'll eventually come across the documentation for the current version of SMB. But! Unraid is not running the latest version, and that's extremely important. The correct documentation to follow is for the 4.12 branch of Samba, and the configuration options are significantly different, enough that a valid config for 4.15 will not work for 4.12.
  • With "null passwords = No" you must enable Secure or Private security modes on each exported Unraid share - guest access won't work.

  • There is currently no way to add per-share custom smb.conf settings. So either the server gets hardened or it does not. Do not apply a [share_name] tag as it will not work.

  • It is not possible to specify `client smb3 encryption algorithms` in version 4.12.x of Samba.

  • Kerberos authentication and domain authentication may be preferable in other circumstances; in that case, additional hardening options may be considered.

  • If you, like me, use VLC media player on mobile devices, you may find that SMBv3 with encryption makes the host inaccessible on iOS devices. The VLC team is aware of this and there is a fix available if you have the bleeding edge/development version of the app, but not if you download the current store version (last I checked, the fix hadn't been released). Should work fine with Android/Windows VLC.

 

If you have any suggestions for other options that I have not included here, or that you think are a mistake, please let me know and I'd be most happy to look into them and adjust.

 

Some other quick suggestions for Unraid hardening in general: disable whatever services you don't need.

In my case, that means I:

  • Disable NFS
  • Disable FTP
  • Disable 'Start APC UPS daemon'
  • If you enable Syslog, also enable NTP and configure it. 
  • Disable Docker
    • Quick note on Docker: having the service enabled allows for 'ip forwarding', which could, in theory, be used to route traffic via the host to bypass firewall rules (depending on your network topology, obviously)

 

Hope that helps someone else out there. 

Cheers!


Just a note: In light of the current issues regarding CVE-2021-44142 I would strongly encourage SMB users to disable the 'Enhanced macOS interoperability' setting in the SMB settings page to mitigate the issues until a patch is released: 


 

As always seems to be the case in security, if you don't need a feature, disable it and reduce your attack surface. 

On 2/13/2022 at 11:36 AM, 03fc35ss said:

Note that the next version of Unraid OS (currently 6.10.0-rc2) will be using samba 4.15 or higher as per these release notes: 

Once it is out of RC status, I'll update the guide with the 4.15 flags to achieve the same hardening setup as above. 

 

Unraid 6.10 is out, could you please update the hardening for samba 4.15?

 

Thanks

 


I have scanned the server and I got this "vulnerability" in the SMB config. Is it a real issue or a FP? Is there something that can be improved?

 

 

Medium

SMB Signing not required

 

Description

Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.

Solution

Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

See Also

http://www.nessus.org/u?df39b8b3
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
http://www.nessus.org/u?a3cac4ea

Edited by L0rdRaiden

Hey all, sorry to revive an older post, but came across an issue with this configuration, at least on macOS. Is anyone else having this issue? From Windows & Linux, I'm able to connect to any Unraid SMB share without an issue. However, if I attempt to try to mount them or even connect to them on macOS, I get the following error message:

 

From Finder >> Go >> Connect to Server... (Command + K)

Attempt #1:

smb://Tower/data

There was a problem connecting to the server "Tower". 
URLs with the type "smb:" are not supported. 
============
Attempt #2

smb://10.0.0.X/data

There was a problem connecting to the server "10.0.0.X". 
URLs with the type "smb:" are not supported.

 

I have tried both the IP address and the hostname via DNS as well - no go. I did some digging and there does not seem to be a lot of helpful info online.

 

For reference, this is the SMB Extra configuration I am currently using:

 

server min protocol = SMB3_11
client ipc min protocol = SMB3_11
client signing = mandatory
server signing = mandatory
client ipc signing = mandatory
client NTLMv2 auth = yes
smb encrypt = required
restrict anonymous = 2
null passwords = no
raw NTLMv2 auth = no

 

I did do some troubleshooting and if I remove this 'extra' configuration from SMB, everything on macOS seems to work. I am currently running macOS Catalina 10.15.7 and since my MacBook Pro is a Mid 2012, this is the only "official" OS option I have.

 

@wgstarks Could you possibly post or provide your SMB extra configuration file for reference? I ask as your Unraid Forum bio mentions you use an all Mac network, so it must be working for you in some way, shape, or form. 😀


The following two lines cause SMB to stop working on iOS devices:

 

#server min protocol = SMB3_11
#client ipc min protocol = SMB3_11

 

I haven't experimented with exactly which line is causing the problem, but I guess iOS devices don't support SMBv3 yet. Tested on the latest iOS/iPadOS 16 release. All the other configuration options don't cause a problem so feel free to keep them enabled.

 

On Files app, you get an Operation Not Supported error, and the FE File Explorer app shows a "Permission denied" error and asks to sign in again.


After further testing, here's the config that worked for me:

 

server min protocol = SMB3_02
client ipc min protocol = SMB3_11

 

So iOS/iPadOS devices running 16.3.1 seem to only support SMB as it was developed/implemented in Windows 8.1 days. (For reference: `SMB3_02` is Windows 8.1 implementation, while `SMB3_11` is Windows 10 (not 11).)

 

The `client ipc min protocol` does not matter, so you can leave it on `SMB3_11` and it will not make a difference.

 

This config works for both the built-in SMB provider in the Files app, and for the FE File Explorer Pro app. I can confirm even the latest stable release of iOS VLC works too on this config, which suggests to me that either the app was finally fixed or that iOS devices just don't support `SMB3_11` as a whole for the server minimum protocol.


Thanks, used this to do the opposite and FORCE client & server signing to disabled.

Seems to have sped up transfers on mac.

 

server min protocol = SMB3_11
client ipc min protocol = SMB3_11
client signing = disabled
server signing = disabled
smb encrypt = default
null passwords = No
raw NTLMv2 auth = no

 

Edited by dopeytree
On 6/20/2023 at 6:22 PM, dopeytree said:

Thanks used this to do the opposite and FORCE client & server signing to disabled. 

Seems to have sped up transfers on mac.

 

 

The purpose of this thread is to IMPROVE the security configuration. Not reduce it.  
Enabling encryption and signing does cause a performance hit. 

 

These mitigations/hardening options are meant for networks where there are potentially untrusted clients (corporate networks) not really for home network setups. 

 

On 2/25/2023 at 12:14 AM, ericswpark said:

After further testing, here's the config that worked for me:

 

server min protocol = SMB3_02
client ipc min protocol = SMB3_11

 

So iOS/iPadOS devices running 16.3.1 seem to only support SMB as it was developed/implemented in Windows 8.1 days. (For reference: `SMB3_02` is Windows 8.1 implementation, while `SMB3_11` is Windows 10 (not 11).)

 

The `client ipc min protocol` does not matter, so you can leave it on `SMB3_11` and it will not make a difference.

 

This config works for both the built-in SMB provider in the Files app, and for the FE File Explorer Pro app. I can confirm even the latest stable release of iOS VLC works too on this config, which suggests to me that either the app was finally fixed or that iOS devices just don't support `SMB3_11` as a whole for the server minimum protocol.

 

SMB3_11 is supported with the beta/Testflight versions of VLC (Currently using 3.4.7 (533)) on iOS. It's a bug I raised with them when I initially wrote this guide. Most 3rd party apps on android and iOS do not have support for a hardened version of SMB. I believe it's an app specific issue and not an OS one. 

 

I'm in the process of building another tower. I see that Samba version is now 4.17.7 so I'll be updating the config options in line with https://www.samba.org/samba/docs/4.17/man-html/smb.conf.5.html as a reference. 

 

 


As expected, some of the syntax changed between versions of Samba (why would they do this for minor versions I have no idea...) 

This is the current config I believe works. I'll do more testing at a later time to confirm it's all applied correctly. 

 

server min protocol = SMB3_11
client ipc min protocol = SMB3_11
client signing = required
server signing = mandatory
client ipc signing = required
client NTLMv2 auth = yes
client protection = encrypt
client smb encrypt = required
server smb encrypt = required
smb encrypt = required
restrict anonymous = 2
null passwords = No
raw NTLMv2 auth = no

 

Edited by 03fc35ss

That config seems to block access from a Mac to the Unraid server. You end up with a 'do not have permission' message.

 

This is a working config I use:

 

server min protocol = SMB3_02
client ipc min protocol = SMB3_11
client signing = mandatory
server signing = mandatory
client ipc signing = mandatory
client NTLMv2 auth = yes
smb encrypt = required
restrict anonymous = 2
null passwords = no
raw NTLMv2 auth = no

 

It works for Windows 10 PCs & macOS Ventura (13.4.1).

 

My earlier speed tests were resolved by swapping the pcie lane. so now back to full speeds.

 

Encryption on macs is handled by dedicated chip so no bottleneck anymore.

Edited by dopeytree

The following config is confirmed working with the test devices I have:

 

server min protocol = SMB3_11
client ipc min protocol = SMB3_11
server signing = mandatory
client NTLMv2 auth = yes
restrict anonymous = 2
null passwords = no
raw NTLMv2 auth = no
smb encrypt = required
client signing = required
client ipc signing = required
client smb encrypt = required
server smb encrypt = required

 

Note that the line in my previous config:

client protection = encrypt

 

Breaks auth attempts. So it shouldn't be used.

 

 

@dopeytree It sounds like your issue might be a bug in macOS Ventura. I don't have a macOS device running Ventura to test with, unfortunately.

 

I can confirm I can access file shares with the following devices and the below config:

- macOS Monterey

- Windows 11

- Windows 10 

- iOS VLC (using a beta release)

- Android VLC

 

Also note that the syntax between releases of Samba has changed and 'mandatory' has become 'required' for some settings.


@03fc35ss's config above doesn't work with iOS clients. I still have to downgrade the `server min protocol` to `SMB3_02`.

 

Here is my config as of now:

 

# Server hardening
# SMBv3 will break VLC iOS - use prerelease version to fix!
# SMB3_11 for server min protocol breaks some clients (iOS)
server min protocol = SMB3_02
client ipc min protocol = SMB3_11
server signing = mandatory
client NTLMv2 auth = yes
restrict anonymous = 2
null passwords = no
raw NTLMv2 auth = no
smb encrypt = required
client signing = required
client ipc signing = required
client smb encrypt = required
server smb encrypt = required

 

Edited by ericswpark
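Added example (not code from any post in this thread): a small Python checker that parses a pasted SMB Extras block and reports which of the hardening points from the original guide are missing, treating 'mandatory' (the 4.12 configs) and 'required' (the 4.17 configs) as equivalent for the signing options, and flagging an `SMB3_02` minimum, a `[share_name]` section and `client protection` for the reasons given in the posts above. The key names and values are taken from the configs posted here; the dialect ordering is assumed to be Samba's usual oldest-to-newest list.

```python
import re

# Samba dialect names from oldest to newest; SMB3_11 is the thread's target.
DIALECTS = ["NT1", "SMB2_02", "SMB2_10", "SMB2_24", "SMB3_00", "SMB3_02", "SMB3_11"]
ENFORCED = {"mandatory", "required"}   # signing spellings used by the 4.12 and 4.17 configs
NO = {"no", "false", "0", "off"}       # Samba boolean spellings for "no"
YES = {"yes", "true", "1", "on"}

def parse_extras(text):
    """Split an SMB Extras block into ({normalised key: value}, [section headers])."""
    params, sections = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("["):                               # e.g. [share_name]
            sections.append(line)
            continue
        key, _, value = line.partition("=")
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip().lower()
    return params, sections

def check_hardening(text):
    """Return a list of findings for the block; an empty list means all points passed."""
    p, sections = parse_extras(text)
    findings = []
    def want(key, ok, expect):
        if p.get(key) not in ok:
            findings.append(f"{key}: want {expect}, got {p.get(key, '<unset>')}")
    for key in ("server signing", "client signing", "client ipc signing"):
        want(key, ENFORCED, "mandatory/required")
    want("smb encrypt", {"required"}, "required")
    want("restrict anonymous", {"2"}, "2")
    want("null passwords", NO, "no")
    want("raw ntlmv2 auth", NO, "no")
    want("client ntlmv2 auth", YES, "yes")
    # Minimum dialect: anything ordered before SMB3_11 lets older clients in
    for key in ("server min protocol", "client ipc min protocol"):
        v = p.get(key, "").upper()
        if v not in DIALECTS or DIALECTS.index(v) < DIALECTS.index("SMB3_11"):
            findings.append(f"{key}: below SMB3_11 ({v or '<unset>'}), older dialects accepted")
    # Things the thread reports as not working on Unraid
    if sections:
        findings.append(f"per-share section {sections[0]} is ignored by Unraid's SMB Extras")
    if "client protection" in p:
        findings.append("client protection: reported in this thread to break auth attempts")
    return findings
```

Paste a block into `check_hardening()` before applying it; an `SMB3_02` finding is the documented iOS trade-off rather than a mistake, so decide for your own client mix.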

This is awesome stuff. I've been slowly setting my Unraid server up as I switched off Synology and this was a big concern of mine.

 

Question:

 

Does anyone know if this would work as a plugin? I see that there's an "Active Directory Extras" plugin that lets you modify extra AD settings. Just point and click.

