APP.3.4 Samba

Description

Introduction

Samba is a freely available software suite that can act as a full-featured Active Directory Domain Controller (AD DC) and can provide authentication, file, and print services, thereby enabling interoperability between the Windows and Unix worlds. Samba brings together many different protocols and technologies, including the Server Message Block (SMB) protocol as well as Kerberos, LDAP, and DNS. Servers on which Samba is operated are referred to as Samba servers. In general, these are Unix servers.

If the deployment of Samba has been correctly designed and appropriately configured, Samba interacts with a Windows client or server as if it were itself a Windows system.

Objective

The objective of this building block is to show how Samba can be used securely in institutions and how the information provided by Samba can be protected.

Scope and Modeling

The building block APP.3.4 Samba is to be applied to every Samba server in the information domain being considered.

This building block considers Samba as an authentication, file, and print service. Since Samba is typically used on Unix servers and provides services known from the Windows Server world, the security aspects of the building blocks SYS.1.1 General Server and SYS.1.3 Servers Running Linux and Unix must be taken into account.

An important focus when securing a Samba server is assigning access rights to files restrictively. In-depth information on identity and authorization management is not contained in this building block but in ORP.4 Identity and Authorization Management.

General security requirements for printers, file servers, or directory services are not part of this building block. These are described in the building blocks SYS.4.1 Printers, Copiers, and Multifunction Devices, APP.3.3 File Servers, APP.2.1 General Directory Service, and APP.2.3 OpenLDAP.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used as the basis for describing the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block APP.3.4 Samba.

Interception of Unprotected Samba Communication Connections

If unprotected Samba communication connections are intercepted, confidential information can be captured and misused. During file transfers between Unix servers, Windows servers, and clients, legacy protocol variants without transport encryption (such as SMB1, or SMB2 without encryption) are often still in use, so that both authentication data and payload data are visible to anyone on the network path and can be misused by unauthorized persons. This can result in the institution's sensitive information falling into the wrong hands.

Insecure Default Settings on Samba Servers

To demonstrate some of the capabilities of the Samba server and to provide administrators with a quick introduction, the configuration file smb.conf is created with default settings during installation of the Samba server. With the options preset in this file, the Samba server can be started immediately. If this file is used carelessly without further adjustments, it can lead to serious security vulnerabilities. If the example file shares (for example the [homes] and [printers] sections of typical distribution sample files) are not removed or commented out, sensitive information can be viewed via these unintended shares.

Unauthorized Use or Administration of Samba

Unauthorized persons can gain access to confidential information, manipulate it, or cause disruptions by using applications or IT systems without authorization. In the same way, they can administer Samba without authorization. This is particularly critical if outdated configuration tools that are no longer maintained are used, such as the Samba Web Administration Tool (SWAT), which has been removed from Samba since version 4.1.

Faulty Administration of Samba

If administrators are insufficiently familiar with the extensive components, functions, options, and configuration settings of Samba, this can lead to far-reaching complications. Misconfigurations of DNS or the authorization management can allow unauthorized persons to access resources. Furthermore, this can lead to operational interruptions or sensitive information may be disclosed.

Data Loss in Samba

A data loss has a significant impact on IT operations. If institution-relevant information is destroyed or falsified, business processes and specialized tasks can be delayed or no longer executed at all. With Samba, it must be noted in particular that the properties of file systems differ considerably between Windows and Unix. Therefore, it is not always ensured that access rights set under Windows are maintained; under some circumstances, important file properties can be lost. Information held in NTFS Alternate Data Streams (ADS) and DOS attributes can also be lost.

Loss of Integrity of Sensitive Information in Samba

Samba itself stores important operational data in databases in the Trivial Database (TDB) format. If the operating system and the underlying file system do not process these databases with sufficient performance and consistency (TDB relies on memory mapping and byte-range locks), problems can arise when Samba services are used, up to and including corrupted databases.

Requirements

The following are the specific requirements of the building block APP.3.4 Samba. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These SHOULD be filled insofar as this is meaningful and appropriate.

Responsibilities              Roles
Primarily responsible         IT Operations
Additional responsibilities   None

Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many people SHOULD fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

APP.3.4.A1 Planning the Deployment of a Samba Server (B)

IT Operations MUST carefully plan and regulate the introduction of a Samba server. Depending on the deployment scenario, IT Operations MUST define what tasks the Samba server is to perform in the future and in which operating mode it is to be operated. Furthermore, it MUST be determined which components of Samba and which additional components are required for this.

If the cluster solution CTDB (Clustered Trivial Database) is to be used, IT Operations MUST carefully design this solution. If Samba is also to provide Active Directory (AD) services for Linux and Unix systems, these services MUST also be carefully planned and tested. Furthermore, the authentication method for the AD MUST be carefully designed and implemented. If stackable Virtual File System (VFS) modules are used, their introduction and the order in which they are executed MUST be carefully designed, since each module only sees the operations passed on by the modules before it. The implementation SHOULD be documented.

If IPv6 is to be used under Samba, this MUST also be carefully planned. In addition, it MUST be verified in a production-close test environment that the integration works without errors.

APP.3.4.A2 Secure Basic Configuration of a Samba Server (B)

IT Operations MUST configure the Samba server securely. For this, among other things, the settings for access controls MUST be adapted. The same SHOULD also apply to settings that affect the server’s performance.

IT Operations MUST configure Samba so that connections are only accepted from secure hosts and networks (for example via the hosts allow and hosts deny parameters, or by binding only to internal interfaces with interfaces and bind interfaces only). Changes to the configuration SHOULD be carefully documented so that it can be traced at any time who changed what and for what reason. After each change, it MUST be verified that the syntax of the configuration file is still correct, for example with testparm.

Additional software modules such as SWAT MUST NOT be installed.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.

APP.3.4.A3 Secure Configuration of a Samba Server (S)

Databases in Trivial Database (TDB) format SHOULD NOT be stored on a partition that uses ReiserFS as its file system. If a netlogon share is configured, unauthorized users SHOULD NOT be able to modify files in this share.

The operating system of a Samba server SHOULD support Access Control Lists (ACLs) in conjunction with the file system used. In addition, it SHOULD be ensured that the file system is mounted with the appropriate parameters (for example with ACL and extended attribute support enabled), since Samba stores NTFS ACLs and DOS attributes in extended attributes.

The default settings for SMB Message Signing SHOULD be retained, unless they conflict with existing security policies in the information domain.

APP.3.4.A4 Avoiding NTFS Properties on a Samba Server (S)

If a version of Samba is used that cannot map Alternate Data Streams (ADS) of the New Technology File System (NTFS), for example because the vfs_streams_xattr module is not available or not enabled on the share, and if file system objects are to be copied or moved across system boundaries, these file system objects SHOULD NOT contain ADS with important information.

APP.3.4.A5 Secure Configuration of Access Control on a Samba Server (S)

The legacy parameters with which Samba maps DOS attributes onto Unix permission bits (map archive, map hidden, map system) SHOULD NOT be used. Instead, Samba SHOULD be configured so that it stores DOS attributes and the inheritance status indicators (flags) in extended attributes (store dos attributes = yes). Shares SHOULD be managed exclusively via the Samba registry.

Furthermore, the effective access permissions on the Samba server’s shares SHOULD be regularly reviewed.

APP.3.4.A6 Secure Configuration of Winbind Under Samba (S)

For each domain account in a Windows domain, there SHOULD be an account in the server’s operating system with all necessary group memberships. If this is not possible, Winbind SHOULD be used to map domain accounts to Unix accounts. When using Winbind, it SHOULD be ensured that collisions between local Unix users and domain users are prevented.

Furthermore, Winbind SHOULD be integrated into PAM (Pluggable Authentication Modules) so that domain users can also authenticate against the operating system's own services.

APP.3.4.A7 Secure Configuration of DNS Under Samba (S)

If Samba is used as a DNS server, the introduction SHOULD be carefully planned and the implementation tested in advance. Since Samba supports various AD integration modes, IT Operations SHOULD configure the DNS settings according to Samba’s deployment scenario.

APP.3.4.A8 Secure Configuration of LDAP Under Samba (S)

If users are managed under Samba with LDAP, the configuration SHOULD be carefully planned and documented by IT Operations. Access authorizations to LDAP SHOULD be regulated using ACLs.

APP.3.4.A9 Secure Configuration of Kerberos Under Samba (S)

For authentication, the Kerberos Key Distribution Center (KDC) built into Samba (based on Heimdal by default) SHOULD be used. Care SHOULD be taken to ensure that the Kerberos configuration file generated by Samba is used. Only secure encryption methods (AES rather than RC4 or DES) SHOULD be used for Kerberos tickets.

If Kerberos authentication is used, the central time server SHOULD be installed locally on the Samba server, since Kerberos rejects tickets and authenticators whose time stamps deviate from the server's clock by more than the permitted clock skew (five minutes by default). The NTP service SHOULD be configured so that only authorized clients can query the time.

APP.3.4.A10 Secure Use of External Programs on a Samba Server (S)

IT Operations SHOULD ensure that Samba only calls external programs (for example via the preexec, postexec, or print command parameters) that are trustworthy and have been checked for malicious functions.

APP.3.4.A11 DISCONTINUED (S)

This requirement has been discontinued.

APP.3.4.A12 Training of Samba Server Administrators (S)

Administrators SHOULD be trained in the specific areas of Samba they use, such as user authentication, Windows and Unix rights models, as well as NTFS ACLs and NTFS ADS.

APP.3.4.A13 Regular Backup of Important Samba Server System Components (S)

All system components that are required to restore a Samba server SHOULD be included in the institution-wide data backup concept. Account information from all backends used SHOULD also be taken into account. All TDB files SHOULD likewise be backed up. Furthermore, the Samba registry SHOULD also be backed up if it was used for shares.

APP.3.4.A14 DISCONTINUED (S)

This requirement has been discontinued.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered when there is a high protection need. The specific determination takes place in the context of an individual risk analysis.

APP.3.4.A15 Encryption of Data Packets Under Samba (H)

To ensure the security of data packets during transit, the data packets SHOULD be encrypted using the encryption methods integrated in SMB Version 3 and later.
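As an added example (not part of the IT-Grundschutz text and not a Samba project tool), the following Python script reads an smb.conf and reports deviations from the configuration points of A2 (hosts allow, leftover sample shares), A3 (writable netlogon share, SMB signing switched off), A5 (DOS attributes in extended attributes, registry-managed shares), A6 (disjoint idmap ranges) and A15 (SMB3 only, with encryption mandatory). The two configurations embedded in it are constructed for illustration, the local UID range 1000-59999 is an assumption, and the parser reproduces Samba's parameter matching (case-insensitive, whitespace ignored) only as far as such an audit needs; it is not Samba's own parser.

```python
import re
LOCAL_UID_RANGE = (1000, 59999)  # assumed UID_MIN/UID_MAX of local accounts (A6)
EXAMPLE_SHARES = {"homes", "printers", "print$"}  # typical sample-file shares (A2)

def _norm(name):
    """Samba matches parameter names case-insensitively, ignoring whitespace."""
    return re.sub(r"\s+", "", name).lower()

def _yes(value):
    return value.strip().lower() in {"yes", "true", "1"}

def parse_smb_conf(text):
    """Parse smb.conf into {section: {normalised parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # only whole-line comments, as in Samba
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][_norm(key)] = value.strip()  # later entries win
    return conf

def audit_smb_conf(text):
    """Return a list of (requirement, finding) tuples; an empty list is clean."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # A2: accept connections only from listed hosts/networks; drop sample shares.
    if "hostsallow" not in g:
        findings.append(("A2", "'hosts allow' not set: any host may connect"))
    for share in sorted(EXAMPLE_SHARES & set(conf)):
        findings.append(("A2", f"sample share [{share}] is still defined"))
    # A3: samba-tool provisions [netlogon] with 'read only = No' and relies on
    # the sysvol ACLs, so a hit here means: verify those ACLs.
    nl = conf.get("netlogon")
    if nl is not None:
        ro, w = nl.get("readonly"), nl.get("writable", nl.get("writeable"))
        if (w is not None and _yes(w)) or (ro is not None and not _yes(ro)):
            findings.append(("A3", "[netlogon] is writable at share level"))
    if g.get("serversigning", "default").lower() in {"disabled", "no", "false", "off", "0"}:
        findings.append(("A3", "'server signing' has been switched off"))
    # A5: DOS attributes belong in extended attributes, shares in the registry.
    if not _yes(g.get("storedosattributes", "no")):
        findings.append(("A5", "'store dos attributes = yes' not set (default before 4.9: no)"))
    for p in ("map archive", "map hidden", "map system"):
        if _yes(g.get(_norm(p), "no")):
            findings.append(("A5", f"'{p} = yes' maps a DOS attribute onto mode bits"))
    if "registry" not in (g.get("configbackend", "").lower(), g.get("include", "").lower()):
        findings.append(("A5", "shares are defined in smb.conf, not in the registry"))
    # A6: 'idmap config <dom> : range' values must be disjoint from each other
    # and from the local account range, or domain and local IDs collide.
    ranges = {"local unix accounts": LOCAL_UID_RANGE}
    for key, value in g.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            lo, hi = value.split("-", 1)
            ranges[m.group(1)] = (int(lo), int(hi))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(("A6", f"idmap ranges of '{a}' and '{b}' overlap"))
    # A15: SMB3 only, encryption mandatory ('server smb encrypt' is the
    # post-4.15 name of 'smb encrypt').
    if not g.get("serverminprotocol", "").lower().startswith("smb3"):
        findings.append(("A15", "'server min protocol' still allows pre-SMB3 dialects"))
    if g.get("serversmbencrypt", g.get("smbencrypt", "default")).lower() != "required":
        findings.append(("A15", "'server smb encrypt = required' not set"))
    return findings

# Constructed samples (no real institution's files): sample-file style vs hardened.
WEAK_CONF = """\
[global]
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : range = 5000-999999
   map archive = yes
[printers]
   printable = yes
[netlogon]
   read only = no
"""
HARDENED_CONF = """\
[global]
   hosts allow = 127.0.0.1 10.0.0.0/8
   server min protocol = SMB3
   server smb encrypt = required
   store dos attributes = yes
   map archive = no
   map hidden = no
   map system = no
   idmap config * : range = 100000-199999
   idmap config EXAMPLE : range = 200000-2099999
   include = registry
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_smb_conf(conf) or "clean")
```

Against a live server, call audit_smb_conf(open("/etc/samba/smb.conf").read()). The script complements the syntax check with testparm -s that A2 calls for; it does not replace it, and it cannot see shares that exist only in the registry (list those with net conf list).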

Additional Information

Good to Know

No further information is available for the building block APP.3.4 Samba.