Denis Cardon
2016-08-01 18:38:33 UTC
Hi everyone,
there has already been some talk in the past about null session
access on Samba, and that keeping the "restrict anonymous" parameter below
level 2 was necessary for NT4 domain support. [1]
However, I was wondering if it could be changed. For instance, on a
Samba 4.4.5 AD with the default settings, when you run the following
command, you'll get the domain user list without any authentication
(even with NetBIOS disabled):
rpcclient -U '%' mysamba4 -c enumdomusers
Is there still some reason to keep it that way on a Samba 4 AD? Is it
possible to have the default value at 2? I understand that it used to be
necessary for NT4 compatibility, and that changing the default value may
break existing installations based on classic domains; however, having that
null session "vulnerability" on pentesting reports is really a pity
(the restrict anonymous=2 behaviour has been the default since XP).
I know that the Samba project is reluctant to change default parameter
values, especially when it may break existing installations. I'd say that
it may be an option to add "restrict anonymous=2" by default to smb.conf
when creating a new domain, or make it the default value if "server role
= active directory domain controller" (I don't know if it is possible).
Thanks,
Denis
[1] https://lists.samba.org/archive/samba/2007-July/133938.html
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
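Added example (not code from the original post or from the Samba project): a small POSIX shell script that runs the null-session check the post describes and classifies rpcclient's answer, alongside the smb.conf setting the post asks to become the default. The live check assumes rpcclient from the Samba client tools is on PATH and that the target host is given as the first argument; the sample outputs embedded in the script are constructed to resemble rpcclient's output and were not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post or the Samba project.
# Checks whether a Samba server hands out the domain user list over a null
# session (empty username, empty password) and shows the smb.conf setting
# that closes it. Assumptions: rpcclient is on PATH for the live check; the
# SAMPLE_* strings below are constructed, not captured from a real server.

# Classify enumdomusers output read on stdin. Prints "EXPOSED:<n>" when <n>
# user entries came back, "RESTRICTED" when the server refused anonymous
# access, and "UNKNOWN" for anything else (connection errors, timeouts).
classify_output() {
    out=$(cat)
    # rpcclient prints one "user:[name] rid:[0x..]" line per account.
    n=$(printf '%s\n' "$out" | grep -c '^user:\[' || true)
    if [ "$n" -gt 0 ]; then
        printf 'EXPOSED:%s\n' "$n"
    elif printf '%s\n' "$out" | grep -q 'NT_STATUS_ACCESS_DENIED'; then
        printf 'RESTRICTED\n'
    else
        printf 'UNKNOWN\n'
    fi
}

# Live check against a host: the same command as in the post; -U '%' means
# an empty username and an empty password, i.e. a null session.
null_session_check() {
    host="$1"
    rpcclient -U '%' "$host" -c enumdomusers 2>&1 | classify_output
}

# Constructed sample: what a DC that still allows null sessions returns.
SAMPLE_OPEN='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]'

# Constructed sample: the refusal seen once anonymous access is restricted.
SAMPLE_CLOSED='result was NT_STATUS_ACCESS_DENIED'

# The setting the post asks to become the default on AD DCs: put it in the
# [global] section of smb.conf and restart the samba service.
SMB_CONF_FIX='[global]
    restrict anonymous = 2'

# Usage: sh null_session_check.sh <dc-hostname>
if [ "$#" -ge 1 ]; then
    null_session_check "$1"
fi
```

Run it against a DC before and after adding "restrict anonymous = 2"; the first run should print EXPOSED with the account count, the second RESTRICTED. Re-test from a domain-joined client afterwards, since level 2 also refuses anonymous IPC$ connections that some older clients and classic-domain setups rely on.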
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba