Edouard Guigné
2020-Dec-03 16:47 UTC
[Samba] Nessus - SMB Use Host SID to Enumerate Local Users Without Credentials
Hello,

I tested my samba share with nessus, and I found:

"Using the host security identifier (SID), Nessus was able to enumerate local users on the remote Windows system, without credentials."

My samba version is 4.10.16.

The samba server is configured as domain member (not AD), in order to serve only files.

Is there a way to improve that security point?

Result of testparm:

# Global parameters
[global]
        client min protocol = SMB2
        client signing = required
        disable spoolss = Yes
        domain master = No
        kerberos method = secrets and keytab
        load printers = No
        local master = No
        log file = /var/log/samba/%m.log
        preferred master = No
        printcap name = /dev/null
        realm = XXXX.XXXX.XX
        security = ADS
        server min protocol = SMB2_02
        server signing = required
        winbind nss info = rfc2307
        winbind use default domain = Yes
        workgroup = XXXX
        idmap config ipgad : unix_primary_group = yes
        idmap config ipgad : unix_nss_info = yes
        idmap config ipgad : range = 10000 - 14999
        idmap config ipgad : schema_mode = rfc2307
        idmap config ipgad : backend = ad
        idmap config * : range = 15000-99999
        idmap config * : backend = tdb
        cups options = raw
        hosts allow = 127. 10.9.x.
        hosts deny = 10.9.x.
        map acl inherit = Yes
        use sendfile = Yes
        vfs objects = acl_xattr

[groups]
        comment = mysmbserver
        path = /var/datashared
        read only = No
        valid users = "@IPGAD\utilisateurs du domaine"
        vfs objects = acl_xattr streams_xattr shadow_copy2
        shadow:format = daily_%Y.%m.%d-%H.%M.%S
        shadow:localtime = yes
        shadow:sort = desc
        shadow:basedir = /var/datashared
        shadow:snapdir = /data/datashared/snapshots

[homes]
        browseable = No
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        hide files = /~*.tmp/profile/desktop.ini/~$*/
        path = /home
        read only = No
        valid users = %S

[printers]
        browseable = No
        comment = All Printers
        create mask = 0600
        path = /var/tmp
        printable = Yes

[print$]
        comment = Printer Drivers
        create mask = 0664
        directory mask = 0775
        path = /var/lib/samba/drivers
        write list = root

Best regards,
Ed
Andrew Bartlett
2020-Dec-03 17:35 UTC
[Samba] Nessus - SMB Use Host SID to Enumerate Local Users Without Credentials
On Thu, 2020-12-03 at 13:47 -0300, Edouard Guigné via samba wrote:
> Hello,
>
> I tested my samba share with nessus, and I found:
>
> "Using the host security identifier (SID), Nessus was able to enumerate
> local users on the remote Windows system, without credentials."
>
> My samba version is 4.10.16
>
> The samba server is configured as domain member (not AD), in order to
> serve only files.
>
> Is there a way to improve that security point ?

See 'restrict anonymous'.

Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
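The following is an added example, not code from either message in this thread and not part of Samba itself. It shows the two halves of what a practitioner would do with Andrew's pointer: a small check that a testparm-style dump actually carries a non-default restrict anonymous value (the smb.conf(5) default is 0, meaning no restriction; 1 blocks anonymous user and group listing, 2 refuses anonymous IPC$ sessions altogether), and a reproduction of the scanner's technique with rpcclient (a null session, lsaquery for the host SID, then lookupsids over a range of RIDs) so the finding can be re-tested before and after the change. The sample config text, the host name, and the 500 to 1100 RID range are assumptions made for the example; the rpcclient functions are meant to be run against a real server and are not exercised offline.

```shell
#!/bin/sh
# Added example for the restrict anonymous discussion above (not from the
# thread). Assumed inputs: a constructed testparm-style snippet and a
# hypothetical host passed to rid_walk. Requires rpcclient from Samba.

# Constructed snippet in the shape of `testparm -s` output, with the
# hardened setting applied to the [global] section.
SAMPLE_CONF='[global]
        restrict anonymous = 2
        server min protocol = SMB2_02
        server signing = required'

# check_restrict_anonymous CONF_TEXT
# Prints the effective value of "restrict anonymous" (0 when absent, which is
# Samba's default) and returns success only when anonymous enumeration is
# restricted (value 1 or 2).
check_restrict_anonymous() {
    val=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*restrict anonymous[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' \
        | head -n 1)
    [ -z "$val" ] && val=0
    printf '%s\n' "$val"
    [ "$val" -ge 1 ]
}

# host_sid HOST
# What the scanner does first: open a null session and ask LSA for the SID.
# Prints the SID, or fails when anonymous LSA access is refused (the state
# you want after setting restrict anonymous).
host_sid() {
    rpcclient -U '' -N "$1" -c lsaquery 2>/dev/null | sed -n 's/^Domain Sid: //p'
}

# rid_walk HOST [FIRST_RID] [LAST_RID]
# Second step of the finding: append candidate RIDs to the SID and resolve
# them in one lookupsids call, printing only the ones that map to a name.
# Default range 500-1100 covers the well-known accounts and the first
# locally created users; widen it as needed.
rid_walk() {
    host=$1
    first=${2:-500}
    last=${3:-1100}
    sid=$(host_sid "$host")
    if [ -z "$sid" ]; then
        echo "no anonymous LSA access to $host (nothing to enumerate)" >&2
        return 1
    fi
    sids=""
    rid=$first
    while [ "$rid" -le "$last" ]; do
        sids="$sids $sid-$rid"
        rid=$((rid + 1))
    done
    rpcclient -U '' -N "$host" -c "lookupsids$sids" 2>/dev/null | grep -v '\*unknown\*'
}

# Usage against a real server (hypothetical host name):
#   check_restrict_anonymous "$(testparm -s 2>/dev/null)" || echo "anonymous enumeration allowed"
#   rid_walk smb.example.internal 500 1100
```

Run rid_walk once before editing smb.conf to confirm you can reproduce what Nessus reported, then add restrict anonymous to [global], reload smbd, and run it again: with value 1 the lookups should come back empty or denied, and with value 2 lsaquery itself should fail. Value 2 refuses every anonymous IPC$ session, which some Windows clients still rely on, so verify domain-joined workstations can still map the shares before leaving it in place.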