mourik jan heupink - merit
2015-Feb-13 12:49 UTC
[Samba] cifs traffic over less trusted networks
Hi all,

We might need to open port 445 for some (specific) external ip's, so they can make a direct connection to our samba4 AD fileservers.

I am wondering how secure that would be, as we would normally use a VPN connection for something like this.

So: What smb.conf options would I need to set, to make cifs traffic over a less-trusted network as safe as possible? (or is cifs traffic by nature already encrypted/secure/safe?)

Clients will be only windows7, samba4 in active directory mode, version 4.1.16 from sernet.

Kind regards,
Mourik Jan
On Fri, Feb 13, 2015 at 01:49:01PM +0100, mourik jan heupink - merit wrote:
> Hi all,
>
> We might need to open port 445 for some (specific) external ip's, so
> they can make a direct connection to our samba4 AD fileservers.
>
> I am wondering how secure that would be, as we would normally use a
> VPN connection for something like this.
>
> So: What smb.conf options would I need to set, to make cifs traffic
> over a less-trusted network as safe as possible? (or is cifs traffic
> by nature already encrypted/secure/safe?)

Going from Windows the answer is no/no/no.

If you are using Windows clients use a VPN.

smbclient can use -e encrypted mode, and Windows 8 or above I believe can use SMB3 + encrypted transport, but even so it's not a good idea to open a port to the outside world.
mourik jan heupink - merit
2015-Feb-14 09:11 UTC
[Samba] cifs traffic over less trusted networks
Hi Jeremy,

> Going from Windows the answer is no/no/no.
>
> If you are using Windows clients use a VPN.
>
> smbclient can use -e encrypted mode, and Windows
> 8 or above I believe can use SMB3 + encrypted
> transport, but even so it's not a good idea
> to open a port to the outside world.

Ok, thanks for your kind feedback!

Mourik Jan