Somewhat Samba related, I ask this question (that might be over the line and into Windows territory) but, here I go . . . Of those user on this mailing list that manage Samba installs for various clients/customers, what are your most used GPO policies you have put into place for AD management? I ask because, when you venture over into Windows world and start reading posted articles about their "best practices" for active directory deployments "these" are the minimum GPO's you should utilize. In these articles, most of the GPO's listed regard security, etc, etc. Users cannot do this or that, etc. In a different post (to this list) recently, Louis posted this: Do the same for the following services: - Function Discovery Resource Publication (FDResPub) - Network Connections (NetMan) - UPnP Device Host (UPnPHost) - Peer Name Resolution Protocol (PNRPSvc) - Peer Networking Grouping (P2PSvc) - Peer Networking Identity Manager (P2PIMSvc) Repeat the same procedure for all PCs on the network. Or* even better, configure a GPO for it*. It was that last line that got me thinking about this. These were good suggestions for workstation services settings that help Samba and workstations (W10?) work better *together*. Could we (this list) generate a list of suggested GPO's that each of us can decide to enable or disable as we think needed? I thinking the most basic GPO's but, any suggestion would be welcome? -- Thank you. Bob Wooden
On Sat, Aug 17, 2019 at 12:35 PM Robert Wooden via samba <samba at lists.samba.org> wrote:> > Somewhat Samba related, I ask this question (that might be over the line > and into Windows territory) but, here I go . . . > > Of those user on this mailing list that manage Samba installs for various > clients/customers, what are your most used GPO policies you have put into > place for AD management?I've not been running GPO for quite a long time. But the gold standard for nework security is NIST, which has many subtleties any good AD or Samba admin should be aware of. * https://pages.nist.gov/800-63-3/sp800-63b.html There are fascinating little details there about password requirements.> I ask because, when you venture over into Windows world and start reading > posted articles about their "best practices" for active directory > deployments "these" are the minimum GPO's you should utilize. In these > articles, most of the GPO's listed regard security, etc, etc. Users cannot > do this or that, etc. > > In a different post (to this list) recently, Louis posted this: > > Do the same for the following services: > - Function Discovery Resource Publication (FDResPub) > - Network Connections (NetMan) > - UPnP Device Host (UPnPHost) > - Peer Name Resolution Protocol (PNRPSvc) > - Peer Networking Grouping (P2PSvc) > - Peer Networking Identity Manager (P2PIMSvc) > > Repeat the same procedure for all PCs on the network. > Or* even better, configure a GPO for it*. > > It was that last line that got me thinking about this. > > These were good suggestions for workstation services settings that help > Samba and workstations (W10?) work better *together*. > > Could we (this list) generate a list of suggested GPO's that each of us can > decide to enable or disable as we think needed? > > I thinking the most basic GPO's but, any suggestion would be welcome? > > -- > Thank you. > > Bob Wooden > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Hi Bob, all, I asked for similar in https://lists.samba.org/archive/samba/2019-July/224540.html, but got just one (private) reply to it. I believe there is some common sense what everyone should enforce (like SMB3) via GPO and some stuff where your mileage may vary. Actually not all of the items Louis mentioned (don?t know when) are clear to me, thus it might help to collect pros and cons or scenarios where you want to apply or refrain on a Wiki page. Regards, Joachim -----Urspr?ngliche Nachricht----- Von: samba <samba-bounces at lists.samba.org> Im Auftrag von Robert Wooden via samba Gesendet: Saturday, 17 August 2019 18:33 An: SAMBA MailList <samba at lists.samba.org> Betreff: [Samba] Samba related question?? Somewhat Samba related, I ask this question (that might be over the line and into Windows territory) but, here I go . . . Of those user on this mailing list that manage Samba installs for various clients/customers, what are your most used GPO policies you have put into place for AD management? I ask because, when you venture over into Windows world and start reading posted articles about their "best practices" for active directory deployments "these" are the minimum GPO's you should utilize. In these articles, most of the GPO's listed regard security, etc, etc. Users cannot do this or that, etc. In a different post (to this list) recently, Louis posted this: Do the same for the following services: - Function Discovery Resource Publication (FDResPub) - Network Connections (NetMan) - UPnP Device Host (UPnPHost) - Peer Name Resolution Protocol (PNRPSvc) - Peer Networking Grouping (P2PSvc) - Peer Networking Identity Manager (P2PIMSvc) Repeat the same procedure for all PCs on the network. Or* even better, configure a GPO for it*. It was that last line that got me thinking about this. These were good suggestions for workstation services settings that help Samba and workstations (W10?) work better *together*. Could we (this list) generate a list of suggested GPO's that each of us can decide to enable or disable as we think needed? I thinking the most basic GPO's but, any suggestion would be welcome? -- Thank you. Bob Wooden -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba