Hi,

Is there any setting in smb.conf that prevents the AD enumeration like user, group or computer enumeration? We tried to follow different methods recommended by Microsoft for the AD. But they don't seem to work. Still using apps like PowerShell, we can still enumerate the users, groups etc.

Best regards,
Anantha Raghava

On 10-07-2024 11:41, Anantha Raghava via samba wrote:
> Hi,
>
> Is there any setting in smb.conf that prevents the AD enumeration like
> user, group or computer enumeration? We tried to follow different
> methods recommended by Microsoft for the AD. But they don't seem to
> work. Still using apps like PowerShell, we can still enumerate the
> users, groups etc.
>

Not that I am aware of.

As an alternative I have set up an OpenLDAP proxy. It forwards queries to AD and limits visibility of AD's LDAP. In the OpenLDAP configuration it is relatively simple to set ACLs on all kinds of operations and objects.

Of course this solution is not suitable for domain members. In my setup I use it for queries from services in the DMZ. The services just have a service account in AD that they use to authenticate for their query. Firewall settings are in place to take care that it is not possible to connect from the DMZ to the AD DCs directly but just to the OpenLDAP proxy.

- Kees.

> Best regards,
>
> Anantha Raghava

10.07.2024 14:41, Anantha Raghava via samba wrote:
> Hi,
>
> Is there any setting in smb.conf that prevents the AD enumeration like
> user, group or computer enumeration? We tried to follow different
> methods recommended by Microsoft for the AD. But they don't seem to
> work. Still using apps like PowerShell, we can still enumerate the
> users, groups etc.

/etc/samba/smb.conf

[global]
restrict anonymous = 2

Additionally

samba-tool forest directory_service dsheuristics 0000000

--
Anton
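
An added example, not part of the thread or of Samba's own code: a small Python check that reads an smb.conf by Samba's parsing rules (section and parameter names ignore case and whitespace, `;` and `#` start comments, a trailing backslash continues a line) and reports the effective `restrict anonymous` level mentioned in the last reply. The sample file and all function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf (not from the thread) exercising the parsing rules.
SAMPLE = """\
[Global]
    workgroup = EXAMPLE
    ; restrict anonymous = 0
    Restrict  Anonymous = 2
    server role = active directory \\
        domain controller
[sysvol]
    path = /var/lib/samba/sysvol
"""

def norm(name):
    """smb.conf section and parameter names ignore case and all whitespace."""
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalised parameter name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash: join with next line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            params[norm(key)] = value.strip()
    return params

def restrict_anonymous(text):
    """Effective level (0, 1 or 2); unset means Samba's default of 0, junk gives None."""
    value = global_params(text).get("restrictanonymous", "0")
    return int(value) if value in ("0", "1", "2") else None

def audit(text):
    level = restrict_anonymous(text)       # one-line finding for a review report
    if level == 2:
        return "ok: restrict anonymous = 2"
    return f"review: restrict anonymous = {level} (unset defaults to 0)"

print(audit(SAMPLE))
```

On a host with Samba installed, `testparm` remains the authoritative view of the loaded configuration; this check is for reviewing a file offline.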