S 5.17 Samba
Description
This module examines the basic security features of Samba. Samba is a freely available authentication, file, and print service that allows interoperation between Microsoft Windows and the Unix world. Samba combines a number of different protocols and technologies. These include, for example, the Server Message Block protocol (SMB), also known by its newer name Common Internet File System (CIFS). The term "Samba server" refers to servers running Samba as an authentication, file, and print service. Such servers are generally Unix servers.
Samba consists of several components offering various functions; the most important are mentioned briefly below. The most important application in Samba is "smbd", which provides the login, file, and print services for SMB clients. Other applications worth mentioning include "nmbd", which offers various NetBIOS name services, and "winbindd".
This module examines Samba version 3. Differences between the various sub-versions of version 3 are pointed out explicitly where necessary. This module must be applied to every server in the information system being examined that operates Samba as a server service.
Threat scenario
The following typical threats to the IT-Grundschutz of a Samba server are assumed to exist:
Organisational Shortcomings
T 2.9 | Poor adjustment to changes in the use of IT |
T 2.22 | Lack of or insufficient evaluation of auditing data |
T 2.87 | Use of insecure protocols in public networks |
T 2.143 | Information losses relating to copying or moving data on Samba shares |
T 2.144 | Inadequate contingency planning for a Samba server |
T 2.145 | Inadequate backup of trivial database files under Samba |
Human Error
T 3.9 | Improper IT system administration |
T 3.38 | Errors in configuration and operation |
T 3.94 | Incorrect configuration of the Samba communication protocols |
T 3.95 | Incorrect configuration of the operating system of a Samba server |
T 3.96 | Incorrect configuration of a Samba server |
Technical Failure
T 4.13 | Loss of stored data |
T 4.22 | Software vulnerabilities or errors |
T 4.54 | Loss of protection via the encrypting file system EFS |
T 4.72 | Inconsistent databases in the trivial database format under Samba |
Deliberate Acts
T 5.7 | Line tapping |
T 5.21 | Trojan horses |
T 5.28 | Denial of services |
T 5.71 | Loss of confidentiality of classified information |
T 5.85 | Loss of integrity of information that should be protected |
T 5.133 | Unauthorized use of web-based administration tools |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
All security considerations for a Samba server should be based on the safeguards contained in module S 3.101 General server. Since Samba is generally used on Unix operating systems, the safeguards listed in module S 3.102 Servers under Unix also need to be taken into consideration. This module describes the general safeguards from those modules in more detail and supplements them.
Planning and design
Once the general planning phase for the use of servers is complete, subconcepts for the use of Samba must be drawn up that take into consideration all applicable general concepts and policies. The general planning approach is explained in S 2.315 Planning the use of servers. During the planning phase, important decisions need to be made, among them decisions regarding the basic network services (such as WINS). The safeguards listed in S 2.437 Planning the use of a Samba server should be integrated into the decision-making process when designing the network services.
Purchasing
After finishing the conceptual planning phase, the integrity and authenticity of the packages to be used for installation (source code or binary packages) must be checked (see S 4.327 Verification of the integrity and authenticity of the Samba packages and sources).
Implementation
Before installing Samba on the host server, the server operating system must be suitably configured and secured (see S 4.331 Secure configuration of the operating system of a Samba server). A number of issues must be taken into consideration during the actual installation and subsequent basic configuration. These are described in S 4.330 Secure installation of a Samba server, S 4.326 Ensuring the NTFS file properties on a Samba file server, S 4.332 Secure configuration of the access controls for a Samba server, and S 5.151 Secure configuration of the Samba Web Administration Tool. In addition, it should be ensured that Samba does not integrate any insecure external programs (see S 2.438 Secure use of external programs on a Samba server). As mentioned in S 2.437 Planning the use of a Samba server, the safeguards in S 4.333 Secure configuration of Winbind under Samba could be relevant under some circumstances. Furthermore, the safeguards in S 4.329 Secure use of communication protocols when using a Samba server must be followed.
The administrators must receive training on the secure installation and operation of Samba servers. The most important subjects to be covered by such a training measure are described in S 3.68 Training the administrators of a Samba server.
Operation
During regular operations, it must be ensured that the documentation is kept up to date. Furthermore, the aspects described in S 4.335 Secure operation of a Samba server must be considered.
Contingency Planning
Special aspects of Samba servers that need to be taken into consideration in addition to S 6.96 Contingency planning for a server are summarised in S 6.135 Regular backup of important system components of a Samba server and S 6.136 Creation of a business continuity plan for the failure of a Samba server.
The bundle of safeguards for Samba servers is presented below. The safeguards from the other relevant modules (such as S 6.96 Contingency planning for a server in module S 3.101 General server) are not repeated here for reasons of clarity.
Planning and design
S 2.437 | (A) | Planning the use of a Samba server |
S 4.147 | (Z) | Secure use of EFS under Windows |
S 4.326 | (A) | Ensuring the NTFS file properties on a Samba file server |
Purchasing
S 4.327 | (C) | Verification of the integrity and authenticity of the Samba packages and sources |
Implementation
S 2.438 | (Z) | Secure use of external programs on a Samba server |
S 3.68 | (B) | Training the administrators of a Samba server |
S 4.328 | (A) | Secure basic configuration of a Samba server |
S 4.329 | (C) | Secure use of communication protocols when using a Samba server |
S 4.330 | (B) | Secure installation of a Samba server |
S 4.331 | (C) | Secure configuration of the operating system of a Samba server |
S 4.332 | (A) | Secure configuration of the access controls for a Samba server |
S 4.333 | (C) | Secure configuration of Winbind under Samba |
S 4.334 | (Z) | SMB message signing and Samba |
S 5.151 | (C) | Secure configuration of the Samba Web Administration Tool |
Operation
S 4.335 | (B) | Secure operation of a Samba server |
Contingency Planning
S 6.135 | (B) | Regular backup of important system components of a Samba server |
S 6.136 | (B) | Creation of a contingency plan for the failure of a Samba server |