S 4.329 Secure use of communication protocols when using a Samba server

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Misconfiguration of the communication protocol settings may adversely affect the availability and the security of the services made available by a Samba server. The following safeguards are therefore recommended to ensure the communication protocols used are used securely.

NetBIOS

Samba is only able to use the Network Basic Input/Output System (NetBIOS) via the Transmission Control Protocol (TCP)/Internet Protocol (IP). In order to ensure the network operates reliably, it is very important that only those protocols are used on the Windows clients that are actually needed. If Windows uses NetBEUI (NetBIOS Extended User Interface) in addition to using TCP/IP, for example, it is not clear whether the Windows network environment uses NetBEUI or TCP/IP. Nowadays, only TCP/IP is normally needed. Internetwork Packet Exchange (IPX) may still be needed if Netware systems need to access the Samba server.

Encryption

The Server Message Block (SMB) protocol does not support any form of encryption for the data packets. Implementing the safeguard described in S 4.334 SMB message signing and Samba can only protect the integrity of the data packets transmitted. If the protection requirements of the transmitted information are higher, it must be ensured that the information transmitted is encrypted by implementing additional safeguards. One good solution is to use Internet Protocol Security (IPSec).

IPSec can be used to secure all IP-based communication connections to and from a client. When used, it is possible to authenticate the communication end points, to sign the data packets, and to transmit them in encrypted form so that the integrity and confidentiality of the data can be guaranteed when there are high security requirements. The subconcept for an IPSec infrastructure should take into consideration the additional administration required and assumes a test has already been performed in a test environment to check for compatibility with the existing systems. In general, the increased computing power needed and the possible effect on the load response of the server due to the use of IPSec should not be overlooked.

Review questions: