S 4.331 Secure configuration of the operating system of a Samba server
Initiation responsibility: IT Security Officer, Administrator
Implementation responsibility: Administrator
The operating system of the Samba server should be configured in the following manner for secure operation:
ReiserFS and databases in the TDB format
Samba stores databases in several directories in the Trivial Database (TDB) format. The directories Samba uses to store these databases are described in the "TDB files (configuration data and status information)" section in safeguard S 6.135 Regular backup of important system components of a Samba server.
The files in these directories are very important for the correct operation of Samba. All databases in the TDB format should be stored on a partition that does not use ReiserFS as its file system (see T 4.72 Inconsistent databases in the trivial database format under Samba).
Mounting file systems
Some of the necessary safeguards mentioned in S 5.17 Samba assume that the file system on which the Samba shares are offered supports access control lists (ACLs). The kernel of the server on which Samba runs must therefore support ACLs for the file system used. In addition, it must be ensured that the file system is mounted with the appropriate parameters (the "acl" option of the "mount" program) so that ACL support is actually enabled. The same applies to extended attributes (xattr) if these are used in connection with Samba.
Packet filter
Samba uses the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports listed in the following:
- port 137/UDP (used by the nmbd process): Network Basic Input/Output System (NetBIOS) name service
- port 138/UDP (used by the nmbd process): NetBIOS datagram service
- port 139/TCP (used by the smbd process): NetBIOS session service. File and print services if the Server Message Block (SMB) is used via NetBIOS.
- port 445/TCP (used by the smbd process): File and print services if SMB is used directly over TCP/IP.
In addition to the safeguards described in S 4.328 Secure basic configuration of a Samba server for the "interfaces" and "bind interfaces only" configuration parameters, all ports not listed should be blocked by a local packet filter for the interfaces and Internet Protocol (IP) addresses that should not be accessible through Samba (see S 4.238 Use of local packet filters).
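As an added example for the packet-filter requirement (not part of this safeguard, nor Samba's or any distribution's code), the POSIX shell script below does two things: it emits a default-deny iptables rule set that admits the four Samba ports only from an assumed LAN subnet on an assumed interface, and it audits a listening-socket listing for ports outside that set, which is what the first review question asks. The interface (eth1), subnet (10.0.0.0/24) and the `ss -lntu`-style socket listing are constructed placeholders.

```shell
#!/bin/sh
# Added example for the S 4.331 packet-filter section (not BSI or Samba code).

# Port table taken from the safeguard text: "proto/port service-name".
SAMBA_PORTS='udp/137 netbios-ns
udp/138 netbios-dgm
tcp/139 netbios-ssn
tcp/445 microsoft-ds'

# Is "$1" (e.g. tcp/445) one of the four Samba ports?
is_samba_port() {
    case "$1" in
        udp/137|udp/138|tcp/139|tcp/445) return 0 ;;
    esac
    return 1
}

# Print iptables commands implementing S 4.238 for Samba: default-deny INPUT,
# Samba ports accepted only from subnet $2 arriving on interface $1 (both assumed
# values), and the same ports explicitly dropped on every other interface/source.
# Any other service the host must offer (e.g. remote administration) needs its own
# ACCEPT rule before this policy is applied, or you lock yourself out.
samba_filter_rules() {
    sf_iface=$1; sf_net=$2
    echo "# Samba reachable only from $sf_net via $sf_iface"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r sf_pp sf_name; do
        sf_proto=${sf_pp%/*}; sf_port=${sf_pp#*/}
        echo "iptables -A INPUT -i $sf_iface -s $sf_net -p $sf_proto --dport $sf_port -m comment --comment $sf_name -j ACCEPT"
    done <<EOF
$SAMBA_PORTS
EOF
    # Explicit drops document the intent even if the policy is later relaxed.
    echo "iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP"
    echo "iptables -A INPUT -p tcp -m multiport --dports 139,445 -j DROP"
}

# Constructed socket listing in the column layout of `ss -lntu` without its header
# (hypothetical host, not captured output): Netid State Recv-Q Send-Q Local Peer
SAMPLE_SOCKETS='udp UNCONN 0 0 0.0.0.0:137 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:138 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# Print proto/port for every listener that is not a Samba port; each of these
# needs either a deliberate ACCEPT rule or to be shut down (review question 1).
non_samba_listeners() {
    while read -r ns_proto ns_state ns_rq ns_sq ns_local ns_peer; do
        [ -z "$ns_proto" ] && continue
        ns_port=${ns_local##*:}
        is_samba_port "$ns_proto/$ns_port" || echo "$ns_proto/$ns_port"
    done <<EOF
$1
EOF
}

# Demonstration: show the generated rules, then the listeners needing a decision.
samba_filter_rules eth1 10.0.0.0/24
echo "listeners outside the Samba port set:"
non_samba_listeners "$SAMPLE_SOCKETS"
```

To apply on a host, review the printed commands and then pipe them to `sh`; to audit a live system, feed `non_samba_listeners` the output of `ss -lntu` with its header line removed. The interface-level filter complements, rather than replaces, the "interfaces" and "bind interfaces only" settings from S 4.328: the Samba parameters control where smbd and nmbd listen, the packet filter enforces it independently of the Samba configuration.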
Review questions:
- Are only those TCP and UDP ports actually required for operating the Samba server enabled on the local packet filter?
- Are databases in the TDB format only stored on partitions that do not use ReiserFS as the file system?
- Does the kernel of the operating system on which Samba runs support ACLs for the file system used?
- Is the file system mounted with the necessary parameters?
- If required: does the kernel of the operating system on which Samba runs support xattr for the file system used?