Web lists-archives.com

[Samba] Locking down RPC services for a standalone server




Hi all,

After CVE-2015-0240 (remote code execution in netlogon), I would feel
more comfortable if my server wasn't providing any services that
aren't strictly required, but I couldn't find much documentation for
rpc_server, server services, and similar directives that explains
which services are needed for various configurations.

I'm running a standalone Samba 4.6 file server on FreeBSD 11.1. No
domains, printing, DFS, or anything else like that. From my own
testing, it looks like I can disable all RPC services except for
srvsvc (Remote Server Services). Are there any others that might be
required? Am I asking for trouble with such configuration (or just
wasting my time)?

I also tried playing with the "server services" directive, but
everything kept working even if I just specified "server services =
s3fs" (no rpc), which seems odd. I'm guessing that rpc is enabled no
matter what and the rest aren't needed?

My current configuration is below. Any other suggestions for improving
security would be most welcome.

-Max

[global]

# Protocol settings
client min protocol = SMB2
host msdfs = no
restrict anonymous = 2
server min protocol = SMB2
smb encrypt = required
unix extensions = no
workgroup = EXAMPLE

# Service defaults
csc policy = disable
directory name cache size = 0
map archive = no
store dos attributes = yes
strict sync = yes

# max open files defaults to kern.maxfilesperproc, but has a hard-coded limit of
# 65536 - FILE_HANDLE_OFFSET(4096) - MAX_OPEN_PIPES(2048).
max open files = 59392

# Disable NetBIOS
disable netbios = yes
smb ports = 445

# Disable printing (keep spoolss enabled to avoid warnings on each connection)
load printers = no
printcap cache time = 0
printcap name = /dev/null

# Disable unnecessary RPC services
rpc_server:epmapper = disabled
rpc_server:winreg = disabled
rpc_server:lsarpc = disabled
rpc_server:samr = disabled
rpc_server:netlogon = disabled
rpc_server:netdfs = disabled
rpc_server:dssetup = disabled
rpc_server:wkssvc = disabled
rpc_server:spoolss = disabled
rpc_server:svcctl = disabled
rpc_server:ntsvcs = disabled
rpc_server:eventlog = disabled
rpc_server:initshutdown = disabled
rpc_server:mdssvc = disabled

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba