[Samba] Nessus test issues with open shares
Joseph P Villa
jvilla at usgs.gov
Wed May 28 18:14:46 GMT 2008
There were a few things that I needed to blot out (I used #'s to mask the
areas that I shouldn't be showing), but here it is!
Thanks for all of your help!
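# Samba 3.0.23C global parameters 09/26/06
# WINBIND removed
#
# NOTE(review): the archived post shows [global], [homes] and [printers]
# repeated several times, with a run of global-only parameters spilled under
# [printers] and two values wrapped onto extra lines by the mail client
# (a comment continuation "before" with no comment marker, and the
# 'socket options' value split across three lines). The repeated copies are
# identical apart from which values were blotted out, so each section is
# kept once here and the wrapped lines are rejoined. Blotted values are left
# as the poster's "####" placeholders.
#
# NOTE(review): the shares named in the scan findings (LOGS$ and ARCSERVE$)
# are not defined in this file; the only services here are [homes] and
# [printers]. Either the scanned host exports them through something other
# than this smb.conf (an included file, a different daemon) or the scan hit
# a different host. Confirm what the scanned address actually exports before
# changing this file.
[global]
## Configured with /usr/local/samba/bin/config_samba
workgroup = GS
## Domain-member mode: user passwords are verified by the controller named
## in 'password server', not from a local password database.
security = domain
encrypt passwords = yes
## Blotted out by the poster; "####" is not a usable host name.
password server = #####
wins server = #####
## Access is granted by DNS domain suffix. NOTE(review): suffix matching
## depends on reverse DNS for the connecting address; confirm that the
## resolvers smbd uses are trustworthy on this network.
allow hosts = .gs.doi.net .usgs.gov
##
## Disable Browsing Services
os level = 0
preferred master = no
domain master = no
local master = no
## Please set netbios name to GS naming standard
## example: netbios name = IGS##########
## Pre-stage (create) this computer account in Active Directory before
## joining to domain
netbios name = igs###########
##
server string = NAME
username map = /usr/local/samba/lib/users.map
## NOTE(review): 'password level' makes smbd retry a rejected password with
## up to this many characters upper-cased, so more candidate passwords are
## accepted than the one the user typed. 0 disables the retries; consider it
## unless a legacy client genuinely needs case folding.
password level = 2
printcap name = /usr/local/samba/lib/printers
preload = homes printers
## NOTE(review): no [tmp] service is defined in this file, so this fallback
## cannot resolve. Define the service or drop the line.
default service = tmp
## Spawns a shell for every WinPopup message received; %s is the file smbd
## writes the message to.
message command = csh -c 'xedit %s;rm %s' &
NIS homedir = Yes
## %p is the printer name, %s the spool file; the file is removed after
## printing.
print command = lp -c -o nobanner -d%p %s; rm %s
## Use a separate log file for each machine
## NOTE(review): the value below carries no %m substitution, so every
## client writes to the same log.smbd; log.%m would match the comment.
log file = /usr/local/samba/var/log.smbd
## Put a cap on the size of the log files (in Kb).
max log size = 50
map archive = no
## Performance Parameters
log level = 1
## Rejoined from three wrapped lines in the post. 16834 is kept as written;
## 16384 may have been intended — verify.
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=16834 SO_RCVBUF=16834 SO_KEEPALIVE
read raw = yes
write raw = yes
max xmit = 65535
getwd cache = yes
## Recommended Security Setting
## NOTE(review): in Samba 3.x 'restrict anonymous' is an integer setting
## (0, 1 or 2). A non-numeric value such as "yes" is likely read as 0, which
## is no restriction at all. Check the effective value with 'testparm -v'
## and write it as a number.
Restrict anonymous = yes
allow trusted domains = no
## The 'client ...' settings govern connections this host makes to other
## servers (smbclient, the domain join); they do not control which
## authentication methods smbd accepts from clients. NOTE(review): review
## the server-side 'lanman auth' and 'ntlm auth' settings separately.
client use spnego = yes
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
## Only relevant if an LDAP passdb backend is in use, which this file does
## not configure.
ldap ssl = no
## File Oplock Settings can be set globally although should be set at the
## share level depending on whether you are having problems with Excel or
## other applications not saving properly.
## oplocks = no
## level 2 oplocks = no

# Home Section Samba User home directories are automatically mapped
[homes]
comment = Home Directories
path = %H
read only = No
## Files and directories created through the share are group-writable
## (0664 / 0775); tighten to 0644 / 0755 unless group write is required.
create mask = 0664
directory mask = 0775
## Dot files (shell and tool configuration in the home directory) are
## listed to clients; the default hides them.
hide dot files = No
## File Oplock Settings
oplocks = no
level 2 oplocks = no

# Printer Section used to list available UNIX printers
[printers]
comment = All Printers
path = /tmp
username = %U
create mask = 0700
## NOTE(review): 'guest ok = Yes' lets clients connect to this service
## without authenticating, even though the server is a domain member. This
## is the only service in this file that allows anonymous access; if the
## scan finding concerns unauthenticated share access, start here.
guest ok = Yes
print ok = Yes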
Joseph P Villa, IT Services
USGS Mounds View, MN
Jeremy Allison <jra at samba.org>
05/28/2008 12:39 PM
Please respond to
Jeremy Allison <jra at samba.org>
To
Joseph P Villa <jvilla at usgs.gov>
cc
samba at lists.samba.org
Subject
Re: [Samba] Nessus test issues with open shares
On Wed, May 28, 2008 at 12:58:12PM -0400, Joseph P Villa wrote:
> Hi,
>
> My name is Joseph Villa, I'm new to the message boards and I'm also new to
> Samba. I just got an e-mail back on our Nessus scans. Here are the 2 that
> are relevant:
>
> 1.) The remote host has accessible LOGS$ share.
>
> ScriptLogic creates this share to store the logs, but does not properly
> set the permissions on it. As a result, anyone
> can use it to read the remote logs.
>
> Solution: Limit access to this share to the backup account and the Domain
> Administrator.
>
>
>
>
> 2.) Backup share can be accessed without authentication.
>
> The remote host has an accessible ARCSERVE$ share.
>
> Several versions of ARCserve store the backup agent username and password
> in cleartext in this share.
> An attacker may use this flaw to obtain the password file of the remote
> backup agent and use it to gain privileges on the host.
>
> Solution is to limit the access to this share to the backup account and
> domain administrator.
>
>
>
> Both of these are off of our Sun server running Solaris 10 as the OS. I'm
> thinking both directories are being shared via Samba, although there is
> much I don't know about this system. Has anyone out there run into the
> same issue?
Post your smb.conf so we can see what shares you have defined.
Jeremy.