[Samba] FWIW -- my current (low security) settings
Linda W
samba at tlinx.org
Fri Feb 1 20:21:45 MST 2013
This is on a private internal net optimized for speed, not security (it
isn't exposed to the 'net', generally speaking, or the public)...
So most security is turned off. Excuse typos -- this was from a screen
reader...

I turn off sign/seal/encrypt because all that is overhead on a 20Gb
network that Windows can't begin to keep up with.
I'm lucky when Windows uses 20% of the speed at this point...
Accounts: Administrator account status  Enabled
Accounts: Guest account status  Enabled
Accounts: Limit local account use of blank passwords to console logon only  Enabled
Accounts: Rename administrator account  root
Accounts: Rename guest account  Guest
Audit: Audit the access of global system objects  Disabled
Audit: Audit the use of Backup and Restore privilege  Disabled
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category setti...  Not Defined
Audit: Shut down system immediately if unable to log security audits  Disabled
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax  Not Defined
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax  Not Defined
Devices: Allow undock without having to log on  Enabled
Devices: Allowed to format and eject removable media  Not Defined
Devices: Prevent users from installing printer drivers  Disabled
Devices: Restrict CD-ROM access to locally logged-on user only  Not Defined
Devices: Restrict floppy access to locally logged-on user only  Not Defined
Domain controller: Allow server operators to schedule tasks  Enabled
Domain controller: LDAP server signing requirements  Not Defined
Domain controller: Refuse machine account password changes  Enabled
Domain member: Digitally encrypt or sign secure channel data (always)  Disabled
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)  10 logons
Interactive logon: Prompt user to change password before expiration  5 days
Interactive logon: Require Domain Controller authentication to unlock workstation  Disabled
Interactive logon: Require smart card  Disabled
Interactive logon: Smart card removal behavior  No Action
Microsoft network client: Digitally sign communications (always)  Disabled
Microsoft network client: Digitally sign communications (if server agrees)  Disabled
Microsoft network client: Send unencrypted password to third-party SMB servers  Disabled
Microsoft network server: Amount of idle time required before suspending session  9999 minutes
Microsoft network server: Digitally sign communications (always)  Disabled
Microsoft network server: Digitally sign communications (if client agrees)  Disabled
Microsoft network server: Disconnect clients when logon hours expire  Disabled
Microsoft network server: Server SPN target name validation level  Not Defined
Network access: Allow anonymous SID/Name translation  Disabled
Network access: Do not allow anonymous enumeration of SAM accounts  Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares  Disabled
Network access: Do not allow storage of passwords and credentials for network authentication  Disabled
Network access: Let Everyone permissions apply to anonymous users  Disabled
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths  System\CurrentControlSet\Control\ProductOptions,System\...
Network access: Remotely accessible registry paths and sub-paths  System\CurrentControlSet\Control\Print\Printers,System\Cu...
Network access: Restrict anonymous access to Named Pipes and Shares  Disabled
Network access: Shares that can be accessed anonymously  Not Defined
Network access: Sharing and security model for local accounts  Classic - local users authenticate as themselves
Network security: Allow Local System to use computer identity for NTLM  Disabled
Network security: Allow LocalSystem NULL session fallback  Disabled
Network Security: Allow PKU2U authentication requests to this computer to use online identities  Not Defined
Network security: Configure encryption types allowed for Kerberos  Not Defined
Network security: Do not store LAN Manager hash value on next password change  Enabled
Network security: Force logoff when logon hours expire  Disabled
Network security: LAN Manager authentication level  Send LM & NTLM - use NTLMv2 session security if negotiated
Network security: LDAP client signing requirements  Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients  No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers  No minimum
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication  Not Defined
Network security: Restrict NTLM: Add server exceptions in this domain  Not Defined
Network security: Restrict NTLM: Audit Incoming NTLM Traffic  Not Defined
Network security: Restrict NTLM: Audit NTLM authentication in this domain  Not Defined
Network security: Restrict NTLM: Incoming NTLM traffic  Not Defined
Network security: Restrict NTLM: NTLM authentication in this domain  Not Defined
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers  Not Defined
Recovery console: Allow automatic administrative logon  Disabled
Recovery console: Allow floppy copy and access to all drives and all folders  Disabled
Shutdown: Allow system to be shut down without having to log on  Enabled
Shutdown: Clear virtual memory pagefile  Disabled
System cryptography: Force strong key protection for user keys stored on the computer  User input is not required when new keys are stored and used
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing  Disabled
System objects: Require case insensitivity for non-Windows subsystems  Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)  Enabled
System settings: Optional subsystems  Posix
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies  Disabled
User Account Control: Admin Approval Mode for the Built-in Administrator account  Disabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop  Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode  Elevate without prompting
User Account Control: Behavior of the elevation prompt for standard users  Prompt for credentials
User Account Control: Detect application installations and prompt for elevation  Enabled
User Account Control: Only elevate executables that are signed and validated  Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations  Disabled
User Account Control: Run all administrators in Admin Approval Mode  Disabled
User Account Control: Switch to the secure desktop when prompting for elevation  Disabled
User Account Control: Virtualize file and registry write failures to per-user locations  Disabled
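Read as a hardening checklist, the dump above is mostly a record of which protections are switched off. The script below is an added example, not code from Linda's post or from the Samba project: it parses lines in the same "setting name  value" shape a Local Security Policy dump produces and flags the values a review would question (SMB signing not required, LM/NTLMv1 responses still sent, no NTLM SSP session-security minimum, anonymous share enumeration allowed, UAC off). The sample input is constructed from values in the post; the rule table, the risk wording and the function names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Values that end a "Setting  Value" line in a Local Security Policy dump.
# A line whose tail matches none of these is kept as a setting with no value.
VALUE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<value>Enabled|Disabled|Not Defined|No minimum|"
    r"No Action|Negotiate signing|Elevate without prompting|Prompt for credentials|"
    r"\d+ (?:logons|days|minutes)|Send LM .*|Send NTLMv2 .*|Classic - .*)$"
)


@dataclass(frozen=True)
class Finding:
    setting: str
    value: str
    risk: str


# Example rule table (not a Microsoft baseline): setting name -> (predicate on
# the recorded value, why a reviewer would raise it).
WEAK_RULES: dict[str, tuple[Callable[[str], bool], str]] = {
    "Microsoft network client: Digitally sign communications (always)":
        (lambda v: v == "Disabled", "SMB client does not require signing; sessions can be tampered with in transit"),
    "Microsoft network server: Digitally sign communications (always)":
        (lambda v: v == "Disabled", "SMB server does not require signing"),
    "Domain member: Digitally encrypt or sign secure channel data (always)":
        (lambda v: v == "Disabled", "secure channel to the DC may be neither signed nor encrypted"),
    "Network security: LAN Manager authentication level":
        (lambda v: v.startswith("Send LM"), "LM and NTLMv1 responses are still sent; NTLMv2-only is the baseline"),
    "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients":
        (lambda v: v == "No minimum", "NTLM SSP clients accept sessions without NTLMv2 or 128-bit encryption"),
    "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers":
        (lambda v: v == "No minimum", "NTLM SSP servers accept sessions without NTLMv2 or 128-bit encryption"),
    "Network access: Do not allow anonymous enumeration of SAM accounts and shares":
        (lambda v: v == "Disabled", "anonymous sessions can enumerate shares"),
    "User Account Control: Run all administrators in Admin Approval Mode":
        (lambda v: v == "Disabled", "UAC is effectively off; administrator tokens are never split"),
}


def parse_policy_dump(text: str) -> dict[str, Optional[str]]:
    """Map each setting name to its recorded value (None when the dump has none)."""
    settings: dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            settings[m.group("name").rstrip()] = m.group("value")
        else:
            settings[line] = None  # setting listed without a value
    return settings


def audit(settings: dict[str, Optional[str]]) -> list[Finding]:
    """Return one Finding per rule whose predicate matches the recorded value."""
    findings = []
    for name, (is_weak, risk) in WEAK_RULES.items():
        value = settings.get(name)
        if value is not None and is_weak(value):
            findings.append(Finding(name, value, risk))
    return findings


# Constructed sample: a subset of the lines in the post, in the dump's own layout.
SAMPLE_DUMP = """\
Accounts: Administrator account status Enabled
Microsoft network client: Digitally sign communications (always) Disabled
Microsoft network server: Digitally sign communications (always) Disabled
Domain member: Digitally encrypt or sign secure channel data (always) Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Disabled
Network security: LAN Manager authentication level Send LM & NTLM - use NTLMv2 session security if negotiated
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers No minimum
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 10 logons
User Account Control: Run all administrators in Admin Approval Mode Disabled
Network access: Named Pipes that can be accessed anonymously
"""

if __name__ == "__main__":
    for f in audit(parse_policy_dump(SAMPLE_DUMP)):
        print(f"[weak] {f.setting} = {f.value}\n       {f.risk}")
```

Feeding the full dump from the post through `parse_policy_dump` gives the same picture the author describes in prose: every signing and session-security control that the rule table knows about is either Disabled or at its weakest value, which is the trade-off being made for throughput on an isolated segment.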