[Samba] Nessus - SMB Use Host SID to Enumerate Local Users Without Credentials

Edouard Guigné eguigne at pasteur-cayenne.fr
Thu Dec 3 16:47:41 UTC 2020


Hello,

I tested my Samba share with Nessus, and I found:
"Using the host security identifier (SID), Nessus was able to enumerate 
local users on the remote Windows system, without credentials."

My Samba version is 4.10.16.

The samba server is configured as domain member (not AD), in order to 
serve only files.

Is there a way to improve that security point?

Result of testparm:
# Global parameters
[global]
         client min protocol = SMB2
         client signing = required
         disable spoolss = Yes
         domain master = No
         kerberos method = secrets and keytab
         load printers = No
         local master = No
         log file = /var/log/samba/%m.log
         preferred master = No
         printcap name = /dev/null
         realm = XXXX.XXXX.XX
         security = ADS
         server min protocol = SMB2_02
         server signing = required
         winbind nss info = rfc2307
         winbind use default domain = Yes
         workgroup = XXXX
         idmap config ipgad : unix_primary_group = yes
         idmap config ipgad : unix_nss_info = yes
         idmap config ipgad : range = 10000 - 14999
         idmap config ipgad : schema_mode = rfc2307
         idmap config ipgad : backend = ad
         idmap config * : range = 15000-99999
         idmap config * : backend = tdb
         cups options = raw
         hosts allow = 127. 10.9.x.
         hosts deny = 10.9.x.
         map acl inherit = Yes
         use sendfile = Yes
         vfs objects = acl_xattr


[groups]
         comment = mysmbserver
         path = /var/datashared
         read only = No
         valid users = "@IPGAD\utilisateurs du domaine"
         vfs objects = acl_xattr streams_xattr shadow_copy2
         shadow:format = daily_%Y.%m.%d-%H.%M.%S
         shadow:localtime = yes
         shadow:sort = desc
         shadow:basedir = /var/datashared
         shadow:snapdir = /data/datashared/snapshots


[homes]
         browseable = No
         comment = Home Directories
         create mask = 0700
         directory mask = 0700
         hide files = /~*.tmp/profile/desktop.ini/~$*/
         path = /home
         read only = No
         valid users = %S


[printers]
         browseable = No
         comment = All Printers
         create mask = 0600
         path = /var/tmp
         printable = Yes


[print$]
         comment = Printer Drivers
         create mask = 0664
         directory mask = 0775
         path = /var/lib/samba/drivers
         write list = root

Best regards,

Ed
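Added example (not from the post or from the Samba project): a small Python audit helper that parses testparm-style output such as the config quoted above and reports the parameters that govern anonymous SMB access (`restrict anonymous`, `map to guest`, `guest ok`, all documented smb.conf(5) options with their documented defaults). It assumes a trimmed copy of the quoted config as constructed input; whether tightening these settings clears this particular Nessus plugin is something to confirm by re-scanning.

```python
# Constructed excerpt of the testparm output quoted in the post (trimmed, values
# unchanged); a raw string keeps the backslash in the valid users line literal.
SAMPLE_TESTPARM = r"""
# Global parameters
[global]
         server min protocol = SMB2_02
         server signing = required
         security = ADS
         hosts allow = 127. 10.9.x.
         hosts deny = 10.9.x.

[groups]
         path = /var/datashared
         read only = No
         valid users = "@IPGAD\utilisateurs du domaine"
"""

# Defaults from smb.conf(5) that apply when the parameter line is absent.
DEFAULTS = {"restrict anonymous": "0", "map to guest": "Never", "guest ok": "No"}


def parse_testparm(text):
    """Turn testparm-style output into {section: {param: value}}.
    Keys are lower-cased with whitespace collapsed; values keep their case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_anonymous_access(sections):
    """List (section, parameter, effective value) for settings that leave
    anonymous (null-session or guest) access at their permissive value."""
    findings = []
    g = sections.get("global", {})
    restrict = g.get("restrict anonymous", DEFAULTS["restrict anonymous"])
    if restrict == "0":
        findings.append(("global", "restrict anonymous", restrict))
    guest = g.get("map to guest", DEFAULTS["map to guest"])
    if guest.lower() != "never":
        findings.append(("global", "map to guest", guest))
    for name, params in sections.items():
        if name != "global" and params.get("guest ok", DEFAULTS["guest ok"]).lower() in ("yes", "true", "1"):
            findings.append((name, "guest ok", params["guest ok"]))
    return findings


if __name__ == "__main__":
    for section, param, value in audit_anonymous_access(parse_testparm(SAMPLE_TESTPARM)):
        print(f"[{section}] {param} = {value}")
```

Run against the quoted config it reports only that `restrict anonymous` is at its default of 0; compare the output against `testparm -v`, which prints every effective parameter including defaults.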
