[Samba] Prevent AD Enumeration
Kees van Vloten
keesvanvloten at gmail.com
Wed Jul 10 11:44:08 UTC 2024
On 10-07-2024 11:41, Anantha Raghava via samba wrote:
> Hi,
>
> Is there any setting in smb.conf that prevents the AD enumeration like
> user, group or computer enumeration? We tried to follow different
> methods recommended by Microsoft for the AD. But they don't seem to
> work. Still, using apps like PowerShell, we can still enumerate the
> users, groups etc.
>
Not that I am aware of.
As an alternative I have set up an OpenLDAP proxy. It forwards queries to
AD and limits visibility of AD's LDAP. In the OpenLDAP configuration it
is relatively simple to set ACLs on all kinds of operations and objects.
Of course this solution is not suitable for domain members. In my setup
I use it for queries from services in the DMZ. The services just have a
service account in AD that they use to authenticate for their query.
Firewall settings are in place to take care that it is not possible to
connect from the DMZ to AD DCs directly but just to the OpenLDAP proxy.
- Kees.
> Best regards,
>
> Anantha Raghava
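Kees describes the proxy only in outline. The slapd.conf below is an added example of what such a back-ldap proxy could look like; it is not Kees's configuration and not part of the Samba project. Every hostname, DN, OU name and file path in it is a constructed placeholder. The idea is the one in the reply: DMZ services bind with their own AD service account, the proxy forwards the bind and search to the domain controllers, and the proxy's own ACLs decide which entries and attributes come back, so computers, domain controllers and group member lists are simply never visible from the DMZ.

```conf
# slapd.conf for an OpenLDAP back-ldap proxy sitting between a DMZ and AD.
# Added example, not from the original post; all hosts, DNs and paths are
# constructed placeholders. The firewall is assumed to allow
# DMZ -> proxy:636 and proxy -> DC:636 only (nothing from the DMZ to a DC).

include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd/slapd.pid
moduleload      back_ldap.la

# Certificates for the listener exposed to the DMZ and the CA that signed
# the domain controllers' certificates (placeholders).
TLSCertificateFile      /etc/openldap/certs/proxy.crt
TLSCertificateKeyFile   /etc/openldap/certs/proxy.key
TLSCACertificateFile    /etc/openldap/certs/ad-ca.crt

########## proxy database: everything is forwarded to the DCs ##########
database        ldap
suffix          "DC=example,DC=internal"
# Two DCs for failover; simple binds from DMZ services are passed through,
# so each service authenticates to AD with its own service account.
uri             "ldaps://dc1.example.internal ldaps://dc2.example.internal"

# Cap what a service account can pull back in one search. An exact-name
# lookup (sAMAccountName=jdoe) still works; a wildcard harvest is cut off
# after five entries and paged results cannot be used to walk the tree.
# Check slapd.conf(5) for the exact limit keywords on your version.
limits  dn.children="OU=DMZ Service Accounts,DC=example,DC=internal"
        size.soft=5 size.hard=5 size.prtotal=disabled

########## ACLs: what the proxy lets out of AD ##########
# Computer and domain-controller objects are never returned to the DMZ.
access to dn.subtree="CN=Computers,DC=example,DC=internal"
        by * none
access to dn.subtree="OU=Domain Controllers,DC=example,DC=internal"
        by * none

# User objects: service accounts see only the attributes an application
# needs to look a user up and check group membership; nothing else leaks.
# "entry" is the pseudo-attribute that must be readable for the entry
# itself to be returned at all.
access to dn.subtree="OU=People,DC=example,DC=internal"
        attrs=entry,objectClass,sAMAccountName,userPrincipalName,mail,memberOf
        by dn.children="OU=DMZ Service Accounts,DC=example,DC=internal" read
        by * none

# Group objects: name only. The member attribute is deliberately absent so
# group membership cannot be harvested by walking groups.
access to dn.subtree="OU=Groups,DC=example,DC=internal"
        attrs=entry,objectClass,cn,sAMAccountName
        by dn.children="OU=DMZ Service Accounts,DC=example,DC=internal" read
        by * none

# Anything not matched above (other OUs, the domain root, schema, etc.)
# is invisible from the DMZ, whoever asks.
access to *
        by * none
```

Two caveats a practitioner will want. First, slapd-ldap(5) documents that back-ldap delegates most access checking to the remote server and only honours read access on the entries and attributes it returns, which is exactly the part this configuration relies on; write operations should not be expected to be filtered by these rules. Second, as Kees says, this helps only for clients that can be pointed at the proxy. Domain members still talk to the DCs directly, so the proxy reduces exposure of the directory to the DMZ rather than stopping enumeration from inside the domain.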