The SMB protocol, also known as Common Internet File System (CIFS), primarily provides shared access to files on a Microsoft Windows network. It also provides authentication.
The following SMB options have security implications:
Restrict Anonymous Access to Share List - This option requires clients to authenticate using SMB before receiving a list of shares. If this option is disabled, anonymous clients can access the list of shares. This option is disabled by default.
SMB Signing Enabled - This option enables interoperability with SMB clients using the SMB signing feature. If the option is enabled, a signed packet will have the signature verified. If the option is disabled, an unsigned packet will be accepted without signature verification. This option is disabled by default.
SMB Signing Required - This option can be used when SMB signing is required. When the option is enabled, all SMB packets must be signed or they will be rejected. Clients that do not support SMB signing are unable to connect to the server. This option is off by default.
Enable Access-based Enumeration - Setting this option filters directory entries based on the credentials of the client. When the client does not have access to a file or directory, that file will be omitted from the list of entries returned to the client. This option is disabled by default.
In Domain Mode, users are defined in Microsoft Active Directory (AD). SMB clients can connect to the Oracle ZFS Storage Appliance using Kerberos or NTLM authentication.
When a user connects via a fully-qualified Oracle ZFS Storage Appliance hostname, Windows clients in the same domain or a trusted domain use Kerberos authentication; otherwise, they use NTLM authentication.
When an SMB client uses NTLM authentication to connect to the appliance, the user's credentials are forwarded to the AD Domain Controller for authentication. This is called pass-through authentication.
If Windows security policies restricting NTLM authentication are defined, Windows clients must connect to the appliance via a fully-qualified hostname. For more information, see this Microsoft Developer Network article:
After authentication, a "security context" is established for the user's SMB session. The user represented by the security context has a unique Security Descriptor (SID). The SID denotes file ownership and is used to determine file access privileges.
In Workgroup Mode, users are defined locally on the Oracle ZFS Storage Appliance. When an SMB client connects to an appliance in Workgroup Mode, that user's username and password hashes are used to authenticate the user locally.
The LAN Manager (LM) compatibility level is used to specify the protocol used for authentication when the appliance is in Workgroup Mode.
The following list shows the Oracle ZFS Storage Appliance behavior for each LM compatibility level:
Level 2: Accepts LM, NTLM and NTLMv2 authentication
Level 3: Accepts LM, NTLM and NTLMv2 authentication
Level 4: Accepts NTLM and NTLMv2 authentication
Level 5: Accepts NTLMv2 authentication only
Once the Workgroup user is successfully authenticated, a security context is established. A unique SID is created for users defined on the appliance using a combination of the machine's SID and the user's UID. All local users are defined as UNIX users.
Local groups are domain user groups that provide additional privileges to those users. Administrators can bypass file permissions to change the ownership on files. Backup Operators can bypass file access controls to backup and restore files.
To ensure that only the appropriate users have access to administrative operations, there are access restrictions on the operations performed remotely using the Microsoft Management Console (MMC).
The following list shows the users and their allowed operations:
Regular Users - List shares.
Members of the Administrators Group - List opened and closed files, disconnect user connections, and view services and event log. Members of the Administrators group can also set and modify share-level ACLs.
The Virus Scan service scans for viruses at the file-system level. When a file is accessed from any protocol, the Virus Scan service first scans the file, and both denies access and quarantines the file if a virus is found. The scan is performed by an external engine that the Oracle ZFS Storage Appliance contacts. The external engine is not included in the appliance software.
Once a file has been scanned with the latest virus definitions, it is not rescanned until it is next modified. Virus scanning is provided mainly for SMB clients who are likely to introduce viruses. NFS clients can also use virus scanning, but due to the way the NFS protocol works, a virus may not be detected as quickly as with the SMB client.
SMB does not implement a delay engine to prevent timing attacks. It relies on the Oracle Solaris cryptographic framework.
The SMB service uses version 1 of the SMB protocol, which does not support data encryption on the wire.