HP CIFS Server 3.0f Administrator's Guide version A.02.03
Using a Firewall
You can use a firewall to deny access to services that you do not want exposed outside your network. This
can be a very good protection method, although the methods mentioned above can also be used in case
the firewall is not active for some reason.
When you set up a firewall, you need to know which TCP and UDP ports to allow. The HP CIFS Server uses
the following ports:
UDP/137 - used by nmbd
UDP/138 - used by nmbd
TCP/139 - used by smbd
TCP/445 - used by smbd
Port 445 is important because many older firewall setups do not account for it; this port was only
added to the protocol in recent years.
Using an IPC$ Share-Based Denial
You can also use a more specific deny on the IPC$ share. This allows you to offer access to other shares
while denying access to the IPC$ share from potentially untrustworthy hosts.
For example, you can configure an IPC$ share as follows:
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
This configuration tells the HP CIFS Server that it cannot accept IPC$ connections from anywhere but the two
places listed: a local host and a local subnet. Because the IPC$ share is the only share that is always
accessible anonymously, this provides some level of protection against attackers that do not know a valid
user name and password for your host.
If you use this method, then clients receive an access denied reply when they try to access the IPC$
share. This means that those clients cannot browse shares and might also be unable to access some other
resources.
Protecting Sensitive Information
This section describes the security methods you can use to protect sensitive information.
Encrypting Authentication
You must set the encrypt passwords parameter to yes in the smb.conf file to ensure that passwords are
encrypted when they are transmitted across the network during authentication.
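The following audit script is an added example, not code from the guide or from HP CIFS Server. It reads a constructed smb.conf fragment modelled on the [ipc$] example above, evaluates which sample client addresses can reach the IPC$ share, and confirms that encrypt passwords is enabled. The precedence rules it applies (a matching hosts allow entry wins, then a matching hosts deny entry refuses, otherwise the client is admitted) are Samba's documented behaviour and are assumed here to hold for HP CIFS Server, which is Samba-based.

```python
import ipaddress

# Constructed sample smb.conf modelled on the guide's [ipc$] example (not from the page).
SAMPLE_SMB_CONF = """[global]
   encrypt passwords = yes
[ipc$]
   hosts allow = 192.168.115.0/24 127.0.0.1
   hosts deny = 0.0.0.0/0
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {lower-cased key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def host_matches(pattern, ip):
    """Samba host pattern: CIDR network, 'a.b.c.' prefix, or a single address."""
    if pattern.endswith("."):
        return str(ip).startswith(pattern)
    return ip in ipaddress.ip_network(pattern, strict=False)

def ipc_allowed(conf, client):
    """Apply Samba's hosts allow / hosts deny precedence to the [ipc$] share."""
    ip = ipaddress.ip_address(client)
    share = conf.get("ipc$", {})
    allow = share.get("hosts allow", "").replace(",", " ").split()
    deny = share.get("hosts deny", "").replace(",", " ").split()
    in_allow = any(host_matches(p, ip) for p in allow)
    in_deny = any(host_matches(p, ip) for p in deny)
    if allow and not deny:          # allow list only: everyone else is refused
        return in_allow
    if deny and not allow:          # deny list only: everyone else is admitted
        return not in_deny
    return in_allow or not in_deny  # both lists: allow wins, then deny, else admit

def encrypt_passwords_on(conf):
    # Samba accepts yes/true/1 as boolean "on"; anything else is treated as off.
    value = conf.get("global", {}).get("encrypt passwords", "").lower()
    return value in ("yes", "true", "1")

print(ipc_allowed(parse_smb_conf(SAMPLE_SMB_CONF), "10.0.0.5"))  # prints False
```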
The HP CIFS Server accepts the LM, NTLM, and NTLMv2 authentication methods, depending on the client
settings. NTLMv2 is the most secure. To use NTLMv2 authentication, you need to configure the following client
registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000003
The value of 0x00000003 means to send NTLMv2 responses only.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00080000
The value 0x00080000 means to permit only NTLMv2 session security. If either the NtlmMinClientSec or
NtlmMinServerSec option is set to 0x00080000, the connection fails if NTLMv2 session security is not
negotiated.
You can also use the Lightweight Directory Access Protocol (LDAP) for authentication. To prevent plain text
password transfer with LDAP directories, you can configure Secure Socket Layer (SSL) on your systems and
142 Securing HP CIFS Server