How to lock down SMB1 access in NAS 1.4.0.1

 

 


 

Caution: This will prevent any OS that can connect only via SMB1 from having access in the future.

 


You need to specify the following options:

 

M660:cx-node1> reg set cifs.config.global.client_max_protocol = SMB3

Registry key 'cifs.config.global.client_max_protocol' set to 'SMB3'.

 

M660:cx-node1> reg set cifs.config.global.client_min_protocol = SMB2

Registry key 'cifs.config.global.client_min_protocol' set to 'SMB2'.

 

M660:cx-node1> reg set cifs.config.global.server_min_protocol = SMB2

Registry key 'cifs.config.global.server_min_protocol' set to 'SMB2'.

 

You need to do a 'share change' to apply the settings to smb.conf (here the global log level is set to 1 and then back to 0):

 

M660:cx-node1> share change smb global log level = 1

M660:cx-node1> share change smb global log level = 0

 

 

 

Verify that the smb.conf settings have taken effect with testparm:

 

[root@cx-node1 ~]# testparm -a -v | grep protocol

Load smb config files from /etc/samba/smb.conf

rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)

Processing section "[support]"

Processing section "[upgrade]"

Loaded services file OK.

'winbind separator = +' might cause problems with group membership.

 

Server role: ROLE_DOMAIN_MEMBER

 

Press enter to see a dump of your service definitions

 

        server max protocol = SMB3

        server min protocol = SMB2

        client max protocol = SMB3

        client min protocol = SMB2

        client ipc max protocol = default

        client ipc min protocol = default
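
As an added example (not part of the original page or the vendor's tooling): a POSIX shell check that reads a testparm dump like the one above and fails if either minimum protocol would still allow SMB1. The function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample dumps are constructed.

# Print the value of one exact "key = value" parameter from stdin.
get_param() {
    awk -F'=' -v key="$1" '{
        k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
        if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }'
}

# 0 if the dialect is SMB2 or newer; 1 for NT1, LANMAN*, CORE*, or empty.
is_smb2_or_newer() {
    case "$1" in
        SMB2*|SMB3*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a testparm dump on stdin; non-zero exit if a minimum still allows SMB1.
# The "client ipc" lines are not evaluated.
check_smb1_disabled() {
    dump=$(cat); rc=0
    for key in "server min protocol" "client min protocol"; do
        val=$(printf '%s\n' "$dump" | get_param "$key")
        if is_smb2_or_newer "$val"; then
            echo "OK   $key = $val"
        else
            echo "FAIL $key = ${val:-<not found>}"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the locked-down values shown on this page.
sample_locked() {
    cat <<'EOF'
Server role: ROLE_DOMAIN_MEMBER
        server max protocol = SMB3
        server min protocol = SMB2
        client max protocol = SMB3
        client min protocol = SMB2
        client ipc min protocol = default
EOF
}

# Constructed sample: a dump whose minimums still permit SMB1 (NT1).
sample_smb1() {
    printf '%s\n' "        server min protocol = NT1" "        client min protocol = NT1"
}

sample_locked | check_smb1_disabled
```

On a node's root shell, the same function can be fed the live dump by piping the testparm command shown above into check_smb1_disabled.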

 

 

 

To revert to accepting SMB1 connections, do the following:

 

M660:cx-node1> reg show cifs.config.global

cifs.config.global.client_max_protocol = 'SMB3'

cifs.config.global.client_min_protocol = 'SMB2'

cifs.config.global.log_level = '0'

cifs.config.global.server_min_protocol = 'SMB2'

 

M660:cx-node1> reg removekey cifs.config.global.client_max_protocol

Registry key 'cifs.config.global.client_max_protocol' removed.

 

M660:cx-node1> reg removekey cifs.config.global.client_min_protocol

Registry key 'cifs.config.global.client_min_protocol' removed.

 

M660:cx-node1> reg removekey cifs.config.global.server_min_protocol

Registry key 'cifs.config.global.server_min_protocol' removed.

 

M660:cx-node1> share change smb global log level = 1

Share global successfully changed

 

M660:cx-node1> share change smb global log level = 0

Share global successfully changed

 

 


