HP CIFS Server Administrator's Guide Version A.03.01.02 (5900-1766, September 2011)

make an SMB connection to your host over a PPP interface called 'ppp0', he or she gets a TCP
connection refused reply.
Using a Firewall
You can use a firewall to deny access to services that you do not want exposed outside your
network. This is a strong protection method, but keep the host-based restrictions described
above in place as well, so that the server stays protected if the firewall is ever disabled or
misconfigured.
When you set up a firewall, you need to know which TCP and UDP ports to allow. The HP CIFS
Server uses the following ports:
UDP/137 - used by nmbd (NetBIOS name service)
UDP/138 - used by nmbd (NetBIOS datagram service)
TCP/139 - used by smbd (NetBIOS session service)
TCP/445 - used by smbd (SMB directly over TCP, without NetBIOS)
Pay particular attention to port 445. Many older firewall rule sets do not cover it, because
SMB directly over TCP/445 was added to the protocol later than the NetBIOS ports, so a rule
set that blocks only ports 137 through 139 still leaves the server reachable.
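The following probe is an added example, not part of the HP CIFS guide. It checks from the outside which of the two SMB TCP ports a host actually answers on, so that a rule set written before TCP/445 existed (139 blocked, 445 still open) shows up as "partial". The host name is taken from the command line; the self-check function opens a throw-away listener on the loopback interface as a constructed stand-in for an SMB port, so it runs without a CIFS server. UDP ports 137 and 138 are listed for reference only, since a connect() probe cannot tell whether a UDP port is filtered.

```python
import socket
import sys

# Ports the HP CIFS Server listens on, as listed in the guide.
CIFS_TCP_PORTS = {
    139: "smbd, NetBIOS session service",
    445: "smbd, SMB directly over TCP",
}
CIFS_UDP_PORTS = {  # reference only: not probed by this script
    137: "nmbd, NetBIOS name service",
    138: "nmbd, NetBIOS datagram service",
}


def tcp_port_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes.

    A refused connection, a timeout (typical of a firewall that silently
    drops the SYN) and any other socket error all count as unreachable.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:
            return False


def cifs_tcp_exposure(host, ports=None, timeout=2.0):
    """Probe the SMB TCP ports on host and return {port: reachable}."""
    ports = CIFS_TCP_PORTS if ports is None else ports
    return {port: tcp_port_reachable(host, port, timeout) for port in ports}


def classify_exposure(result):
    """Summarise a probe result.

    'blocked'  - no probed port answered
    'exposed'  - every probed port answered
    'partial'  - some answered; with {139: False, 445: True} this is the
                 signature of a firewall rule set that predates TCP/445.
    """
    reachable = [port for port, ok in result.items() if ok]
    if not reachable:
        return "blocked"
    if len(reachable) == len(result):
        return "exposed"
    return "partial"


def local_self_check():
    """Constructed demonstration needing no CIFS server or network.

    A loopback listener stands in for an open SMB port: probe it while it is
    listening, close it, then probe again to show the refused case.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = cifs_tcp_exposure("127.0.0.1", {port: "stand-in"})
    listener.close()
    after_close = cifs_tcp_exposure("127.0.0.1", {port: "stand-in"})
    return classify_exposure(while_open), classify_exposure(after_close)


if __name__ == "__main__":
    # Usage: python probe.py <host>   (defaults to the local machine)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    probe = cifs_tcp_exposure(target)
    for port, ok in sorted(probe.items()):
        state = "reachable" if ok else "not reachable"
        print(f"TCP/{port} ({CIFS_TCP_PORTS[port]}): {state}")
    print("exposure:", classify_exposure(probe))
```

Run it from a host on the far side of the firewall; running it on the CIFS server itself only tells you that smbd is listening, not what the firewall permits.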
Using an IPC$ Share-Based Denial
You can also use a more specific deny on the IPC$ share. This allows you to offer access to other
shares while denying access to the IPC$ share from potentially untrustworthy hosts.
For example, you can configure an IPC$ share as follows:
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
This configuration tells the HP CIFS Server not to accept IPC$ connections from anywhere except
the two sources listed: the local host (127.0.0.1) and the local subnet (192.168.115.0/24).
Because IPC$ is the only share that is always accessible anonymously, this provides some
protection against attackers who do not know a valid user name and password for your host.
If you use this method, clients outside the allowed list receive an access denied reply when they
try to connect to the IPC$ share. Such clients cannot browse the share list and might also be
unable to access some other resources, because share enumeration and RPC named pipes are carried
over IPC$.
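The evaluator below is an added example, not code from the guide or from the HP CIFS Server. It reproduces the order in which smbd evaluates hosts allow and hosts deny (the allow list wins when both are set; loopback is allowed unless it is explicitly denied) and applies it to the [ipc$] stanza above, which is embedded as constructed data. It handles only the address forms the page uses, a single IP and a CIDR network; host names, ALL and EXCEPT are left out. Running it shows that an allow list on its own already denies every host not on it, so the hosts deny = 0.0.0.0/0 line is belt and braces rather than the part that does the blocking.

```python
import ipaddress

# Constructed from the [ipc$] stanza shown on this page.
IPC_SHARE = {
    "hosts allow": "192.168.115.0/24 127.0.0.1",
    "hosts deny": "0.0.0.0/0",
}


def _parse_host_list(value):
    """Turn a 'hosts allow' / 'hosts deny' value into ipaddress networks.

    Accepts single addresses (127.0.0.1 -> /32) and CIDR networks.
    Host names, ALL and EXCEPT are not handled in this example.
    """
    return [
        ipaddress.ip_network(item, strict=False)
        for item in value.replace(",", " ").split()
    ]


def _matches(nets, client_ip):
    return any(client_ip in net for net in nets)


def host_allowed(client, hosts_allow="", hosts_deny=""):
    """Decide access the way smbd does, in this order:

    0. loopback is allowed unless it is specifically denied
    1. neither list set        -> everyone is allowed
    2. only hosts allow set    -> only listed hosts are allowed
    3. only hosts deny set     -> everyone not listed is allowed
    4. both set                -> a host on the allow list is allowed even if
                                  it also matches deny; otherwise a host on the
                                  deny list is refused; anything else is allowed
    """
    ip = ipaddress.ip_address(client)
    allow = _parse_host_list(hosts_allow)
    deny = _parse_host_list(hosts_deny)

    if ip.is_loopback and not _matches(deny, ip):
        return True
    if not allow and not deny:
        return True
    if not deny:
        return _matches(allow, ip)
    if not allow:
        return not _matches(deny, ip)
    if _matches(allow, ip):
        return True
    if _matches(deny, ip):
        return False
    return True


def ipc_access(client, share=IPC_SHARE):
    """Apply the page's [ipc$] restriction to one client address."""
    return host_allowed(client, share["hosts allow"], share["hosts deny"])


if __name__ == "__main__":
    for client in ("192.168.115.42", "127.0.0.1", "10.0.0.5"):
        verdict = "allowed" if ipc_access(client) else "access denied"
        print(f"IPC$ from {client}: {verdict}")
```

Use it to sanity-check a proposed stanza before loading it: feed the addresses of the hosts that must keep working and of a host that must not, and confirm the verdicts match what you intend.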
Protecting Sensitive Information
This section describes the security methods you can use to protect sensitive information.
Encrypting Authentication
You must set the encrypt passwords parameter to yes in the smb.conf file so that passwords are
never sent in plain text: with encrypted passwords, only a challenge/response derived from the
password hash crosses the network during authentication.
The HP CIFS Server accepts the LM, NTLM and NTLMv2 challenge/response authentication methods,
depending on client settings. NTLMv2 is the most secure. To use NTLMv2 authentication, configure
the following client registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000003
The value 0x00000003 means send NTLMv2 responses only; the client never sends LM or NTLM
responses.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00080000
The value 0x00080000 means permit only NTLMv2 session security. If either NtlmMinClientSec or
NtlmMinServerSec is set to 0x00080000, the connection fails if NTLMv2 session security is not
negotiated.
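The registry keys above harden the client side only; a server that still accepts LM and NTLM responses can be talked down by any client that was not reconfigured. The smb.conf fragment below is an added example, not taken from the guide: the parameters are standard Samba options rather than something specific to HP CIFS, so confirm with testparm that your release recognises them before relying on them.

```ini
[global]
    # Never accept plain text passwords; authenticate by challenge/response
    encrypt passwords = yes
    # Refuse LM responses (the LM hash is weak and trivially cracked)
    lanman auth = no
    # Refuse NTLM (v1) responses as well, leaving NTLMv2 as the only option
    ntlm auth = no
    # Make this host's own client tools (smbclient, net) send NTLMv2 only
    client ntlmv2 auth = yes
    client lanman auth = no
```

Roll the client registry change out first and set ntlm auth = no afterwards: once the server refuses NTLM, any client still at lmcompatibilitylevel 2 or lower gets an authentication failure rather than a downgrade.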
You can also use the Lightweight Directory Access Protocol (LDAP) for authentication. To prevent
plain text password transfer with LDAP directories, you can configure Secure Socket Layer (SSL)
134 Securing HP CIFS Server