What are the ramifications of hardening CIFS security settings?
Applies to
- ONTAP 9
- CIFS
Answer
- LM Compatibility Level: current value lm-ntlm-ntlmv2-krb; requested hardened value ntlmv2-krb
  - This will not affect existing sessions, only new sessions that attempt to connect. Those clients must support either NTLMv2 or Kerberos authentication.
- Is SMB Encryption Required: current value false; requested hardened value true
  - This will not affect existing sessions, only new sessions. New clients must support SMBv3, because end-to-end encryption is only supported by SMB3 and above. SMB3 is not supported on Windows versions prior to Windows 8 and Windows Server 2012, or on RHEL versions below 7.5.
- Client Session Security: current value none; requested hardened value seal
  - This will not affect existing sessions, only new sessions. It causes AD LDAP communication to be both signed and sealed.
- Use LDAPS for AD LDAP connection: current value false; requested hardened value true
  - This will not affect existing sessions, only new sessions. This parameter specifies whether to use LDAPS for AD LDAP connections. When enabled, communication between the ONTAP LDAP client and the LDAP server is encrypted using LDAPS over port 636. LDAPS provides secure communication by using the TLS/SSL protocols on port 636. The default setting is false.
  - Note: Ensure that the correct certificates are installed for the CIFS home domain and any trusted domains.
- Encryption is required for DC Connections: current value false; requested hardened value true
  - This will not affect existing sessions, only new sessions.
- AES session key enabled for NetLogon channel: current value false; requested hardened value true
  - This will not affect existing sessions, only new sessions.
- Encryption Types Advertised to Kerberos: current value aes-256, aes-128, rc4, des; requested hardened value aes-128, aes-256
  - This will not affect existing sessions, only new sessions.
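Because every hardened setting above only bites when a client reconnects, the practical question before changing anything is which of today's sessions would be refused the next time they come back. The following script is an added example, not NetApp's code or part of this article: it parses tabular `vserver cifs session show -fields ...` output and flags sessions whose authentication mechanism is not NTLMv2/Kerberos (ntlmv2-krb) or whose dialect is below SMB3 (SMB encryption required). The session output below is constructed, and the field names and value spellings (`auth-mechanism`, `protocol-version`, `smb-encryption-status`, `SMB3_1`, `NTLMv1`) are assumptions from memory of the ONTAP CLI; confirm them on your own cluster before relying on the column mapping.

```python
import re
from dataclasses import dataclass, field

# Hardened values from the article: lm-compatibility-level ntlmv2-krb accepts
# only these mechanisms, and is-smb-encryption-required needs SMB3 or later.
ACCEPTED_AUTH = {"NTLMv2", "Kerberos"}
MIN_SMB_MAJOR_FOR_ENCRYPTION = 3

# Constructed sample in the shape of
#   vserver cifs session show -fields address,auth-mechanism,protocol-version,smb-encryption-status
# Field names and value spellings are assumptions; verify on a real cluster.
SAMPLE_OUTPUT = """\
vserver address   auth-mechanism protocol-version smb-encryption-status
------- --------- -------------- ---------------- ---------------------
svm1    10.0.1.15 Kerberos       SMB3_1           unencrypted
svm1    10.0.1.22 NTLMv2         SMB3             encrypted
svm1    10.0.1.40 NTLMv1         SMB2_1           unencrypted
svm1    10.0.2.9  NTLMv2         SMB2             unencrypted
svm1    10.0.3.7  Kerberos       SMB3             unencrypted
5 entries were displayed.
"""


@dataclass
class Finding:
    address: str
    auth: str
    protocol: str
    reasons: list = field(default_factory=list)


def parse_show_fields(text):
    """Parse '-fields' style tabular output into a list of dicts keyed by column.

    Column boundaries are taken from the dashed underline row, so a value that
    contains spaces still lands in the correct column. Parsing stops at the
    trailing 'N entries were displayed.' summary line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(r"-+(?: -+)*\s*", line):
            dash_idx = i
            break
    else:
        raise ValueError("no column underline row found")
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[dash_idx])]
    header = lines[dash_idx - 1]
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in lines[dash_idx + 1:]:
        if not line.strip() or line.strip().endswith("displayed."):
            break
        values = []
        for idx, (s, e) in enumerate(spans):
            # the last column is open-ended so long values are not truncated
            values.append(line[s:].strip() if idx == len(spans) - 1 else line[s:e].strip())
        rows.append(dict(zip(names, values)))
    return rows


def smb_major(protocol_version):
    """'SMB3_1' -> 3, 'SMB2' -> 2; unknown strings count as 0 (i.e. too old)."""
    m = re.match(r"SMB(\d+)", protocol_version)
    return int(m.group(1)) if m else 0


def audit(rows):
    """Return one Finding per session that would be refused on reconnect."""
    findings = []
    for r in rows:
        f = Finding(r["address"], r["auth-mechanism"], r["protocol-version"])
        if f.auth not in ACCEPTED_AUTH:
            f.reasons.append("lm-compatibility-level ntlmv2-krb refuses " + f.auth)
        if smb_major(f.protocol) < MIN_SMB_MAJOR_FOR_ENCRYPTION:
            f.reasons.append("SMB encryption required but " + f.protocol + " cannot encrypt")
        if f.reasons:
            findings.append(f)
    return findings


def audit_text(text):
    return audit(parse_show_fields(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_OUTPUT):
        print(f"{f.address}: " + "; ".join(f.reasons))
```

Sessions listed by the audit keep working until they drop and reconnect, which is exactly why the article stresses that existing sessions are unaffected; the value of running this first is that it turns a future surprise into a client upgrade list.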
