From 35242f231285989bb7f5d3fe66fd743464b4b6a7 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 3 Jul 2017 11:28:06 +1200
Subject: [PATCH 1/2] s3-rpc_server: Disable the NETLOGON server by default

The NETLOGON server is only needed when the classic/NT4 DC is enabled and has been the source of security issues in the past. Therefore reduce the attack surface.

Signed-off-by: Andrew Bartlett
---
 source3/rpc_server/rpc_config.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
index 23c6f88eac4..01e338e1a89 100644
--- a/source3/rpc_server/rpc_config.c
+++ b/source3/rpc_server/rpc_config.c
@@ -96,6 +96,7 @@ struct rpc_daemon_defaults {
 	const char *def_type;
 } rpc_daemon_defaults[] = {
 	{ "epmd", "disabled" },
+	{ "netlogon", "disabled" },
 	/* { "spoolssd", "embedded" }, */
 	/* { "lsasd", "embedded" }, */
 	{ "fssd", "disabled" },
@@ -109,7 +110,8 @@ enum rpc_daemon_type_e rpc_daemon_type(const char *name)
 	enum rpc_daemon_type_e type;
 	const char *def;
 	int i;
-
+	enum server_role server_role = lp_server_role();
+
 	def = "embedded";
 	for (i = 0; rpc_daemon_defaults[i].name; i++) {
 		if (strcasecmp_m(name, rpc_daemon_defaults[i].name) == 0) {
@@ -117,6 +119,16 @@ enum rpc_daemon_type_e rpc_daemon_type(const char *name)
 		}
 	}
 
+	/*
+	 * Only enable the netlogon server by default if we are a
+	 * classic/NT4 domain controller
+	 */
+	if ((strcasecmp_m(name, "netlogon") == 0) &&
+	    (server_role == ROLE_DOMAIN_BDC ||
+	     server_role == ROLE_DOMAIN_PDC)) {
+		def = "embedded";
+	}
+
 	rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
 					   "rpc_daemon", name, def);
 
-- 
2.11.0

From 77631c85eaa91e9e6fc0932015a95f37cfaf65bd Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 3 Jul 2017 13:10:35 +1200
Subject: [PATCH 2/2] auth: Disable SChannel authentication if we are not a DC
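Review bot: The netlogon override at the end of the third hunk of rpc_config.c hard-codes the "netlogon" name a second time, separately from the new table entry in the first hunk, so the table no longer documents the effective default on its own; a comment on the table entry such as `{ "netlogon", "disabled" }, /* "embedded" on ROLE_DOMAIN_PDC/BDC, see rpc_daemon_type() */` would keep the two in step. The override accepts only ROLE_DOMAIN_BDC and ROLE_DOMAIN_PDC, while the schannel check in the second patch also accepts ROLE_ACTIVE_DIRECTORY_DC; if leaving the AD DC out here is intended, the added comment should say why. The `server_role` local introduced in the second hunk is read only by that one check and could be declared next to it. rpc_daemon_type's body continues outside the hunk.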
Signed-off-by: Andrew Bartlett
---
 auth/gensec/schannel.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 41f635182cf..c018ec608de 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -34,6 +34,7 @@
 #include "param/param.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 #include "lib/crypto/crypto.h"
+#include "libds/common/roles.h"
 
 struct schannel_state {
 	struct gensec_security *gensec;
@@ -723,9 +724,23 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
 	return NT_STATUS_OK;
 }
 
+/*
+ * Reduce the attack surface by ensuring schannel is not availble when
+ * we are not a DC
+ */
 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
 {
-	return NT_STATUS_OK;
+	enum server_role server_role
+		= lpcfg_server_role(gensec_security->settings->lp_ctx);
+
+	switch (server_role) {
+	case ROLE_DOMAIN_BDC:
+	case ROLE_DOMAIN_PDC:
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		return NT_STATUS_OK;
+	default:
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
 }
 
 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
-- 
2.11.0
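Review bot: The new comment above schannel_server_start misspells "available" and does not say what the NT_STATUS_NOT_IMPLEMENTED return on the default branch means to the caller; if the gensec layer treats that status as "mechanism unavailable" rather than as a failed start, the comment should say so, because on member servers this function now returns something other than NT_STATUS_OK for the first time. Suggested wording: `/* Reduce the attack surface: only offer schannel when we are a DC (NT4 PDC/BDC or AD DC). NT_STATUS_NOT_IMPLEMENTED signals to gensec that the mechanism is unavailable on this role. */`. The accepted role set here includes ROLE_ACTIVE_DIRECTORY_DC, while the NETLOGON default in the first patch is enabled only for ROLE_DOMAIN_PDC/BDC; that difference looks deliberate but deserves one sentence in either comment. A debug-level log on the default branch would also help an operator understand why a schannel bind is refused on a non-DC.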