Bug 12775 - Change default value of restrict anonymous = 2
Summary: Change default value of restrict anonymous = 2
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.6.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2017-05-05 18:44 UTC by Denis Cardon
Modified: 2022-05-10 21:48 UTC
Description Denis Cardon 2017-05-05 18:44:32 UTC
Currently the default value of restrict anonymous is 0 even on Samba AD DC. It allows a user to list the domain users from a client without authentication using the following command and it is detected as a security issue by network security tools:
 rpcclient -U "" server_ip

It should be changed to restrict anonymous = 2, at least when running in DC mode.
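As an added illustration of the configuration gap the report describes (example code, not from the Samba project or the reporter): a POSIX shell check that reads the [global] section of an smb.conf, determines whether the host is configured as an AD DC, and flags it when "restrict anonymous" is unset (Samba's default of 0) or below 2. The two sample configs are constructed inline; the accepted "server role" aliases beyond the full "active directory domain controller" string are an assumption.

```shell
#!/bin/sh
# Added example, not Samba project code. Checks a Samba smb.conf for the
# weak default reported in this bug: an AD DC with restrict anonymous < 2.

# smb_global_value FILE KEY
# Print the value of KEY from the [global] section of FILE (last one wins).
# Case-insensitive on keys and section names; skips '#' and ';' comment lines.
smb_global_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # [section] header
            s = tolower($0); sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            gsub(/[ \t]/, "", s)
            in_global = (s == "global"); next
        }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_restrict_anonymous FILE
# Returns 0 when the config is acceptable (or the host is not an AD DC),
# 1 when an AD DC leaves restrict anonymous unset or below 2.
check_restrict_anonymous() {
    role=$(smb_global_value "$1" "server role" | tr 'A-Z' 'a-z')
    ra=$(smb_global_value "$1" "restrict anonymous")
    [ -z "$ra" ] && ra=0          # Samba's documented default when unset
    case "$role" in
        # Short aliases for the AD DC role are assumed here, not taken from the bug.
        "active directory domain controller"|"ad dc"|"dc") ;;
        *) echo "not an AD DC (server role='${role:-unset}'); not checked"; return 0 ;;
    esac
    if [ "$ra" -ge 2 ] 2>/dev/null; then
        echo "OK: AD DC with restrict anonymous = $ra"
        return 0
    fi
    echo "WEAK: AD DC with restrict anonymous = $ra; anonymous SAMR/LSA enumeration is possible"
    return 1
}

# Constructed sample configs (no real hosts) to exercise the check.
tmpdir=${TMPDIR:-/tmp}/restrict-anon-demo.$$
mkdir -p "$tmpdir"
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/weak.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    ; restrict anonymous left at its default of 0
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    restrict anonymous = 2
[sysvol]
    path = /var/lib/samba/sysvol
EOF

for name in weak hardened; do
    printf '%s: ' "$name"
    check_restrict_anonymous "$tmpdir/$name.conf" || :
done
```

Run it against a real /etc/samba/smb.conf by calling check_restrict_anonymous with that path; a non-zero exit is the condition this bug asks Samba to stop shipping by default on a DC.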
Comment 1 Andrew Bartlett 2019-06-12 15:16:57 UTC
I agree, we should do this on the Samba AD DC.
Comment 2 Andreas Schneider 2021-03-31 09:22:09 UTC
We should implement 'restrict anonymous samr' and 'restrict anonymous lsa' options and turn them on by default. It should be implemented in both the samr and lsa implementations. Doesn't make sense to have this turned on in smbd either.
Comment 3 Andrew Bartlett 2021-03-31 09:23:45 UTC
I think this is what 'restrict anonymous = 1' was meant to mean. Good solid investigation needed.
Comment 4 Andrew Bartlett 2022-05-10 21:47:22 UTC
Microsoft has apparently made some changes here, so we now might have a pattern to more strongly match: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925