We're getting this ding on our security report:
3.2. Severe Vulnerabilities
3.2.3. SMB signing disabled (cifs-smb-signing-disabled)
Description:
This system does not allow SMB signing. SMB signing allows the recipient
of SMB packets to confirm their authenticity and helps
prevent man in the middle attacks against SMB. SMB signing can be
configured in one of three ways: disabled entirely (least secure),
enabled, and required (most secure).
Ports 139 & 445
Connection type . . . . . . : *TCP
Local address . . . . . . . : *
Local port . . . . . . . . . : 139
Remote address . . . . . . . : *
Remote port . . . . . . . . : *
Task
SK-ASC641P
Connection type . . . . . . : *TCP
Local address . . . . . . . : *
Local port . . . . . . . . . : 445
Remote address . . . . . . . : *
Remote port . . . . . . . . : *
Task
SMBSERVERMAIN
Is this where I need to look?
IBM i 7.3>Networking>TCP/IP applications, protocols, and services>IBM i
NetServer>IBM i NetServer security>Requiring clients to sign requests
http://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/rzahl/rzahlrequireclntsignreq.htm?lang=en
Any negative ramifications of following their advice and requiring clients
to sign certificates?
Requiring clients to sign requests
Communications between client and server can be made more secure by
requiring clients to sign requests.
This is done using a key derived from the client's authentication data. By
default, clients are not required to sign requests.
To require clients to sign requests, follow these steps:
Open System i® Navigator and connect to the system you want to work
with.
Expand Network > Servers.
Click TCP/IP to display a list of TCP/IP servers available.
Right-click IBM® i NetServer and select Properties.
Click the Security tab and click the Next Start button.
From the Require clients to sign requests drop down box, choose Yes,
Optional, or No.
Any setup work needed first? Like, get a server certificate?
Rob Berendt
midrange.com
