Introduction
As part of a recent security audit, we have identified three important security features which need to be enabled on our domain. These settings are:
- Require LDAP signing
- Require LDAP channel binding
- Require SMB signing
We will begin implementing these settings one at a time, according to this timeline:
- Mar 28 - Require LDAP signing
- April 4 - Require LDAP channel binding
- April 11 - May 2 - Require SMB signing, as follows:

OU/GROUPS                                        Date
JGI                                              Monday, April 10
All Operations Divisions, including IT           Tuesday, April 11
General OU, ALS, ATAP, DSD, Molecular-Foundry    Tuesday, April 18
EETD, Engineering, ESD, PBD                      Tuesday, April 25
ESDR, HPCRD, JBEI, LSD, QSB                      Tuesday, May 2
Domain Controllers                               Tuesday, May 9
SMB Signing
The process to enforce SMB signing has three steps, which must be executed in order.
1. Enable SMB signing on client systems. When the clients refresh their GPOs, they will lose all SMB connections.
   - The configuration will be done by IT, but local sysadmins will need to ensure that all clients reconnect successfully.
   - It may take several hours until any given client receives the new setting. To force the change to happen immediately, it will be necessary to log in to each client and reboot the system.
   - As an alternative to rebooting, it is possible to manually remap network drives, as follows:
     - Run the command "gpupdate /force" with elevated privileges on each client.
     - Manually disconnect all mapped network drives. Before disconnecting any mapped drives, note their paths and drive letters so they can be remapped.
     - Manually mount the network drives again.
       - For manually mapped drives, check the "Reconnect at sign-in" option.
       - For mapped drives handled by logon scripts, do not check the "Reconnect at sign-in" option.
   - Schedule: see the table above.
2. Enforce SMB signing on all file servers. This must be done by the file server owners. For NetApp file servers, instructions are available at https://go.lbl.gov/ldap-signing. For Windows file servers, no changes are needed.
   - Schedule: this must be completed before May 9.
3. Enforce SMB signing on the Domain Controllers. This will be done by IT.
   - Schedule: May 9, 2023
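The client-side remap procedure above, as an added PowerShell example (not part of this notice or any IT-provided script): it forces the GPO refresh, checks that the client actually received the signing requirement, records every mapped drive, drops the old SMB sessions and remounts them. The -LogonScriptDrives list is an assumed, site-specific input naming the letters a logon script manages, which are remapped without "Reconnect at sign-in".

```powershell
# Added example (not from the original notice): re-establish SMB sessions on a
# Windows client after the SMB-signing GPO arrives, without a reboot.
# Assumes Windows 8 / Server 2012 or later (SmbShare module) and an elevated prompt.
param(
    # Assumed site-specific list, e.g. @('H:'): drives a logon script maps must
    # NOT be remapped persistently (see the "Reconnect at sign-in" rule above).
    [string[]] $LogonScriptDrives = @(),
    [string]   $RecordFile = "$env:TEMP\smb-drive-map.csv"
)

# 1. Pull the new policy now instead of waiting for the refresh interval.
gpupdate /force | Out-Null

# 2. Confirm the client received the setting before touching any shares.
$cfg = Get-SmbClientConfiguration
if (-not $cfg.RequireSecuritySignature) {
    throw "RequireSecuritySignature is still False; the GPO has not applied yet."
}

# 3. Record every mapped drive (letter + UNC path) so it can be restored.
$maps = @(Get-SmbMapping | Where-Object { $_.LocalPath -match '^[A-Z]:$' })
$maps | Select-Object LocalPath, RemotePath |
    Export-Csv -Path $RecordFile -NoTypeInformation
Write-Host "Recorded $($maps.Count) mapping(s) to $RecordFile"

# 4. Disconnect them; this tears down the unsigned SMB sessions. -UpdateProfile
#    also clears the saved mapping so step 5 decides persistence cleanly.
foreach ($m in $maps) {
    Remove-SmbMapping -LocalPath $m.LocalPath -UpdateProfile -Force -ErrorAction Stop
}

# 5. Remount from the record. Persistent == "Reconnect at sign-in"; logon-script
#    drives are remapped for this session only so the script stays in control.
foreach ($m in Import-Csv -Path $RecordFile) {
    $persist = $LogonScriptDrives -notcontains $m.LocalPath
    New-SmbMapping -LocalPath $m.LocalPath -RemotePath $m.RemotePath `
                   -Persistent $persist | Out-Null
    Write-Host ("{0} -> {1} (persistent: {2})" -f $m.LocalPath, $m.RemotePath, $persist)
}

# 6. Show the re-established sessions for the sysadmin's reconnect check.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect | Format-Table
```

The record file is kept after the run so a failed remount can be repeated by hand from the saved letter/path pairs.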
File Server Configuration
Each setting change has the potential to impact computers in the domain, either by rendering them unable to authenticate to the domain or by preventing clients of SMB file servers from authenticating with domain credentials.
Windows Systems
- Servers and clients running supported versions of Windows and Windows Server are expected to be fully compatible with the settings.
NetApp Systems
- NetApp file servers are only compatible with these settings if they have been upgraded to ONTAP 9.10.1 or higher and have the specific settings below enabled.
- Configuration details are provided below.
LDAP signing
> vserver cifs security modify -vserver <vserver> -session-security-for-ad-ldap sign
LDAP binding
- Pre-reqs
- Running ONTAP 9.10.1 or newer
- Import the root CA certificate of the DC (the same step applies to self-signed and commercial certificates; ONTAP treats both as self-signed). See:
https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_install_a_root-ca_certificate_for_AD_LDAP
> security certificate install -vserver <vserver> -type server-ca
> vserver cifs security modify -vserver <vserver> -session-security-for-ad-ldap sign
> vserver cifs security modify -vserver <vserver> -use-start-tls-for-ad-ldap true
SMB signing
Note that clients will lose CIFS share access once SMB signing is enabled. Clients must be rebooted, or the LIF must be migrated, to start a new TCP session and avoid access errors.
See https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/CIFS_inaccessible_after_enabling_SMB_signing.
> vserver cifs security modify -vserver <vserver> -is-signing-required true
Other Third Party Systems
- Other third-party systems, such as Hitachi, Synology, or Compellent file servers, may or may not be compatible with the settings. Administrators are encouraged to contact their vendor support as soon as possible.
Following each change, a follow-up reminder will be sent, and administrators will be asked to verify that all systems are operating as expected, and to report any issues to us immediately.