IBM Support

Hardening IBM i NetServer

How To


Summary

This document suggests several options to reduce the security exposure presented by the IBM i NetServer SMB/CIFS server.

Steps

NetServer administration can be accomplished via the IBM i menu application "GO NETS". See "How to manage IBM i NetServer without Navigator".
1) Ensure Guest support is disabled. Use GO NETS option 10, Display Attributes. You should see:
Guest profile  . . . . :  *NONE
If a user profile is listed, the specified USRPRF is used for any NetServer authentication attempt that provides a user profile that does NOT exist on the IBM i.
If the "Guest profile" USRPRF is disabled or otherwise unavailable, guest access fails.
2) Review your available IBM i file shares. Use GO NETS option 11, Work with Shares.
Consider whether any read/write shares actually require write ability or whether read-only would suffice. In particular, any share pointing to the root of the IFS ('/') must receive extra scrutiny. A read/write accessible share over the root of the IFS presents a significant security risk and, at a minimum, should be set to read-only.
For more details, see:
Once a client is past IBM i NetServer security, the IBM i OS file system performs additional security checks.
3) Increase the password level of the IBM i (QPWDLVL) from the default of 0 to 3 or 4 (available at v750). Most SMB/CIFS clients, such as the Client for Microsoft Networks, now default to mixed-case, complex passwords. If users are accustomed to typing a mixed-case, complex password and do so while the IBM i QPWDLVL setting is 0, that registers as an invalid authentication attempt. Too many invalid authentication attempts will cause the profile to become disabled for NetServer (CPIB682 messages in QHST). See:
...and:
Increased password complexity not only increases security, but may also decrease the administrative burden generated by users sending invalid credentials to the IBM i NetServer and thereby requiring re-enabling (GO NETS option 12, Work with NetServer Users).
4) Ensure the highest SMB protocol level available for your system is in use. See:
...and:
IBM i v740 adds support for the SMB3 protocol, which encrypts the data connection.
5) Ensure SMB signing (named "Message authentication" in GO NETS) is allowed or required and LANMAN is set to *NO. For example, in GO NETS option 10, Display Attributes, you should see:
Message authentication :  *OPTIONAL   (or *REQUIRED)
LANMAN option  . . . . :  *NO
Microsoft Windows security policies generally require the ability to sign requests when using the SMB protocol. In that scenario, if the IBM i does not allow it (*NONE), the connection will fail.
6) Many penetration testing tools will scan for available NetBIOS ports 137, 138, and 139 and will flag them if found. Having these available does not, in itself, increase the security exposure; however, the option exists to disable those ports without entirely disabling NetServer access. See:
Finally, third-party security exit programs exist for IBM i which add an additional layer of security. These are installed at the QIBM_QPWFS_FILE_SERV exit point (and potentially also QIBM_QP0L_SCAN*) and monitor access to the system via the as-file and NetServer servers. They are generally capable of allowing or denying access based on specified criteria. Adding or removing such exit programs requires restarting the QSERVER subsystem.
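The following is an added example, not code from IBM or from this document. It turns steps 1, 2 and 5 above into a repeatable audit: it parses the text of the GO NETS option 10 "Display Attributes" screen (the dotted "label . . . : value" layout shown above), checks the guest profile, message authentication and LANMAN settings against the baseline this document recommends, and flags read/write shares, treating a writable share over the IFS root '/' as the most serious case. The attribute text and the share list are constructed samples; the real "Work with Shares" layout is not shown on this page, so the tab-separated share columns (name, IFS path, access) and the *RW / *R access values are assumptions.

```python
"""Audit IBM i NetServer settings against the hardening baseline in this document.

Added example, not IBM code. Feed it a copy of the GO NETS "Display Attributes"
screen text and a share listing; it returns a list of (item, detail) findings.
"""

# Constructed sample of GO NETS option 10 output with deliberately weak settings.
SAMPLE_ATTRIBUTES = """\
Guest profile  . . . . :  GUEST
Message authentication :  *NONE
LANMAN option  . . . . :  *YES
"""

# Constructed share listing. ASSUMED format: name, IFS path, access (*RW or *R),
# separated by tabs; the real "Work with Shares" layout is not shown on this page.
SAMPLE_SHARES = """\
ROOT\t/\t*RW
HOME\t/home\t*RW
PUBLIC\t/public\t*R
"""

# Baseline taken from steps 1 and 5 of the document: the set of acceptable values
# for each attribute label exactly as it appears on the Display Attributes screen.
BASELINE = {
    "Guest profile": {"*NONE"},
    "Message authentication": {"*OPTIONAL", "*REQUIRED"},
    "LANMAN option": {"*NO"},
}


def parse_attributes(text):
    """Parse 'Label . . . . :  VALUE' lines into {label: value}."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        # Strip the dotted leader and surrounding blanks from the label.
        attrs[label.rstrip(" .")] = value.strip()
    return attrs


def audit_attributes(attrs):
    """Return findings for every baseline attribute that is missing or weak."""
    findings = []
    for label, allowed in BASELINE.items():
        value = attrs.get(label)
        if value is None:
            findings.append((label, "not found in Display Attributes output"))
        elif value not in allowed:
            findings.append((label, f"{value} (expected one of {sorted(allowed)})"))
    return findings


def parse_shares(text):
    """Parse the ASSUMED tab-separated share listing into (name, path, access)."""
    shares = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3:
            name, path, access = (p.strip() for p in parts)
            shares.append((name, path, access.upper()))
    return shares


def audit_shares(shares):
    """Flag read/write shares; a writable share over '/' is the worst case (step 2)."""
    findings = []
    for name, path, access in shares:
        if access != "*RW":
            continue
        if path == "/":
            findings.append((name, "read/write share over IFS root '/'; set to read-only at a minimum"))
        else:
            findings.append((name, f"read/write share on {path}; confirm write access is required"))
    return findings


def run_audit(attr_text=SAMPLE_ATTRIBUTES, share_text=SAMPLE_SHARES):
    """Combine both checks; an empty list means the inputs meet the baseline."""
    return audit_attributes(parse_attributes(attr_text)) + audit_shares(parse_shares(share_text))


if __name__ == "__main__":
    for item, detail in run_audit():
        print(f"FINDING {item}: {detail}")
```

Against the constructed sample the audit reports five findings: the guest profile, the *NONE message authentication setting, LANMAN enabled, and the two read/write shares. Re-run it after each change in GO NETS until the list is empty, and keep the captured screen text with your change records.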



Document Information

Modified date:
13 September 2022

UID

ibm16618239