Managing CIFS server security settings
You can customize CIFS server security settings to meet your business requirements. You can modify Kerberos security settings, determine whether to require SMB signing for incoming SMB traffic, whether to use LDAP session security, whether to enable AES encryption types for Kerberos communication, whether to require SMB encryption when accessing shares, and whether to require password complexity for local users. You can also set the minimum authentication security level.
- How ONTAP handles SMB client authentication
Before users can create SMB connections to access data contained on the SVM, they must be authenticated by the domain to which the CIFS server belongs. The CIFS server supports two authentication methods, Kerberos and NTLM (NTLMv1 or NTLMv2). Kerberos is the default method used to authenticate domain users.
- Guidelines for SMB server security settings in an SVM disaster recovery configuration
Before creating an SVM that is configured as a disaster recovery destination where the identity is not preserved (the -identity-preserve option is set to false in the SnapMirror configuration), you should know how SMB server security settings are managed on the destination SVM.
- Displaying information about CIFS server security settings
You can display information about CIFS server security settings on your storage virtual machines (SVMs). You can use this information to verify that the security settings are correct.
- Enabling or disabling required password complexity for local SMB users
Required password complexity provides enhanced security for local SMB users on your storage virtual machines (SVMs). The required password complexity feature is enabled by default. You can disable it and re-enable it at any time.
- Modifying the CIFS server Kerberos security settings
You can modify certain CIFS server Kerberos security settings, including the maximum allowed Kerberos clock skew time, the Kerberos ticket lifetime, and the maximum number of ticket renewal days.
- Setting the CIFS server minimum authentication security level
You can set the CIFS server minimum security level, also known as the LMCompatibilityLevel, on your CIFS server to meet your business security requirements for SMB access. The minimum security level is the minimum level of the security tokens that the CIFS server accepts from SMB clients.
- Configuring strong security for Kerberos-based communication by using AES encryption
For the strongest security with Kerberos-based communication, you can enable AES-256 and AES-128 encryption on the SMB server. By default, when you create an SMB server on the SVM, AES encryption is disabled. You must enable it to take advantage of the strong security provided by Advanced Encryption Standard (AES) encryption.
- Enabling or disabling AES encryption for Kerberos-based communication
To take advantage of the strongest security with Kerberos-based communication, you can enable AES-256 and AES-128 encryption on the CIFS server. If you do not want the CIFS server to select the AES encryption types for Kerberos-based communication with the Active Directory (AD) KDC, you can disable AES encryption. By default, AES encryption is disabled.
- Using SMB signing to enhance network security
SMB signing helps to ensure that network traffic between the SMB server and the client is not compromised; it does this by preventing replay attacks. By default, ONTAP supports SMB signing when requested by the client. Optionally, the storage administrator can configure the CIFS server to require SMB signing.
- Configuring required SMB encryption on SMB servers for data transfers over SMB
SMB encryption for data transfers over SMB is a security enhancement that you can enable or disable on SMB servers. You can also configure the desired SMB encryption setting on a share-by-share basis through a share property setting.
- Securing LDAP session communication
There are two ways to enable LDAP secure sessions for queries to the AD server. You can use LDAP signing and sealing, which encrypts traffic (sealing) and protects the integrity (signing) of session traffic between the storage virtual machine (SVM) LDAP client and the LDAP server. Alternatively, you can use LDAP over TLS to encrypt all session traffic.