  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1645

CIFS Server

Dear Experts,

We recently had a penetration test in our company. In the reports that they sent us, they mentioned a few issues about the CIFS Server, for example "CIFS Server Discloses operating system version" and "CIFS Server Allows Username Enumeration via RID Cycling". They are talking about disabling the CIFS Server. I am not very familiar with what exactly the CIFS Server is doing, and I am worried that if we disable CIFS we might have lots of problems with the different applications being used in our company. Could you please give me some opinion about disabling or not disabling CIFS?

Thanks
londonbjk
 
Kerem ERSOY (President) Commented:
Hi,

What they mean is you have an SMB server. This is also called a CIFS server. There are some tools that could reveal usernames over the AD using RID Cycling. Here's an article about RID Cycling and tools:

http://etutorials.org/Networking/network+security+assessment/Chapter+9.+Assessing+Windows+Networking+Services/9.6+The+CIFS+Service/

The article also mentions some rules to disable this behaviour.

That being said, whether to shut down the server depends on what use it has for you. If this is a critical server for your operations, you'd better tighten security over the server and keep it. If it is optional, you might want to shut it down. Will you tell me what use this server has for you?


Cheers,
K.
 
londonbjk (Author) Commented:
Hi Kerem,

It shows that CIFS Server is enabled on all of our XP clients and Server 2003. On the client I cannot see any CIFS service. How can I check the CIFS service on Windows XP?

Thanks
 
raysonlee Commented:
CIFS is the file server service in Linux environment. I think it's talking about the default user share directory in Windows. You can disable them without any problem.
 
Kerem ERSOY (President) Commented:
CIFS is not a service. It has some open ports which enable Microsoft Networking to operate, namely UDP 139 and TCP 445. As far as I understand, your clients don't share data between them, so you can easily disable networking through their built-in personal firewalls.

When it comes to the server, you need these ports if your clients log on to a domain etc. But you can choose not to allow anonymous shares and allow the required people to each share.

The article that I linked above also mentions some tools to check these vulnerabilities. Download them and check your network after you've closed all ports to see if the information is still available through them.

Cheers,
K.
 
Kerem ERSOY (President) Commented:
I mean CIFS is a service, but not in the sense that you understand. I guess by service you meant a Windows Service. It is a network-based service :)

 
Kerem ERSOY (President) Commented:
What is the use of your Windows 2003 server? Does it act as a Domain Controller? Do you have shares on it where people share data? Do you need File and Printer Sharing through XP clients?
 
londonbjk (Author) Commented:
Hi Kerem,

You mentioned "I think it's talking about the default user share directory in Windows. You can disable them without any problem." How do I disable this? Three of the servers are domain controllers, an Exchange and file servers, and yes, each server has got applications and files that clients access. It looks like we can leave it running for the servers and maybe we can just disable it for the clients, if you could tell me how?

Thanks
 
londonbjk (Author) Commented:
Hi Kerem,

If I untick "File and Printer Sharing for Microsoft Networks" on the client's NIC card, would that disable CIFS on the clients?

Thanks
 
scraby Commented:
You said penetration test. Is this from the public side? If so, then do you have a firewall (hardware / software) set up?
 
londonbjk (Author) Commented:
No, this was an internal penetration test.
 
raysonlee Commented:
Go to the Control Panel, Administrative Tools, Services.
Disable the Server service. Disabling this service removes the ability to share folders on your computer. No user will be able to connect to any drive or folder on your computer. However, you can still access shared folders on other computers (and server). When you disable the Server service, under Startup, be sure to click Manual or Disabled or else the service will start the next time the computer is restarted.
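
A command-line version of the steps in the answer above, as an added example that is not part of the original thread: it reports the state of the Server service, the shares, the listening ports and the anonymous-access settings on one client, and disables the service only when asked. It assumes an administrator command prompt on a workstation (not a domain controller or file server); the script name and the `/disable` switch are made up for this example, and the `RestrictAnonymous` values are the standard Windows LSA settings, not something quoted from the thread.

```bat
@echo off
rem Added example, not from the thread. Run as a local administrator.
rem Usage: smb-client-audit.cmd            report only
rem        smb-client-audit.cmd /disable   report, then stop and disable
setlocal

echo === Server service (short name: lanmanserver) ===
sc query lanmanserver | findstr /I "STATE"
sc qc lanmanserver | findstr /I "START_TYPE"

echo === Folders currently shared from this machine ===
net share

echo === Listening NetBIOS session / SMB ports (139, 445) ===
netstat -an | findstr /R /C:":139 .*LISTENING" /C:":445 .*LISTENING"

echo === Anonymous-access restrictions (LSA) ===
rem An error here means the value is not set on this machine.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM

if /I not "%~1"=="/disable" goto :eof

echo === Stopping and disabling the Server service ===
rem /y also stops services that depend on Server without prompting.
net stop server /y
rem The space after "start=" is required by sc.exe.
sc config lanmanserver start= disabled
sc qc lanmanserver | findstr /I "START_TYPE"
```

Running it once without arguments before the change and once after gives a before/after record per client for the penetration test follow-up.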
 
scraby Commented:
You may want to check out question ID: 27402993. A software vendor recommended they turn off SMB 2.0 on their server, which has caused some problems. I'm not very knowledgeable on CIFS, but unless you are dealing with a large corporation where you don't know everyone that is working on the workstations and you feel strongly as though having this condition present is going to jeopardize your security then go forward with the recommendation, otherwise understand that it would take someone very knowledgeable to discover and exploit this vulnerability. You have to judge your position and your company's position on required security before you get too crazy trying to lock everything down, as there is always a flaw somewhere. Don't turn a blind eye, but draw the line somewhere as to how much is enough. Just some advice to be taken with a grain of salt.