<div>
That's what we were afraid of... Thanks for the feedback
</div>


That's what we were afraid of... Thanks for the feedback

<div>
<div class="content wysiwyg-content">
Hi,<br />
<br />
We are currently running a NetApp filer in a PCI environment. Due to policy, we are required to scan server systems for vulnerabilites using Nessus, and must resolve all medium or higher. <br />
<br />
Unfortunately, we were presented with the following vul.: <a href="http://www.nessus.org/plugins/index.php?view=single&id=57608" rel="ugc">http://www.nessus.org/plugins/index.php?view=single&id=57608</a><br />
<br />
We have already enabled the option cifs.signing.enable, but this does not resolve the problem, as it doesn't force signing, but only permits it if required from the client. <br />
<br />
If I understand correctly, there is no way to force SMB signing on the NetApp side (Microsoft network server: Digitally sign communications (always) - on a Windows machine). That means, we can enforce signing by requiring the clients to sign - communication between filer and client should be fine against man-in-the-middle. However, this setting would have to be made on every client (via GPO or LSP on stand-alone machines...)<br />
<br />
Does anyone have an idea if we are overlooking anything? We are expected to fix all vulnerabilities... <br />
<br />
Thanks for any feedback!<br />
<br />
eS1
</div>
</div>


Hi,

We are currently running a NetApp filer in a PCI environment. Due to policy, we are required to scan server systems for vulnerabilites using Nessus, and must resolve all medium or higher. 

Unfortunately, we were presented with the following vul.: http://www.nessus.org/plugins/index.php?view=single&id=57608

We have already enabled the option cifs.signing.enable, but this does not resolve the problem, as it doesn't force signing, but only permits it if required from the client. 

If I understand correctly, there is no way to force SMB signing on the NetApp side (Microsoft network server: Digitally sign communications (always) - on a Windows machine). That means, we can enforce signing by requiring the clients to sign - communication between filer and client should be fine against man-in-the-middle. However, this setting would have to be made on every client (via GPO or LSP on stand-alone machines...)

Does anyone have an idea if we are overlooking anything? We are expected to fix all vulnerabilities... 

Thanks for any feedback!

eS1

SMB Signing on NetApp

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.

Vulnerabilities

Computer data storage, often called storage or memory, is a technology consisting of computer components and recording media used to retain digital data. In addition to local storage devices like CD and DVD readers, hard drives and flash drives, solid state drives can hold enormous amounts of data in a very small device. Cloud services and other new forms of remote storage also add to the capacity of devices and their ability to access more data without building additional data storage into a device.

Storage

Windows Server 2003 was based on Windows XP and was released in four editions: Web, Standard, Enterprise and Datacenter. It also had derivative versions for clusters, storage and Microsoft’s Small Business Server. Important upgrades included integrating Internet Information Services (IIS), improvements to Active Directory (AD) and Group Policy (GP), and the migration to Automated System Recovery (ASR).