Authentication and Access
- Enforce strong authentication (NTLMv2 minimum; disable SMB1).
- Use centralized identity (AD/LDAP) with least-privilege groups.
- Restrict share permissions and avoid broad write access.
- Require SMB signing; enable SMB encryption for sensitive shares.
- Disable guest access unless explicitly required.
- Tighten the settings that allow anonymous enumeration.
- Bind Samba to required interfaces only.
- Limit firewall access to trusted client networks.
- Keep Samba patched to mitigate protocol vulnerabilities.
- Enable file access auditing for critical shares.
- Forward logs to a SIEM for anomaly detection.
- Monitor failed authentication and brute-force activity.
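
The settings-level items in this checklist can be checked mechanically. The following is an added example, not part of the original page: a small auditor that reads smb.conf text and reports deviations. The sample file, the `POLICY` table and the rule that each parameter must be set explicitly are assumptions, and `include` directives and line continuations are not handled.

```python
# Added example (not from the original page). SAMPLE is a constructed, deliberately weak file.
SAMPLE = """\
[global]
   server min protocol = NT1
   ntlm auth = ntlmv1-permitted
   map to guest = Bad User
[public]
   path = /srv/public
   guest ok = yes
"""

# Assumed policy: each [global] parameter must be set explicitly to a listed value.
POLICY = {
    "server min protocol": {"smb2", "smb2_02", "smb2_10", "smb3", "smb3_00", "smb3_02", "smb3_11"},
    "ntlm auth": {"ntlmv2-only", "disabled"},
    "server signing": {"mandatory"},
    "map to guest": {"never"},
    "restrict anonymous": {"2"},
    "bind interfaces only": {"yes"},
}

def parse(text):
    # Returns {section: {parameter: value}}; section and parameter names are lower-cased.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    # Returns a list of findings; an empty list means the text meets POLICY.
    conf = parse(text)
    glob = conf.get("global", {})
    findings = []
    for key, allowed in POLICY.items():
        value = glob.get(key)
        if value is None or value.lower() not in allowed:
            findings.append(f"[global] {key}: found {value!r}, want one of {sorted(allowed)}")
    for name, share in conf.items():
        if name != "global" and share.get("guest ok", "no").lower() in {"yes", "true", "1"}:
            findings.append(f"[{name}] guest ok: guest access is enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Share permissions, firewall rules, patch level and log forwarding live outside smb.conf and need separate checks.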