SMB Questionnaire
1. Connectivity
How can we access the SMB server that is configured by the organization?
Note: Lightbeam runs as a Kubernetes application and requires direct connectivity to the SMB server. We may have to update the firewall to allow traffic coming from Lightbeam nodes to the SMB server if direct access is restricted.
2. Server Details
Server IP?
Note: We need IP to connect to the server. DNS names will require DNS to be configured with our application which we currently do not support.
Which version of the SMB protocol is being used?
Internally Tested Versions: 3.1.1, 3.0.2
List the names of file shares to be scanned.
Specify directories to include in those shares. (Optional)
Specify directories to exclude in those shares (Optional)
Which version of Windows server is running?
Tested Versions:
Windows Server 2022
Windows Server 2019
Windows Server 2016
Windows Server 2012R2
3. Accessing Share with Read-only Permissions.
Provide a username
If the server is configured as a Domain Controller, what's the domain name?
Are there any shares this user doesn't have access to?
4. SMB Server Configuration
Is signing configured?
Is encryption configured?
Is compression configured?
Note: Compression is currently unsupported.
Are UNC hardening settings enabled on any file share?
Is NTLMv2 hardening enabled?
5. Server Cluster & DNS
Is the server clustered or does it use DFS?
Note: Not tested internally.
Do we need a DNS server to resolve server names?
Is FQDN referral support enabled on the DFS server?
Note: NetBIOS names are unsupported.
If there's no DNS server, do we need a list of FQDNs mapped to their IPs?
Are firewall rules updated to allow access on the SMB port?
Is replication enabled?
At FileShare level?
At Namespace level?
Does each server host all the data or only part of it?
Note: Disaggregated servers are not yet supported.
6. PowerShell Script Output
Please share with us the output of the following script that you can run on PowerShell
Update your domain in line 1 in the script below:
$domain = "example.com"
$dfsRoot = Get-DfsnRoot -Domain $domain
if (-not $dfsRoot.GetType().Name.Equals("Object[]")) {
$dnsRoot = @($dfsRoot)
}
Write-Output ("*" * 80)"`r`nGet-DfsnRoot"
$dfsRoot | Format-List | Out-String|% {Write-Host $_}
foreach ($dfsR in $dfsRoot) {
$path = $dfsR.Path + "\*"
$folders = Get-DfsnFolder $path
Write-Output ("*" * 80)"`r`nGet-DfsnFolder $path"
Write-Output $folders | fl
Write-Output ("*" * 80)"`r`nGet-DfsnFolderTarget $path"
foreach ($folder in $folders) {
$folderTarget = Get-DfsnFolderTarget $folder.Path
Write-Output $folderTarget | fl
}
}
Write-Output ("*" * 80)"`r`nGet-DfsReplicationGroup"
Write-Output (Get-DfsReplicationGroup | fl)
Write-Output ("*" * 8)"`r`nGet-DfsReplicatedFolder"
Write-Output (Get-DfsReplicatedFolder | fl)About LightBeam
LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.
For any questions or suggestions, please get in touch with us at: [email protected].
Last updated