SMB Questionnaire

1. Connectivity

• How can we access the SMB server that is configured by the organization?

  • Note: Lightbeam runs as a Kubernetes application and requires direct connectivity to the SMB server. We may have to update the firewall to allow traffic coming from Lightbeam nodes to the SMB server if direct access is restricted.

2. Server Details

• Server IP?

  • Note: We need IP to connect to the server. DNS names will require DNS to be configured with our application which we currently do not support.

• Which version of the SMB protocol is being used?

  • Internally Tested Versions: 3.1.1, 3.0.2

• List the names of file shares to be scanned.

  • Specify directories to include in those shares. (Optional)

  • Specify directories to exclude in those shares (Optional)

• Which version of Windows server is running?

  • Tested Versions:

    • Windows Server 2022

    • Windows Server 2019

    • Windows Server 2016

    • Windows Server 2012R2

3. Accessing Share with Read-only Permissions.

• Provide a username

• If the server is configured as a Domain Controller, what's the domain name?

• Are there any shares this user doesn't have access to?

4. SMB Server Configuration

• Is signing configured?

• Is encryption configured?

• Is compression configured?

  • Note: Compression is currently unsupported.

• Are UNC hardening settings enabled on any file share?

• Is NTLMv2 hardening enabled?

5. Server Cluster & DNS

• Is the server clustered or does it use DFS?

  • Note: Not tested internally.

• Do we need a DNS server to resolve server names?

• Is FQDN referral support enabled on the DFS server?

  • Note: NetBIOS names are unsupported.

• If there's no DNS server, do we need a list of FQDNs mapped to their IPs?

• Are firewall rules updated to allow access on the SMB port?

• Is replication enabled?

  • At FileShare level?

  • At Namespace level?

• Does each server host all the data or only part of it?

  • Note: Disaggregated servers are not yet supported.

6. PowerShell Script Output

Please share with us the output of the following script that you can run on PowerShell

Update your domain in line 1 in the script below:

$domain = "example.com"
$dfsRoot = Get-DfsnRoot -Domain $domain
if (-not $dfsRoot.GetType().Name.Equals("Object[]")) {
  $dnsRoot = @($dfsRoot)
}
 
Write-Output ("*" * 80)"`r`nGet-DfsnRoot"
$dfsRoot | Format-List | Out-String|% {Write-Host $_}
 
foreach ($dfsR in $dfsRoot) {
	$path = $dfsR.Path + "\*"
	$folders = Get-DfsnFolder $path
	Write-Output ("*" * 80)"`r`nGet-DfsnFolder $path"
	Write-Output $folders | fl
	Write-Output ("*" * 80)"`r`nGet-DfsnFolderTarget $path"
	foreach ($folder in $folders) {
    	$folderTarget = Get-DfsnFolderTarget $folder.Path
    	Write-Output $folderTarget | fl
	}
}
 
Write-Output ("*" * 80)"`r`nGet-DfsReplicationGroup"
Write-Output (Get-DfsReplicationGroup | fl)
 
Write-Output ("*" * 8)"`r`nGet-DfsReplicatedFolder"
Write-Output (Get-DfsReplicatedFolder | fl)

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.