Why can't I access the root UNC directory of a Datto Appliance?

Topic

This article explains why, for security purposes, navigating to the root UNC directory of a Datto appliance is not possible.

Environment

  • Datto ALTO
  • Datto SIRIS
  • Datto NAS

Description

When you attempt to navigate to the root UNC directory of a Datto appliance (e.g. \\192.168.1.3\) via a Samba connection without specifying a share path (e.g. \\192.168.1.3\myfiles), you will notice that the connection fails. This is intended behavior.

With the release of Datto IRIS 3.73, the process of accessing NAS shares has changed due to a security configuration being added to prevent Anonymous or "Null" sessions. A Null session is a connection that is established without a username or password and was designed with the intention to allow unauthenticated hosts to obtain browse lists from NT servers and participate in a network. Processes between hosts communicate to each other by using these Null sessions and the Interprocess Communication Share, or IPC$.

Datto appliances leverage Samba to provide file sharing services for NAS Shares to SMB/CIFS clients on a network. Datto Appliances can also be joined to a Microsoft Windows Domain and support Active Directory by using existing users and groups for authentication to these shares if configured appropriately.

Additionally, Samba has a wide array of security configurations which can quickly introduce complexity. Because of this, it is important to understand the relationship between the server and the client, and how the settings on each side affect whether a connection succeeds.

Mitigating Risk

Null sessions are one of the oldest and most frequently used methods for network reconnaissance employed by hackers. A Null session connection allows a client to connect to a machine without providing a username or password, and to take advantage of vulnerabilities dating back to 1999 (CVE-1999-0519 and CVE-2000-1200) to enumerate user lists, share lists, password policy, etc.

More recently, it has been used to compromise entire systems and networks by giving clients the ability to execute code remotely (CVE-2017-7494, also known as "SambaCry").

Organizations subject to regulation and compliance requirements are mandated to conduct frequent security assessments/audits and implement sufficient security measures to reduce risk to the systems in scope.

If a host allows Null sessions, it is expected to be flagged by most vulnerability scanners, and subsequently result in a failure to meet compliance or regulation criteria due to the risk they introduce.

This configuration does not impact the regular behavior of Shares set to Public or Private, but will impact common habits of browsing to SMB/CIFS Shares as shown below.

Figure 1: Browsing to the IP address of the Datto Appliance via Windows Explorer

This will fail to connect because Windows Explorer, when given only the IP address, attempts to establish an anonymous connection to the IPC$ share of the Datto Appliance in order to obtain the share list, and that anonymous connection is now refused.


Figure 2: Browsing to the full path of the NAS Share via Windows Explorer

Accessing the share as shown in Figure 2 will successfully connect you to the share specified. If it is configured to be Public, you will be logged in as the 'Guest' user automatically. If it is configured to be Private, you will be prompted for your credentials. Enter the username and password of the user as defined in LDAP or on the Datto appliance.
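The following smb.conf fragment is an added illustration of the two behaviors described in this article (anonymous IPC$ access refused, Public shares opening as Guest while Private shares prompt for credentials) on a generic Samba server. It is not Datto's own configuration, which is not published here; the share names, paths, group name and the exact parameters Datto uses are assumptions. The parameter names and values are standard Samba options as documented in the smb.conf manual page.

```ini
# Illustrative smb.conf (added example, not the Datto appliance configuration).
# Share names, paths and the "fileusers" group are placeholders.

[global]
   workgroup = WORKGROUP
   server role = standalone server

   # Weak setting (the Samba default): anonymous/null sessions to IPC$ are
   # accepted, so browsing to \\server\ and unauthenticated enumeration of
   # shares and users succeed. Shown commented out for comparison.
   #restrict anonymous = 0

   # Hardened setting: per the smb.conf manual page, 2 refuses anonymous
   # connections to IPC$ altogether. Browsing to the root UNC path (\\server\)
   # fails, while an explicit share path (\\server\myfiles) still connects.
   restrict anonymous = 2

   # A session whose username does not exist on the server is mapped to the
   # guest account. Combined with "guest ok" below, this is what lets a Public
   # share open without a credential prompt while a Private share still asks.
   map to guest = Bad User

# "Public" share: guest access permitted, read-only
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = yes

# "Private" share: only members of the (placeholder) fileusers group
[myfiles]
   path = /srv/samba/myfiles
   guest ok = no
   valid users = @fileusers
   read only = no
```

After editing, `testparm` validates the syntax and prints the effective values, which is a quick way to confirm that `restrict anonymous` is set as intended before reloading the service. Note that the manual page warns that `restrict anonymous = 2` can interfere with some older Windows clients; the root-UNC browsing failure described in this article is the expected side effect of that setting.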

Contact Datto Technical Support if you are expecting different behavior than above.