
SMB server signing and encryption for Archiving

exacqVision’s default method for archiving recorded data uses the SMB protocol. Using an exacqVision S-Series storage system makes configuring archiving simple. Users may also archive to SMB shares configured on their own third-party systems, but installing and configuring Samba or SMB Shares on non-Exacq built systems is outside the scope of Exacq Support.

There have been several iterations of SMB since the protocol was first introduced. Devices wishing to communicate via SMB must first perform a negotiation to determine which version they will use. The version and dialect of SMB chosen will determine what features are used.


Versions

Discussing versions quickly becomes a tangled web, which we will try to unravel here.

When you capture the traffic between two devices with a tool such as Wireshark, the protocol is listed as SMB2. SMB2 is the wire protocol for every dialect from 2.0.2 onward (2.0.2, 2.1, 3.0, 3.0.2 and 3.1.1), which causes confusion because many people refer to dialects as versions. We use the term dialect here.

Dialect 3.1.1, introduced in 2015 with Windows 10, is the latest SMB dialect at the time of writing. SMB is the protocol; on Linux it is implemented by Samba, which also provides other services and therefore has its own version numbering, separate from SMB. Samba has supported SMB dialect 3.1.1 since Samba 4.3.

How to check the version of Samba installed on your S-Series or other Linux system:

  1. Open a Terminal window by pressing CTRL+ALT+T.
  2. Type samba --version and press Enter. If the samba binary is not installed (only the file server components are), smbd --version prints the same version string.


Server Signing

Server signing is the SMB integrity mechanism. When signing is in effect, every SMB message carries a signature in its header: a keyed hash (a message authentication code) computed over the entire message with a key that both sides derive from the session's authentication. The key itself is never sent; only the resulting signature travels with the message.

How does signing help protect data? Because the key is tied to the authenticated session, a valid signature shows that the message came from the authenticated peer rather than from a third party on the network. Because the signature covers the whole message, any change an attacker makes to a message between the NVR and the archive share (a modified write, an injected command) causes the signature check to fail and the message to be rejected. Signing does not hide the contents of the traffic; that is the job of encryption, covered next.
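The following is an added example, not code from exacqVision or Samba. It implements SMB2 message signing as specified for dialects 2.0.2 and 2.1 in MS-SMB2: the signature is HMAC-SHA256, keyed with the 16-byte session key, over the whole message with the 16-byte Signature field in the header zeroed, truncated to 16 bytes. It then shows the check succeeding on an intact message and failing on a tampered message, an unsigned message, and a message signed under a different key. The header layout follows MS-SMB2 2.2.1.2; the session key, command and payload are constructed values for the demonstration. SMB 3.x signs with AES-128-CMAC under a key derived from the session key; that variant is not shown because the Python standard library has no AES-CMAC.

```python
"""Added example (not exacqVision or Samba code): SMB2 message signing for the
2.0.2 / 2.1 dialects (HMAC-SHA256, truncated to 16 bytes, over the message with
the Signature field zeroed), with verification on intact and tampered input."""
import hashlib
import hmac
import struct

SMB2_HEADER_LEN = 64
FLAGS_OFFSET = 16                 # Flags field starts at header byte 16
SIG_OFFSET = 48                   # Signature occupies header bytes 48..63
SMB2_FLAGS_SIGNED = 0x00000008
SMB2_WRITE = 0x0009               # Command code of the WRITE request


def build_smb2_header(command, message_id, session_id, flags=0):
    """Build a 64-byte synchronous SMB2 header with a zeroed Signature field."""
    return struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB",        # ProtocolId
        SMB2_HEADER_LEN,   # StructureSize
        0,                 # CreditCharge
        0,                 # Status
        command,           # Command
        1,                 # CreditRequest
        flags,             # Flags
        0,                 # NextCommand
        message_id,        # MessageId
        0,                 # Reserved
        1,                 # TreeId
        session_id,        # SessionId
        b"\x00" * 16,      # Signature, filled in by sign_message()
    )


def _mac(signing_key, message):
    """HMAC-SHA256 over the message with the Signature field zeroed, truncated to 16 bytes."""
    msg = bytearray(message)
    msg[SIG_OFFSET:SIG_OFFSET + 16] = b"\x00" * 16
    return hmac.new(signing_key, bytes(msg), hashlib.sha256).digest()[:16]


def sign_message(signing_key, message):
    """Return the message with SMB2_FLAGS_SIGNED set and the Signature field filled in."""
    msg = bytearray(message)
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", msg, FLAGS_OFFSET, flags)
    msg[SIG_OFFSET:SIG_OFFSET + 16] = _mac(signing_key, msg)
    return bytes(msg)


def verify_message(signing_key, message):
    """True only if the message is flagged as signed and its signature matches."""
    if len(message) < SMB2_HEADER_LEN or message[:4] != b"\xfeSMB":
        return False
    flags = struct.unpack_from("<I", message, FLAGS_OFFSET)[0]
    if not flags & SMB2_FLAGS_SIGNED:
        return False   # unsigned message: rejected when signing is mandatory
    received = message[SIG_OFFSET:SIG_OFFSET + 16]
    return hmac.compare_digest(received, _mac(signing_key, message))


def demo():
    """Sign a constructed WRITE request and check it against four situations.

    Returns (intact_ok, tampered_ok, unsigned_ok, wrong_key_ok)."""
    # Constructed 16-byte session key; a real one comes from authentication.
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    header = build_smb2_header(SMB2_WRITE, message_id=7, session_id=0x1234)
    body = b"constructed archive payload"   # stands in for the WRITE body
    signed = sign_message(key, header + body)
    tampered = signed[:-7] + b"PAYLOAD"     # attacker rewrites the last 7 bytes
    unsigned = header + body                 # signing stripped entirely
    return (
        verify_message(key, signed),
        verify_message(key, tampered),
        verify_message(key, unsigned),
        verify_message(bytes(16), signed),
    )


if __name__ == "__main__":
    print(demo())
```

The unsigned case is the one that matters operationally: a server configured with signing set to auto accepts that message, a server with signing set to mandatory rejects it.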


Encryption

SMB dialects 2.0.2 and 2.1 sign messages with HMAC-SHA256 but do not support encryption at all. SMB 3.0 introduced encryption, using AES-128-CCM, and moved signing to AES-128-CMAC. SMB 3.1.1 added AES-128-GCM as the preferred cipher (AES-128-CCM remains available) and added pre-authentication integrity, a SHA-512 hash of the negotiate and session setup exchange that is folded into the session keys, so that an attacker in the path cannot downgrade the dialect or cipher without the session setup failing. Newer implementations also negotiate AES-256-GCM and AES-256-CCM under dialect 3.1.1.

SMB dialect | Signing algorithm | Encryption
2.0.2, 2.1 | HMAC-SHA256 | none
3.0, 3.0.2 | AES-128-CMAC | AES-128-CCM
3.1.1 | AES-128-CMAC | AES-128-GCM, AES-128-CCM (AES-256-GCM and AES-256-CCM on newer implementations)

Encryption is only used when the server requires it or the client requests it; negotiating dialect 3.1.1 by itself does not encrypt the archive traffic.


Manual Enforcement

As mentioned above, when two devices attempt to communicate using SMB they first negotiate the connection to determine the dialect they will use.

The client opens the connection by sending the server the list of dialects it supports. The server replies with the highest dialect on that list that it also supports, and both sides then use that dialect. In the case of exacqVision's Archiving, the client is the recording NVR system and the server is the S-Series system (or whichever SMB server hosts the share).

IMPORTANT: Because negotiation automatically selects the highest dialect both devices support, and because SMB signing and encryption are mature, well-tested parts of the protocol, there is usually no need to configure these settings by hand. Keep in mind, though, that negotiation only picks the dialect: with the default server signing = auto, signing is offered but not required, so a client that does not ask for it connects unsigned. Manual configuration is recommended only when a specific network or security requirement must be enforced, for example a policy that all archive traffic be signed or restricted to SMB 3.1.1.


To manually configure SMB:

  1. On the S-Series server, open a Terminal window by pressing CTRL+ALT+T.
  2. Edit /etc/samba/smb.conf with sudo, for example sudo nano /etc/samba/smb.conf.
  3. Locate the [global] settings section.
  4. Beneath the [global] tag, add the following lines:
    server signing = mandatory
    server min protocol = SMB3_11
    server max protocol = SMB3_11
  5. Save your changes, then exit the editor.
  6. Check the file for errors by entering testparm. It reports any parameter it does not recognise and prints the effective [global] settings, so you can confirm the three lines took effect before restarting.
  7. Restart Samba by entering
    sudo /etc/init.d/samba restart
    (on systems managed by systemd, sudo systemctl restart smbd). Restarting Samba closes existing SMB sessions, including any archive transfer in progress, so do this outside a scheduled archiving window.

The entries given for Step 4 above enforce server signing as well as SMB dialect 3.1.1. A client that cannot sign, or that does not support dialect 3.1.1, is refused. Note that these entries do not require encryption. To require it on the S-Series, add smb encrypt = required to [global] (the parameter is named server smb encrypt from Samba 4.15 onward, with the old name kept as a synonym), or add it to an individual share section to require encryption for that share only; clients that cannot encrypt are then refused. A list of possible options for the three entries from Step 4 is given below.

server signing = [default, auto, mandatory, disabled]

server min protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]

server max protocol = [SMB2, SMB2_02, SMB2_10, SMB3, SMB3_00, SMB3_02, SMB3_11]

Note: ‘server min protocol’ must be the same as or lower than ‘server max protocol’. If the two differ, the client and server must share a dialect within that range; if they are equal, the client must support that specific dialect. Samba also accepts the SMB1-era values NT1, LANMAN2 and LANMAN1 for both parameters. Do not use them for archiving: SMB1 has no encryption, and it is disabled by default in current Windows and Samba releases.

IMPORTANT: Without editing the configuration at all, the default behavior when these parameters are absent from smb.conf is the same as entering the following (this holds for Samba 4.11 and later; before 4.11 the default ‘server min protocol’ was LANMAN1, which permits SMB1):
server signing = auto
server min protocol = SMB2_02
server max protocol = SMB3
Here ‘SMB3’ means the latest SMB3 sub-dialect Samba supports, currently SMB3_11, so a current client negotiates dialect 3.1.1 with no manual configuration at all. What the defaults leave optional is signing.
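The following is an added example, not code from exacqVision or Samba, covering the negotiation described under Manual Enforcement and the configuration and default values listed above. It reads the [global] section of an smb.conf-style text, applies the documented defaults for absent keys (server signing = auto, server min protocol = SMB2_02, server max protocol = SMB3), resolves the SMB2 and SMB3 aliases to SMB2_10 and SMB3_11 as Samba does, and reports which dialects the server will accept, whether signing is enforced, and whether SMB1 is allowed. negotiate() applies the rule that the server answers with the highest dialect both sides support. The parser is deliberately minimal (no include directives, no variable substitution); the ordered dialect table and the two sample configurations are constructed for the example.

```python
"""Added example (not exacqVision or Samba code): audit the smb.conf settings
that control SMB dialect and signing, and simulate the dialect negotiation."""
import re

# Samba dialect names in increasing order. SMB1-era values come first so that
# an explicit 'server min protocol = NT1' is flagged as allowing SMB1.
DIALECT_ORDER = ["LANMAN1", "LANMAN2", "NT1",
                 "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
SMB1_DIALECTS = {"LANMAN1", "LANMAN2", "NT1"}
# Samba resolves SMB2 to the latest SMB2 sub-dialect and SMB3 to the latest SMB3 one.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# Defaults for absent parameters (Samba 4.11 and later).
DEFAULTS = {
    "server signing": "auto",
    "server min protocol": "SMB2_02",
    "server max protocol": "SMB3",
}


def parse_global(conf_text):
    """Return {parameter: value} for the [global] section of an smb.conf text."""
    settings = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and internal whitespace in parameter names.
            settings[" ".join(key.lower().split())] = value.strip()
    return settings


def canonical(name):
    """Resolve aliases and check the dialect name is one Samba accepts."""
    name = ALIASES.get(name.upper(), name.upper())
    if name not in DIALECT_ORDER:
        raise ValueError("unknown dialect: " + name)
    return name


def accepted_dialects(settings):
    """Dialects the server will negotiate, lowest to highest."""
    lo = DIALECT_ORDER.index(canonical(settings.get("server min protocol", DEFAULTS["server min protocol"])))
    hi = DIALECT_ORDER.index(canonical(settings.get("server max protocol", DEFAULTS["server max protocol"])))
    if lo > hi:
        raise ValueError("server min protocol is higher than server max protocol")
    return DIALECT_ORDER[lo:hi + 1]


def negotiate(client_dialects, settings):
    """Highest dialect offered by the client that the server also accepts, or None."""
    offered = {canonical(d) for d in client_dialects}
    common = [d for d in accepted_dialects(settings) if d in offered]
    return common[-1] if common else None


def audit(conf_text):
    """Summarise the security-relevant SMB settings of a configuration."""
    settings = parse_global(conf_text)
    dialects = accepted_dialects(settings)
    signing = settings.get("server signing", DEFAULTS["server signing"]).lower()
    return {
        "dialects": dialects,
        "signing_enforced": signing == "mandatory",   # auto/default only offer it
        "smb1_allowed": any(d in SMB1_DIALECTS for d in dialects),
        "smb311_only": dialects == ["SMB3_11"],
    }


# Constructed sample configurations: the hardened one from the steps above,
# and a minimal one that relies entirely on defaults.
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   server signing = mandatory
   server min protocol = SMB3_11
   server max protocol = SMB3_11
[archive]
   path = /mnt/archive
"""
DEFAULT_CONF = "[global]\n   workgroup = WORKGROUP\n"

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("defaults", DEFAULT_CONF)):
        print(name, audit(conf), negotiate(["SMB2_02", "SMB2_10", "SMB3_00"], parse_global(conf)))
```

Running it shows the point of the IMPORTANT note: with the default configuration a client offering only dialects up to 3.0 still connects (at SMB3_00, unsigned unless it asks), whereas the hardened configuration refuses it.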



Auto Export to a Network Share from Linux-based Exacq Server

To configure auto export from a Linux-based Exacq Server to a network share, complete the following steps (the Windows procedure is covered in the next section):

NOTE: On Linux-based systems this procedure requires exacqVision Server/Client version 6.6 or later.

  1. On the Archiving page in exacqVision Client, add a new archiving target with the appropriate credentials and verify that it connects successfully. Do NOT configure an archiving task for this target.
  2. On the Auto Export page in exacqVision Client, click the Refresh Status button once to ensure that the configured target is presented as an available auto export location.
  3. When you configure an Auto Export profile (or click the Auto Export Now! button), your network target is available in the Export Path or Partition drop-down list.

To remove the network target, complete the following steps:

  1. On the Archiving page in exacqVision Client, delete the archive target.
  2. On the Auto Export page in exacqVision Client, click the Refresh Status button once. The target will no longer be available as an Auto Export location.



Auto Export to Windows Network Share from Windows-based Exacq Server

On a Windows system, exacqVision Server runs as a service. This is desirable because the service starts recording video without user interaction when the system boots. However, it complicates credential management for network storage: the service does not run under a normal user account but under the Local System account, which has no stored network credentials of its own, and mapped drives belong to the logon session that created them, so a share mapped by a logged-in user is not visible to the service.

If you would like to use the Auto Export feature to export video to a network share in Windows, follow the steps below (the Linux procedure is covered in the previous section):

  1. On the Exacq NVR, log into the Windows operating system as an admin user.
  2. Download PsTools and extract PsExec.exe from the zip file.
  3. From the Start menu, select All Programs and then Accessories. Right-click Command Prompt and select Run as Administrator.
  4. Change directory to the location where you extracted PsExec.exe.
  5. At the prompt enter: psexec -i -s cmd.exe
    If necessary, agree to the Sysinternals license agreement. The -s switch runs the new command prompt as the Local System account, so the drive mapped in the next step belongs to the same account the exacqVision Server service runs under.
  6. In the new command window, type
    net use z: \\192.168.1.23\SHARE /persistent:yes
    The drive letter (z: in this example) and the network share location (\\192.168.1.23\SHARE) can vary as desired for your installation. Replace SHARE with your own share name or directory path.
    • If the above fails, you may need to provide credentials for the share. Name the account with /user: and either let net use prompt for the password (recommended, so the password is not recorded in the command history or in process-creation audit logs) or pass it as the argument following the share:
      net use z: \\192.168.1.23\SHARE /user:"USERNAME" /persistent:yes
      net use z: \\192.168.1.23\SHARE "PASSWORD" /user:"USERNAME" /persistent:yes
    • In a domain environment you may need to include the domain name:
      net use z: \\192.168.1.23\SHARE /user:"DOMAIN\USERNAME" /persistent:yes
    • For an account that is local to the file server rather than a domain account, use the file server's computer name as the domain part (replace FILESERVER with that name):
      net use z: \\192.168.1.23\SHARE /user:"FILESERVER\USERNAME" /persistent:yes
  7. If credentials are required and you did not pass a password on the command line, you will be prompted for it. Enter the password.
  8. Once the command completes successfully, close both command prompt windows.
  9. In exacqVision Client, open the Auto Export page under Config. Click Refresh Status to display the newly configured drive in the Export Path drop-down list.

The network share mapped to the Z:\ drive is now available for use in an export profile for event-driven exports or for user-initiated Auto Export.

If you want to remove this share from the machine in the future, open a Command Prompt as Administrator and run PsExec again:
psexec -i -s cmd.exe

At the new prompt, enter:
net use DRIVE: /delete
where DRIVE is replaced with the letter of the mapped drive to remove.