diff --git a/plinth/modules/samba/__init__.py b/plinth/modules/samba/__init__.py
index cab73b3b8..2a2cd21f2 100644
--- a/plinth/modules/samba/__init__.py
+++ b/plinth/modules/samba/__init__.py
@@ -41,7 +41,7 @@ class SambaApp(app_module.App):
 app_id = 'samba'
- _version = 2
+ _version = 3
 def __init__(self):
 """Create components for the app."""
@@ -99,7 +99,8 @@ class SambaApp(app_module.App):
 """Install and configure the app."""
 super().setup(old_version)
 privileged.setup()
- self.enable()
+ if not old_version:
+ self.enable()
 class SambaBackupRestore(BackupRestore):
diff --git a/plinth/modules/samba/privileged.py b/plinth/modules/samba/privileged.py
index e91857926..3f6cb267a 100644
--- a/plinth/modules/samba/privileged.py
+++ b/plinth/modules/samba/privileged.py
@@ -39,6 +39,14 @@ CONF = r'''
 deadtime = 5
 # enable registry based shares
 registry shares = yes
+ # Make sure Samba isn't available over the Internet.
+ # https://en.wikipedia.org/wiki/localhost
+ # https://en.wikipedia.org/wiki/Private_network
+ # https://en.wikipedia.org/wiki/Link-local_address
+ # https://en.wikipedia.org/wiki/Unique_local_address
+ access control = yes
+ hosts allow = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 [::1] [fc00::]/7 [fe80::]
+ hosts deny = all
 ''' # noqa: E501
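Review bot: Existing installs only pick up the new `hosts allow`/`hosts deny` restrictions if the running daemon re-reads its configuration after `privileged.setup()` in `setup()`, and nothing in this hunk shows a restart or reload on the upgrade path. The body of `privileged.setup()` is outside the diff, so this may already be handled there; if it is not, an upgrade from version 2 would leave the service running with the old, unrestricted settings until its next restart. The new guard would also benefit from a short comment, e.g. `# Enable only on first install; an upgrade must not re-enable an app the user disabled.`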
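Review bot: The last entry of the added `hosts allow` line, `[fe80::]`, has no prefix length, unlike `[fc00::]/7` beside it, so it probably does not cover the link-local range the comment links to; `[fe80::]/10` looks like what was meant. `access control = yes` is also not a parameter I can find in smb.conf(5); if `testparm` reports it as unknown it should be dropped, because it reads like a switch that the allow/deny lists depend on. A test that runs the rendered `CONF` through `testparm` would catch both. These lists filter on source address only, so they complement the firewall rule for the service rather than replace it. The `CONF` string starts outside the hunk.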