diff --git a/modules/services/samba.nix b/modules/services/samba.nix
index 2cde5b9..ec106dd 100644
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
@@ -72,6 +72,10 @@
       "server min protocol = SMB3_11"
       # Require native SMB transport encryption by default.
       "server smb encrypt = required"
+      # Do not map the executable bit to anything
+      "map archive = no"
+      "map system = no"
+      "map hidden = no"
 
       # Disable printer sharing. By default Samba shares printers configured
       # using CUPS.
@@ -94,7 +98,7 @@
             "#persistRoot" = persistRoot;
             "read only" = "no";
             "guest ok" = "no";
-            "create mask" = "0640";
+            "create mask" = "0740";
             "directory mask" = "0750";
             "force user" = "${user}";
             "force group" = "${group}";
diff --git a/modules/smb-mounts.nix b/modules/smb-mounts.nix
index d2622e2..d2957f3 100644
--- a/modules/smb-mounts.nix
+++ b/modules/smb-mounts.nix
@@ -82,6 +82,8 @@ in {
                       ++ [
                         "uid=${toString uid}"
                         "gid=${toString gid}"
+                        "file_mode=0600"
+                        "dir_mode=0700"
                         "credentials=${cfg.credentials}"
                       ]
                       ++ (optional (!cfg.automatic) "noauto");