
SMB Signing is disabled or enabled ?

This post describes the recommended SMB signing configuration for domain networks, what each of the Group Policy settings actually does, and how to check that the setting is in effect.

What is the SMB protocol?

SMB is the resource-sharing protocol supported by all Windows operating systems. The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write files, and to request services from server programs, across a network. SMB runs directly over TCP/IP (port 445) or, historically, over NetBIOS over TCP/IP (port 139). Using SMB, an application (or the user of an application) can access files or other resources on a remote server: read, create and update files, and communicate with any server program (named pipes such as those used by RPC) that is set up to receive SMB client requests.

What is the SMB signing feature?

SMB signing is a feature through which SMB communications are digitally signed at the packet level (per packet in SMB1, per message in SMB2 and later). Each signature is a keyed hash computed with a key derived from the session key established during authentication, so the recipient can confirm that the message came from the authenticated peer and was not altered in transit. This mechanism protects against tampering with packets and against "man in the middle" attacks on an SMB session; the best-known practical case is relaying a client's NTLM authentication to a server that does not require signing.

Is disabled SMB signing a risk?

Yes. An attacker positioned between client and server can intercept unsigned SMB packets, modify them and forward them, so that the server performs actions the client never requested. Alternatively, the attacker can take over the session after the legitimate authentication (posing as the server to the client, or as the client to the server) and gain unauthorized access to data. Note that signing provides integrity and origin authentication only; it does not encrypt the traffic, which is a separate feature introduced with SMB 3.0.

Recommended SMB Signing Configuration?

SMB signing is configured through Group Policy. The settings live under:

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options

The configuration below matches the defaults Microsoft ships for domain member computers (on domain controllers the server "Always" setting is enabled by default, so clients must sign when talking to a DC):

Disable Microsoft Network Client: Digitally Sign Communications (Always).

Disable Microsoft Network Server: Digitally Sign Communications (Always).

Enable Microsoft Network Client: Digitally Sign Communications (If Server Agrees).

Enable Microsoft Network Server: Digitally Sign Communications (If Client Agrees).

Two caveats a practitioner should know before settling on this:

The "(Always)" settings are the only ones that enforce signing. With them disabled, a session is signed only when the other side requires it, so a man in the middle that controls the negotiation can still obtain an unsigned session. If every client and server in scope supports signing (every supported Windows version does), enabling the two "(Always)" settings is what actually closes the tampering and relay risk described above. The reason the "(Always)" settings were historically left off was CPU cost on busy file servers and compatibility with third-party SMB implementations; test both before enabling them fleet-wide.

The "(If Server Agrees)" and "(If Client Agrees)" settings only influence SMB1. SMB2 and later have exactly two states, required or not required: the session is signed if either side requires it and unsigned otherwise, regardless of the "If ... Agrees" values.

The four settings map to the registry values that the GPO writes: RequireSecuritySignature ("Always") and EnableSecuritySignature ("If ... Agrees") under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters for the client side and under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters for the server side.
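The following script is an added example, not part of the original post: it audits the four registry values that the Group Policy settings above write, reports the effective signing mode for the client and server roles, warns when signing is merely negotiated rather than required, and lists the SMB connections currently open from the host with their Signed flag so you can see whether negotiation actually produced a signed session. It assumes a Windows 8 / Server 2012 or later host, where the SmbShare module (Get-SmbConnection) exists, and an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit effective SMB signing policy
# from the registry values written by the four GPO settings, then show whether
# currently open SMB connections were actually signed.
# Assumes Windows 8 / Server 2012+ (SmbShare module) and an elevated session.

$paths = @{
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningPolicy {
    param([string]$Role, [string]$Path)

    # RequireSecuritySignature = "Digitally sign communications (always)"
    # EnableSecuritySignature  = "Digitally sign communications (if server/client agrees)"
    # A value that is absent means "not configured" and is treated as 0.
    $require = (Get-ItemProperty -Path $Path -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    $enable  = (Get-ItemProperty -Path $Path -Name EnableSecuritySignature  -ErrorAction SilentlyContinue).EnableSecuritySignature

    # SMB2+ has only two states; "Negotiated" means the session is signed only
    # when the peer requires it (for SMB1, when the peer also has signing enabled).
    $mode = if ($require -eq 1)   { 'Required' }
            elseif ($enable -eq 1) { 'Negotiated' }
            else                   { 'Disabled' }

    [pscustomobject]@{
        Role                     = $Role
        RequireSecuritySignature = [int]$require   # 1 = "(Always)" enabled
        EnableSecuritySignature  = [int]$enable    # 1 = "(If ... Agrees)" enabled
        EffectiveMode            = $mode
        EnforcesSigning          = ($require -eq 1)
    }
}

$policy = foreach ($role in $paths.Keys) {
    Get-SmbSigningPolicy -Role $role -Path $paths[$role]
}
$policy | Format-Table -AutoSize

# Only "Required" defeats a man in the middle: in "Negotiated" mode an attacker
# who controls the negotiation can simply decline to require signing.
foreach ($p in $policy) {
    if (-not $p.EnforcesSigning) {
        Write-Warning ("SMB {0} role does not require signing; unsigned sessions are still possible." -f $p.Role)
    }
}

# Which outbound SMB connections from this host actually ended up signed.
# Dialect shows the negotiated SMB version; Signed is the outcome of negotiation.
Get-SmbConnection |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed |
    Format-Table -AutoSize
```

Run it on a member server and on a domain controller and compare: on the DC the Server role should report Required (RequireSecuritySignature = 1) because that is the default there, while a member server with the configuration above reports Negotiated for both roles. If the Signed column for a connection to a member server is still True even though neither side requires signing, the session was negotiated with a peer that does require it (for example a domain controller), not because the "If ... Agrees" setting forced it.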

Additional Information

Overview of Server Message Block signing
http://support.microsoft.com/kb/887429/en-us

The Basics of SMB Signing (covering both SMB1 and SMB2)
http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Microsoft network server: Digitally sign communications (always)
http://technet.microsoft.com/en-us/library/jj852239.aspx

Microsoft network client: Digitally sign communications (always)
http://technet.microsoft.com/en-us/library/jj852186.aspx

  1. April 4, 2014 at 1:54 am

    It’s hard to come by well-informed people for this subject, but you seem like you know what you’re talking about!
    Thanks

  2. November 7, 2014 at 1:52 pm

    I read this post fully about the comparison of newest and previous technologies,
    it’s awesome article.

  3. December 25, 2014 at 11:19 am

    I do agree with all the ideas you have introduced in your post.
    They are very convincing and will definitely work. Still, the posts are very brief for beginners.
    Could you please extend them a little next time?
    Thank you for the post.

  4. January 25, 2015 at 5:23 am

    Hello, after reading this remarkable post i am too delighted to
    share my familiarity here with colleagues.

  5. February 2, 2015 at 10:22 am

    Helpful information. Fortunately I discovered your website by accident, and I'm stunned that this twist of fate didn't come about
    earlier! I bookmarked it.

  6. Jeff Stevens
    February 24, 2015 at 7:34 pm

    It is not clear from this how SMB signing can be disabled. From what I’m reading, if it’s a Win7+ client and Win2008R2 server, both have the ability to sign SMB 2.0 traffic, and thus will negotiate SMB 2.0 signing on the connection and then use it. The only difference with these settings is that it is not required, but since the option is still there for both, and both prefer to sign, there’s no way to prevent signing.

    All you can do is disable the REQUIREMENT. But since both client and server will default to signing behavior, there’s no way to prevent it.

    This has also been our experience in the office. We have removed the requirement from client and server (verified in the Registry), and we can’t turn it off. Any ideas?
