
Is SMB Signing disabled or enabled?

March 8, 2014

This post describes the recommended SMB protocol signing behavior in domain networks.

What is the SMB protocol?

SMB is the resource sharing protocol that is supported by many Windows operating systems. The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of TCP/IP or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources on a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.

What is the SMB Signing feature?

SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and “man in the middle” attacks.

Is disabled SMB signing a risk?

Yes. Attackers can potentially intercept unsigned SMB packets, modify the traffic, and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data.

Recommended SMB Signing Configuration

SMB signing configuration can be changed through Group Policy. Set the GPO as follows:

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options

Disable Microsoft Network Client: Digitally Sign Communications (Always).

Disable Microsoft Network Server: Digitally Sign Communications (Always).

Enable Microsoft Network Client: Digitally Sign Communications (If Server Agrees).

Enable Microsoft Network Server: Digitally Sign Communications (If Client Agrees).
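
To confirm on a given machine that the GPO above has actually been applied, the following added example (not part of the original post) reads the registry values these four Security Options write to and compares them with the settings listed above. It assumes the standard LanmanWorkstation and LanmanServer parameter keys and treats Disabled as 0 and Enabled as 1.

```powershell
# Added example: compare local SMB signing registry values with the four
# Security Options settings listed in the post (Disabled = 0, Enabled = 1).
$expected = @(
    @{ Policy  = 'Microsoft network client: Digitally sign communications (always)'
       Service = 'LanmanWorkstation'; Value = 'RequireSecuritySignature'; Want = 0 },
    @{ Policy  = 'Microsoft network server: Digitally sign communications (always)'
       Service = 'LanmanServer';      Value = 'RequireSecuritySignature'; Want = 0 },
    @{ Policy  = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Service = 'LanmanWorkstation'; Value = 'EnableSecuritySignature';  Want = 1 },
    @{ Policy  = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Service = 'LanmanServer';      Value = 'EnableSecuritySignature';  Want = 1 }
)

$report = foreach ($item in $expected) {
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($item.Service)\Parameters"
    # A missing value means the policy never wrote it; report that explicitly
    # instead of assuming an OS default.
    $prop   = Get-ItemProperty -Path $key -Name $item.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $prop) { $prop.($item.Value) } else { $null }

    [pscustomobject]@{
        Policy        = $item.Policy
        RegistryValue = "$($item.Service)\Parameters\$($item.Value)"
        Expected      = $item.Want
        Actual        = if ($null -eq $actual) { 'not set' } else { $actual }
        Match         = ($actual -eq $item.Want)
    }
}

$report | Format-Table -AutoSize -Wrap

# Summarize drift so the result is easy to spot when run across many hosts.
$drift = @($report | Where-Object { -not $_.Match })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) SMB signing setting(s) differ from the GPO described above."
} else {
    Write-Output 'All four SMB signing settings match the GPO described above.'
}
```

Run it after `gpupdate /force` on a machine in scope of the GPO.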

Additional Information

Overview of Server Message Block signing

http://support.microsoft.com/kb/887429/en-us

The Basics of SMB Signing (covering both SMB1 and SMB2)

http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Microsoft network server: Digitally sign communications (always)

http://technet.microsoft.com/en-us/library/jj852239.aspx

Microsoft network client: Digitally sign communications (always)

http://technet.microsoft.com/en-us/library/jj852186.aspx
