
SMB Message Signing

SMB message signing is actually four different settings:

  • Microsoft network client: Digitally sign communications (always). Sets the Workstation service to require message signing on outbound requests to SMB servers. We recommend you turn this setting on for all systems making outbound Windows networking requests to other systems, including all systems that are used for browsing the Web.
  • Microsoft network client: Digitally sign communications (if server agrees). Sets the Workstation service to request message signing on outbound requests to SMB servers. This is the only setting of the four that is on by default.
  • Microsoft network server: Digitally sign communications (always). Sets the Server service to require message signing on inbound requests from SMB clients. We recommend you turn this setting on for all systems if possible.
  • Microsoft network server: Digitally sign communications (if client agrees). Sets the Server service to request message signing on inbound requests from SMB clients. We recommend that, at a bare minimum, this setting is configured on all systems acting as servers.

Turning on SMB message signing is a tricky operation. If you set the Workstation service to require signing, the system will fail to connect to any Windows system in a default configuration, because message signing on the Server service is not enabled by default. The reason it is not on by default is that it generates a small overhead (up to about 5 percent), which was believed to be unacceptable on many systems.
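The four policies above are backed by two registry values under each of the Workstation and Server service parameter keys. As an added example (not the book's own code), the following PowerShell audits all four against the recommendations in the list and can apply the server-side bare minimum; the registry paths and value names are the documented backing store for these Group Policy settings, while the short policy labels and the Default/Recommended columns are this example's restatement of the text.

```powershell
# Added example, not from the book: audit the four SMB signing policies and
# optionally apply the text's bare minimum (Server service signs if client agrees).
# Registry paths/value names are the documented backing store for the policies;
# Default and Recommended restate the text and are this example's own labels.
$SmbSigningPolicies = @(
    [pscustomobject]@{ Policy = 'Client: sign (always)';           Default = 0; Recommended = 1
                       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
                       Name = 'RequireSecuritySignature' }
    [pscustomobject]@{ Policy = 'Client: sign (if server agrees)'; Default = 1; Recommended = 1
                       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
                       Name = 'EnableSecuritySignature' }
    [pscustomobject]@{ Policy = 'Server: sign (always)';           Default = 0; Recommended = 1
                       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
                       Name = 'RequireSecuritySignature' }
    [pscustomobject]@{ Policy = 'Server: sign (if client agrees)'; Default = 0; Recommended = 1
                       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
                       Name = 'EnableSecuritySignature' }
)

function Get-SmbSigningAudit {
    foreach ($p in $SmbSigningPolicies) {
        # An absent value means the policy was never configured, so the default applies.
        $raw = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $effective = if ($null -eq $raw) { $p.Default } else { [int]$raw }
        [pscustomobject]@{
            Policy      = $p.Policy
            Configured  = if ($null -eq $raw) { 'not set (default)' } else { $raw }
            Effective   = $effective
            Recommended = $p.Recommended
            Status      = if ($effective -eq $p.Recommended) { 'OK' } else { 'REVIEW' }
        }
    }
}

function Set-SmbSigningBaseline {
    # Applies only the server-side bare minimum. Requiring signing on the Workstation
    # service is left as a manual step: it breaks connections to any server that still
    # has Server-service signing disabled, which is the default configuration.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $server = $SmbSigningPolicies | Where-Object Name -eq 'EnableSecuritySignature' |
              Where-Object Path -like '*LanmanServer*'
    if ($PSCmdlet.ShouldProcess($server.Path, "Set $($server.Name) = 1")) {
        Set-ItemProperty -Path $server.Path -Name $server.Name -Value 1 -Type DWord
    }
}

Get-SmbSigningAudit | Format-Table -AutoSize
```

Run the audit first; `Set-SmbSigningBaseline -WhatIf` shows the one change it would make before you commit to it.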

We think, however, that this setting is incredibly valuable and should be required on all systems. The reason is that SMB message signing helps thwart an entire class of man-in-the-middle attacks known as SMB reflection attacks. These have been used in the wild since at least 2000. It also breaks other types of man-in-the-middle attacks that rely on forwarding SMB messages.

On Windows XP Service Pack 2 and higher, the SMB reflection attack is broken even if SMB message signing is not enabled. However, because there are other man-in-the-middle attacks that are not mitigated this way, it is still important to configure SMB message signing on Windows XP.
