Verifying SMB Signing

    Question

  • We've turned on the Group Policy to enable SMB signing on our Network servers and Network clients. Is there an easy way to verify if the settings are taking place? I've been playing with Wireshark but haven't found a way to verify it there.

    Orange County District Attorney

    Sunday, April 17, 2016 5:11 PM

Answers

  • Hi,

    Thanks for your post.

    The easiest way to verify if the GPO settings are taking place is to check the related Registry Keys on the SMB client and SMB server. Please refer to the following tables and articles:

    Here’s a summary of the SMB1 Client signing settings:

    Setting     Group Policy Setting                                            Registry Keys
    Required    Digitally sign communications (always) – Enabled                RequireSecuritySignature = 1
    Enabled*    Digitally sign communications (if server agrees) – Enabled      EnableSecuritySignature = 1, RequireSecuritySignature = 0
    Disabled    Digitally sign communications (if server agrees) – Disabled     EnableSecuritySignature = 0, RequireSecuritySignature = 0

    Here’s a summary of SMB1 Server signing settings:

    Setting       Group Policy Setting                                            Registry Keys
    Required***   Digitally sign communications (always) – Enabled                RequireSecuritySignature = 1
    Enabled       Digitally sign communications (if client agrees) – Enabled      EnableSecuritySignature = 1, RequireSecuritySignature = 0
    Disabled **   Digitally sign communications (if client agrees) – Disabled     EnableSecuritySignature = 0, RequireSecuritySignature = 0

    Here’s a summary of the SMB2 client and SMB2 server signing settings:

    Setting          Group Policy Setting                                 Registry Key
    Required *       Digitally sign communications (always) – Enabled     RequireSecuritySignature = 1
    Not Required **  Digitally sign communications (always) – Disabled    RequireSecuritySignature = 0

    The Basics of SMB Signing (covering both SMB1 and SMB2)

    https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/

    Overview of Server Message Block signing

    https://support.microsoft.com/en-us/kb/887429

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Sandy Wood Thursday, April 21, 2016 2:03 PM
    Monday, April 18, 2016 3:26 AM
    Moderator
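One way to read those two values on the machine itself and map them to the rows of the tables above, as an added example that is not part of the thread. It assumes the standard LanmanWorkstation and LanmanServer Parameters keys under HKLM\SYSTEM\CurrentControlSet\Services, and, for the live cross-check, the Get-SmbConnection cmdlet available on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the thread). Assumed standard locations of the values
# named in the tables: EnableSecuritySignature and RequireSecuritySignature.
$paths = [ordered]@{
    'SMB client (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    'SMB server (LanmanServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningState {
    param([string]$Role, [string]$Path)
    $props   = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $require = $props.RequireSecuritySignature
    $enable  = $props.EnableSecuritySignature

    # Map to the table rows. A value that is absent was never written by the
    # policy, so report it as "not configured" rather than treating it as 0.
    $state = if ($require -eq 1) { 'Required (always sign)' }
             elseif ($enable -eq 1) { 'Enabled (sign if peer agrees; SMB1 only)' }
             elseif ($null -eq $require -and $null -eq $enable) { 'Not configured by policy' }
             else { 'Disabled / Not Required' }

    [pscustomobject]@{
        Role                     = $Role
        RequireSecuritySignature = $require
        EnableSecuritySignature  = $enable
        State                    = $state
    }
}

$paths.GetEnumerator() |
    ForEach-Object { Get-SmbSigningState -Role $_.Key -Path $_.Value } |
    Format-Table -AutoSize

# Cross-check against what was actually negotiated: each established SMB
# session reports whether signing is in use on that connection.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Signed |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session after a `gpupdate /force`; the registry half shows what the policy wrote, and the `Signed` column shows whether the peer honoured it for the sessions currently open.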
  • Hi,

    From the TechNet article, we can see the best practice is:

    1. Configure the following security policy settings as follows:
      • Disable Microsoft Network Client: Digitally Sign Communications (Always).
      • Disable Microsoft Network Server: Digitally Sign Communications (Always).
      • Enable Microsoft Network Client: Digitally Sign Communications (If Server Agrees).
      • Enable Microsoft Network Server: Digitally Sign Communications (If Client Agrees).
    2. Alternately, you can set all of these policy settings to Enabled, but enabling them can cause slower performance on client computers and prevent them from communicating with legacy SMB applications and operating systems.

    Microsoft network server: Digitally sign communications (always)

    https://technet.microsoft.com/en-us/library/jj852239.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Sandy Wood Thursday, April 21, 2016 2:03 PM
    Tuesday, April 19, 2016 2:19 AM
    Moderator

All replies

  • I'm using these group policies on our clients and servers to hopefully force SMB signing. Is this enough or do I need any other settings?


    Orange County District Attorney

    Monday, April 18, 2016 3:14 PM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 21, 2016 7:19 AM
    Moderator
  • Yes, thanks. The information was helpful!

    Orange County District Attorney

    Thursday, April 21, 2016 2:03 PM