RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

From: Soluk, Kirk (kmsoluk_at_umich.edu)
Date: 05/03/05

    Date: Tue, 3 May 2005 16:09:19 -0400
    To: "Murad Talukdar" <talukdar_m@subway.com>, <focus-ms@securityfocus.com>

    If you disable the SMB signing requirement it means that all your SMB
    based DC to member communications will be subject to MITM attacks. The
    primary concern here is your group policy download. In short, the SMB
    signing requirement provides the assurance that your group policies do
    not get tampered with in transit. Similarly, disabling the secure
    channel encryption\signing requirement means that you have no guarantees
    on all your DC to DC secure channel data (although sensitive information
    within the secure channel session (e.g. password derived data) will
    always be encrypted).

    It makes absolutely no sense to me how an app could be forcing this
    issue unless it's really old or running on a SAMBA machine. Is that the
    case?

    I would push back hard on this. You do not want to take this step
    backward. You have to be running some pretty old or insecure stuff to
    have to disable these settings - SMB signing was introduced in NT4
    Service Pack 3!

    Kirk Soluk
    University of Michigan
    Information Technology Security Services

    -----Original Message-----
    From: Murad Talukdar [mailto:talukdar_m@subway.com]
    Sent: Tuesday, May 03, 2005 3:32 AM
    To: focus-ms@securityfocus.com
    Subject: To disable SMB packet and secure channel signing enforcement on
    Windows Server 2003-based domain controllers

    Hi All,
    We have had the arrival of a new scanner/printer/copier in the office. It uses SMB
    to scan files to shared folders on our W2003 network. In order for it to
    work, however, I have had to do the following:

    1. From Administrative Tools open Domain Controller Security Policy
    2. Smile
    3. Select \Security Settings\Local Policies\Security Options folder.
    4. In the details pane, double-click Microsoft network server:
       Digitally sign communications (always), and then click Disabled to
       prevent SMB packet signing from being required.
    5. Click OK.
    6. In the details pane, double-click Domain member: Digitally encrypt or
       sign secure channel data (always), and then click Disabled to prevent
       secure channel signing from being required.
    7. Click OK.

    Before that, the scan would fail to be sent to the server in question.
    What are the implications of this, given that we do not ostensibly use
    SMB for anything else?
    I've heard scare stories of SMB man-in-the-middle attacks and was under
    the impression that this is what these specific security settings were
    pertaining to, but am not sure.

    There are other options for the scanning, i.e. ftp/email, but neither would
    work as we cannot get approval for the cost of an ftp server, nor can the email
    system take the file sizes that are often required by the scans our users make.

    I can see there will be advice against having shared user folders etc. on
    DCs too, but the big boss wants more from less, if you see what I mean.

    Kind Regards
    Murad Talukdar
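    The two policies changed in the steps quoted above each write a single
    registry value when Group Policy applies, so a domain controller can be
    audited for the weakened state without opening the console. The script
    below is an added example, not part of the original thread or any
    Microsoft tooling: it reads the effective values of "Microsoft network
    server: Digitally sign communications (always)"
    (LanManServer\Parameters\RequireSecuritySignature) and "Domain member:
    Digitally encrypt or sign secure channel data (always)"
    (Netlogon\Parameters\RequireSignOrSeal) and reports whether each is
    enforced. It assumes a host with PowerShell and local Administrator
    rights; the function name Get-SigningPolicyState is the example's own.

```powershell
# Added audit example (not from the original thread): report whether the two
# Security Options policies discussed above are currently enforced on this
# host, by reading the registry values those policies write.
# Assumes PowerShell and Administrator rights on the domain controller.

$checks = @(
    [pscustomobject]@{
        Policy = 'Microsoft network server: Digitally sign communications (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
        Value  = 'RequireSecuritySignature'
    },
    [pscustomobject]@{
        Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Value  = 'RequireSignOrSeal'
    }
)

# Hypothetical helper name chosen for this example.
function Get-SigningPolicyState {
    foreach ($c in $checks) {
        # A missing value name yields $null rather than an error.
        $item = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { $item.($c.Value) } else { $null }

        # 1 = policy Enabled (signing/sealing required).
        # 0 = policy Disabled, the weakened state set in the quoted steps.
        $state = switch ($raw) {
            1       { 'Enforced' }
            0       { 'NOT enforced' }
            default { 'Not set (OS default applies)' }
        }

        [pscustomobject]@{
            Policy   = $c.Policy
            Registry = "$($c.Key)\$($c.Value)"
            Raw      = $raw
            State    = $state
        }
    }
}

# Report; any "NOT enforced" row on a DC is the condition Kirk warns about.
Get-SigningPolicyState | Format-Table -AutoSize
```

    Do not remediate by writing the registry directly: the values are
    re-applied from the Domain Controller Security Policy on the next
    Group Policy refresh, so the fix is to set both policies back to
    Enabled there and run gpupdate, then re-run the audit to confirm both
    rows read "Enforced".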

