RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 05/03/05

  • Next message: Serge Jorgensen: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
    Date: Tue, 03 May 2005 16:18:31 -0400
    To: "'Murad Talukdar'" <talukdar_m@subway.com>, <focus-ms@securityfocus.com>
    
    

    The implications of what you've changed is pretty much what you've thought
    they are. One thing, however- you *are* using SMB. SMB is not NetBIOS (a lot
    of people tend to think that if they disable NetBIOS, they're disabling SMB,
    and that's not the case); it is what is used to establish "name-based"
    sessions between machines. Basically, nearly any TCP session between
    Winboxen is also an SMB session.

    So, at the very least, if you can set the SMB packet signing options to
    "when possible" (or whatever it says; I'm thinking off the top of my head
    and said head is achy right now), then your Windows machines can still
    utilize SMB signing but your scanner/printer/copier can still work.
    Alternately, contact the vendor of the device to find out if the machine can
    be configured to do SMB signing. Finally, no, it's not the end of the world
    if you can't use SMB signing. It's just one of the options available to you
    to harden your environment. With that said, the fact that you have shares on
    your DCs would make me want to lean towards being more conservative and
    utilizing SMB signing if at all possible.

    My pennies,

    Laura

    > -----Original Message-----
    > From: Murad Talukdar [mailto:talukdar_m@subway.com]
    > Sent: Tuesday, May 03, 2005 3:32 AM
    > To: focus-ms@securityfocus.com
    > Subject: To disable SMB packet and secure channel signing
    > enforcement on Windows Server 2003-based domain controllers
    >
    > Hi All,
    > We have had arrival of new scanner/printer/copier in office.
    > It uses SMB to scan files to shared folders on our W2003
    > network. In order for it to work however, I have had to do
    > the following;
    >
    > 1. From Administrative Tools open Domain Controller Security
    > Policy 2. Smile 3. Select \Security Settings\Local
    > Policies\Security Options folder. 4. In the details pane,
    > double-click Microsoft network server: Digitally sign
    > communications (always), and then click Disabled to prevent
    > SMB packet signing from being required. 5. Click OK. 6. In
    > the details pane, double-click Domain member: Digitally
    > encrypt or sign secure channel data (always), and then click
    > Disabled to prevent secure channel signing from being
    > required. 7. Click OK.
    >
    > Before that, the scan would fail to be sent to the server in question.
    > What are the implications of this--given that we do not
    > ostensibly use SMB for anything else.
    > I've heard scare stories of SMB man in the middle attacks and
    > was under the impression that this is what these specific
    > security settings were pertaining to but am not sure.
    >
    > There are other options for the scanning ie ftp/email but
    > neither would work as we cannot get approval for cost of ftp
    > server nor can the email system take the file sizes that are
    > often req'd by scans our users make.
    >
    > I can see there will be advice against having shared user
    > folders etc on DC's too but the big boss wants more from less
    > if you see what I mean.
    >
    >
    > Kind Regards
    > Murad Talukdar
    >
    >
    >
    >
    > --------------------------------------------------------------
    > -------------
    > --------------------------------------------------------------
    > -------------
    >

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------


  • Next message: Serge Jorgensen: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"