RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 05/03/05

  • Next message: Serge Jorgensen: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
    Date: Tue, 03 May 2005 16:18:31 -0400
    To: "'Murad Talukdar'" <talukdar_m@subway.com>, <focus-ms@securityfocus.com>
    
    

    The implications of what you've changed are pretty much what you've thought
    they are. One thing, however: you *are* using SMB. SMB is not NetBIOS (a lot
    of people tend to think that if they disable NetBIOS, they're disabling SMB,
    and that's not the case); it is what is used to establish "name-based"
    sessions between machines. Basically, nearly any TCP session between
    Winboxen is also an SMB session.

    So, at the very least, if you can set the SMB packet signing options to
    "when possible" (or whatever it says; I'm thinking off the top of my head
    and said head is achy right now), then your Windows machines can still
    utilize SMB signing but your scanner/printer/copier can still work.
    Alternately, contact the vendor of the device to find out if the machine can
    be configured to do SMB signing. Finally, no, it's not the end of the world
    if you can't use SMB signing. It's just one of the options available to you
    to harden your environment. With that said, the fact that you have shares on
    your DCs would make me want to lean towards being more conservative and
    utilizing SMB signing if at all possible.

    My pennies,

    Laura

    > -----Original Message-----
    > From: Murad Talukdar [mailto:talukdar_m@subway.com]
    > Sent: Tuesday, May 03, 2005 3:32 AM
    > To: focus-ms@securityfocus.com
    > Subject: To disable SMB packet and secure channel signing
    > enforcement on Windows Server 2003-based domain controllers
    >
    > Hi All,
    > We have had the arrival of a new scanner/printer/copier in the office.
    > It uses SMB to scan files to shared folders on our W2003
    > network. In order for it to work, however, I have had to do
    > the following:
    >
    > 1. From Administrative Tools open Domain Controller Security
    >    Policy
    > 2. Smile
    > 3. Select \Security Settings\Local Policies\Security Options
    >    folder.
    > 4. In the details pane, double-click Microsoft network server:
    >    Digitally sign communications (always), and then click
    >    Disabled to prevent SMB packet signing from being required.
    > 5. Click OK.
    > 6. In the details pane, double-click Domain member: Digitally
    >    encrypt or sign secure channel data (always), and then click
    >    Disabled to prevent secure channel signing from being
    >    required.
    > 7. Click OK.
    >
    > Before that, the scan would fail to be sent to the server in question.
    > What are the implications of this, given that we do not
    > ostensibly use SMB for anything else?
    > I've heard scare stories of SMB man in the middle attacks and
    > was under the impression that this is what these specific
    > security settings were pertaining to but am not sure.
    >
    > There are other options for the scanning, i.e. ftp/email, but
    > neither would work, as we cannot get approval for the cost of an ftp
    > server, nor can the email system take the file sizes that are
    > often req'd by the scans our users make.
    >
    > I can see there will be advice against having shared user
    > folders etc. on DCs too, but the big boss wants more from less,
    > if you see what I mean.
    >
    >
    > Kind Regards
    > Murad Talukdar

    ---------------------------------------------------------------------------
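
An added example, not part of the original thread: a read-only PowerShell check, run on the domain controller, of the registry values that back the two policies changed in the question plus the "if client agrees" server setting that the reply suggests. It assumes PowerShell is installed on the server; the summary wording is this example's own and describes SMB1-era negotiation.

```powershell
# Added example: read-only audit of the signing policies discussed in this thread.
# Policy -> registry value (under HKLM\SYSTEM\CurrentControlSet\Services):
#   Microsoft network server: Digitally sign communications (always)
#       LanmanServer\Parameters\RequireSecuritySignature
#   Microsoft network server: Digitally sign communications (if client agrees)
#       LanmanServer\Parameters\EnableSecuritySignature
#   Domain member: Digitally encrypt or sign secure channel data (always)
#       Netlogon\Parameters\RequireSignOrSeal
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    # Returns the DWORD, or $null when the value has never been written.
    $item = Get-ItemProperty -Path "$base\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Format-Raw {
    param($Value)
    if ($null -eq $Value) { '(not set)' } else { [string]$Value }
}

$srvRequire = Get-PolicyValue 'LanmanServer\Parameters' 'RequireSecuritySignature'
$srvEnable  = Get-PolicyValue 'LanmanServer\Parameters' 'EnableSecuritySignature'
$scRequire  = Get-PolicyValue 'Netlogon\Parameters'     'RequireSignOrSeal'

# Summarise what the server side will negotiate with SMB clients.
if ($srvRequire -eq 1) {
    $smb = 'required: clients that cannot sign are refused'
} elseif ($srvEnable -eq 1) {
    $smb = 'if client agrees: signing clients sign, non-signing devices still connect'
} else {
    $smb = 'disabled: no SMB session to this server is signed'
}

# Summarise the secure channel (Netlogon) requirement.
if ($scRequire -eq 1) { $sc = 'required' } else { $sc = 'not required' }

Write-Output ("RequireSecuritySignature = {0}" -f (Format-Raw $srvRequire))
Write-Output ("EnableSecuritySignature  = {0}" -f (Format-Raw $srvEnable))
Write-Output ("RequireSignOrSeal        = {0}" -f (Format-Raw $scRequire))
Write-Output ("SMB server signing     : {0}" -f $smb)
Write-Output ("Secure channel signing : {0}" -f $sc)
```

A value reported as "(not set)" means no policy has written it on that machine, so the summary line treats it as not enabled.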

