RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers
From: Serge Jorgensen (sjorgensen_at_usinfosec.com)
Date: 05/03/05
- Previous message: Laura A. Robinson: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Maybe in reply to: Murad Talukdar: "To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Next in thread: Richard J. Pollock, Jr.: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Reply: Richard J. Pollock, Jr.: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 3 May 2005 15:43:30 -0400 To: "Murad Talukdar" <talukdar_m@subway.com>, <focus-ms@securityfocus.com>
Murad,
Why not just share a folder on the local user's workstation? That
doesn't require the changes on the DC, and you can always sync the
folders back to the DC if you need some backup.
R/
Serge
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Tuesday, May 03, 2005 3:32 AM
To: focus-ms@securityfocus.com
Subject: To disable SMB packet and secure channel signing enforcement on
Windows Server 2003-based domain controllers
Hi All,
We have had arrival of new scanner/printer/copier in office. It uses SMB
to scan files to shared folders on our W2003 network. In order for it to
work however, I have had to do the following;
1. From Administrative Tools open Domain Controller Security Policy 2.
Smile 3. Select \Security Settings\Local Policies\Security Options
folder. 4. In the details pane, double-click Microsoft network server:
Digitally sign communications (always), and then click Disabled to
prevent SMB packet signing from being required. 5. Click OK. 6. In the
details pane, double-click Domain member: Digitally encrypt or sign
secure channel data (always), and then click Disabled to prevent secure
channel signing from being required. 7. Click OK.
Before that, the scan would fail to be sent to the server in question.
What are the implications of this--given that we do not ostensibly use
SMB for anything else.
I've heard scare stories of SMB man in the middle attacks and was under
the impression that this is what these specific security settings were
pertaining to but am not sure.
There are other options for the scanning ie ftp/email but neither would
work as we cannot get approval for cost of ftp server nor can the email
system take the file sizes that are often req'd by scans our users make.
I can see there will be advice against having shared user folders etc on
DC's too but the big boss wants more from less if you see what I mean.
Kind Regards
Murad Talukdar
------------------------------------------------------------------------
--- ------------------------------------------------------------------------ --- Sylint Cyber Security, Intelligence & Analysis Serge Jorgensen +1.941.951.6015 sjorgensen@usinfosec.com The Sylint Group PO Box 49886 Sarasota, Florida 34230 USA -------------------------------------------------------------------------------- This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, please contact the sender immediately by reply email and destroy all copies. You are hereby notified that any disclosure, copying or distribution of this message, or the taking of any action based on it, is strictly prohibited. --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Laura A. Robinson: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Maybe in reply to: Murad Talukdar: "To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Next in thread: Richard J. Pollock, Jr.: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Reply: Richard J. Pollock, Jr.: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
