Re: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 05/04/05
- Previous message: Langston, Fred: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- In reply to: Soluk, Kirk: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Next in thread: David LeBlanc: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 03 May 2005 15:26:33 -0700
To: "Soluk, Kirk" <kmsoluk@umich.edu>
That's not necessarily true... some of the brand spanking new
printers/copiers/scanners do indeed not support this.
Soluk, Kirk wrote:
>If you disable the SMB signing requirement it means that all your SMB
>based DC to member communications will be subject to MITM attacks. The
>primary concern here is your group policy download. In short, the SMB
>signing requirement provides the assurance that your group policies do
>not get tampered with in transit. Similarly, disabling the secure
>channel encryption\signing requirement means that you have no guarantees
>on all your DC to DC secure channel data (although sensitive information
>within the secure channel session (e.g. password derived data) will
>always be encrypted).
>
>It makes absolutely no sense to me how an app could be forcing this
>issue unless it's really old or running on a SAMBA machine. Is that the
>case?
>
>I would push back hard on this. You do not want to take this step
>backward. You have to be running some pretty old or insecure stuff to
>have to disable these settings - SMB signing was introduced in NT4
>Service Pack 3!
>
>Kirk Soluk
>University of Michigan
>Information Technology Security Services
>
>-----Original Message-----
>From: Murad Talukdar [mailto:talukdar_m@subway.com]
>Sent: Tuesday, May 03, 2005 3:32 AM
>To: focus-ms@securityfocus.com
>Subject: To disable SMB packet and secure channel signing enforcement on
>Windows Server 2003-based domain controllers
>
>Hi All,
>We have had arrival of new scanner/printer/copier in office. It uses SMB
>to scan files to shared folders on our W2003 network. In order for it to
>work however, I have had to do the following;
>
>1. From Administrative Tools open Domain Controller Security Policy
>2. Smile
>3. Select \Security Settings\Local Policies\Security Options folder.
>4. In the details pane, double-click Microsoft network server: Digitally
>sign communications (always), and then click Disabled to prevent SMB
>packet signing from being required.
>5. Click OK.
>6. In the details pane, double-click Domain member: Digitally encrypt or
>sign secure channel data (always), and then click Disabled to prevent
>secure channel signing from being required.
>7. Click OK.
>
>Before that, the scan would fail to be sent to the server in question.
>What are the implications of this--given that we do not ostensibly use
>SMB for anything else.
>I've heard scare stories of SMB man in the middle attacks and was under
>the impression that this is what these specific security settings were
>pertaining to but am not sure.
>
>There are other options for the scanning, i.e. ftp/email, but neither would
>work as we cannot get approval for the cost of an ftp server, nor can the email
>system take the file sizes that are often req'd by scans our users make.
>
>I can see there will be advice against having shared user folders etc on
>DC's too but the big boss wants more from less if you see what I mean.
>
>
>Kind Regards
>Murad Talukdar
--
Dear Mr. Aitel: http://msmvps.com/bradley/archive/2005/04/13/42009.aspx
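The two policy items Murad switched to Disabled are backed by registry values that can be audited and restored from a shell. The script below is an added example, not code from this thread or from Microsoft: it reads the values behind "Microsoft network server: Digitally sign communications (always)" (LanmanServer\Parameters\RequireSecuritySignature) and "Domain member: Digitally encrypt or sign secure channel data (always)" (Netlogon\Parameters\RequireSignOrSeal), reports which of the two protections Kirk describes is currently missing, and offers a function to set both back to required. It assumes an elevated PowerShell session on the domain controller itself.

```powershell
# Added example (not part of the original thread): audit the two signing
# requirements discussed above by reading the registry values that the
# corresponding Group Policy items write, then optionally restore them.
# Assumes an elevated PowerShell session on the Windows domain controller.

$signingChecks = @(
    [pscustomobject]@{
        Policy = 'Microsoft network server: Digitally sign communications (always)'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Name   = 'RequireSecuritySignature'
        # Kirk's point: unsigned SMB lets a MITM tamper with what clients
        # pull from this server, including Group Policy from SYSVOL.
        Risk   = 'SMB to this server (incl. SYSVOL/Group Policy reads) is unsigned and can be tampered with in transit'
    },
    [pscustomobject]@{
        Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name   = 'RequireSignOrSeal'
        Risk   = 'Netlogon secure channel is not required to be signed or sealed'
    }
)

function Get-SigningPosture {
    # Returns one object per policy item with the live registry value and a
    # verdict. A value of 1 means "required"; 0 or absent means not required.
    foreach ($check in $signingChecks) {
        $item  = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($check.Name) } else { $null }

        if ($value -eq 1) {
            $verdict = 'OK: required'
        } else {
            $verdict = "WEAK: $($check.Risk)"
        }

        [pscustomobject]@{
            Policy   = $check.Policy
            Value    = if ($null -eq $value) { '<not set>' } else { $value }
            Required = ($value -eq 1)
            Verdict  = $verdict
        }
    }
}

function Set-SigningRequired {
    # Puts both values back to 1 (Enabled / required). Note that on a DC the
    # Domain Controller Security Policy GPO will overwrite these at the next
    # policy refresh, so make the same change in that GPO as well; the
    # services read the values at start, so expect a service restart or
    # reboot before the enforcement is live (assumed here, verify in your
    # environment).
    foreach ($check in $signingChecks) {
        Set-ItemProperty -Path $check.Path -Name $check.Name -Value 1 -Type DWord
    }
    Get-SigningPosture
}

# Usage: report the current posture. Any row whose Verdict starts with WEAK
# corresponds to a step in the procedure quoted above that is still in force.
Get-SigningPosture | Format-Table -AutoSize -Wrap
```

A practical note on scoping: the "(always)" server-side signing requirement is a default of the Domain Controller Security Policy, not of an ordinary member server, so a scanner that cannot sign only collides with it because the scan share lives on the DC. Hosting the share on a member server keeps the DC's enforcement intact while still letting the device drop files over SMB.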