Re: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers
From: vic brown (vabrown_at_mailer.fsu.edu)
Date: 05/04/05
- Previous message: David LeBlanc: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- In reply to: Murad Talukdar: "To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Next in thread: Murad Talukdar: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 03 May 2005 18:11:18 -0500
To: Murad Talukdar <talukdar_m@subway.com>, focus-ms@securityfocus.com
A stand-alone repository box might not be a bad solution (win32 or
samba). The application is ASSuming that you want to store the files in
your domain controller. I'm sure there is a way for you to say
something like \\anybox\repository. This way security is not scaled
down. No cost for an ftp server? (Linux box w/vsftpd, or win32 with
filezilla ftpd). How expensive is that?
Murad Talukdar wrote:
> Hi All,
> We have had arrival of new scanner/printer/copier in office. It uses SMB to
> scan files to shared folders on our W2003 network. In order for it to work
> however, I have had to do the following;
>
> 1. From Administrative Tools open Domain Controller Security Policy
> 2. Smile
> 3. Select \Security Settings\Local Policies\Security Options folder.
> 4. In the details pane, double-click Microsoft network server: Digitally sign
>    communications (always), and then click Disabled to prevent SMB packet
>    signing from being required.
> 5. Click OK.
> 6. In the details pane, double-click Domain member: Digitally encrypt or sign
>    secure channel data (always), and then click Disabled to prevent secure
>    channel signing from being required.
> 7. Click OK.
>
> Before that, the scan would fail to be sent to the server in question.
> What are the implications of this--given that we do not ostensibly use SMB
> for anything else?
> I've heard scare stories of SMB man in the middle attacks and was under the
> impression that this is what these specific security settings were
> pertaining to but am not sure.
>
> There are other options for the scanning, i.e. ftp/email, but neither would work
> as we cannot get approval for cost of ftp server nor can the email system
> take the file sizes that are often req'd by scans our users make.
>
> I can see there will be advice against having shared user folders etc. on
> DCs too but the big boss wants more from less if you see what I mean.
>
>
> Kind Regards
> Murad Talukdar
--
___________ ___________
__/ V ;
@ Vic Brown |
| supremebeings.org |
@__________________________;
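
Added example, not part of either message: a PowerShell check that reports whether the two policies named in the quoted steps are still enforced on a host, for instance on the DC once the scan share has moved to a separate box. It assumes PowerShell 3.0 or later and that the policies are backed by the standard RequireSecuritySignature (LanmanServer) and RequireSignOrSeal (Netlogon) registry values.

```powershell
# Added example: audit the two signing policies discussed in this thread
# on the local machine. Read-only; it changes nothing.
$checks = @(
    @{
        Policy = 'Microsoft network server: Digitally sign communications (always)'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Name   = 'RequireSecuritySignature'
    },
    @{
        Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name   = 'RequireSignOrSeal'
    }
)

$results = foreach ($c in $checks) {
    $value = $null
    try {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop
        $value = $item.($c.Name)
    } catch {
        # Value absent: nothing set explicitly, so the OS default applies.
    }

    $state = if ($null -eq $value) { 'NotConfigured' }
             elseif ($value -eq 1) { 'Enforced' }
             else                  { 'Disabled' }

    [pscustomobject]@{ Policy = $c.Policy; Value = $value; State = $state }
}

$results | Format-Table -AutoSize -Wrap

# A non-zero exit code lets a scheduled task or monitoring agent flag the host.
if ($results | Where-Object { $_.State -ne 'Enforced' }) {
    Write-Warning 'Signing is not required for at least one policy on this host.'
    exit 1
}
```

Group Policy refresh can rewrite these values, so on a domain controller the result reflects the effective Domain Controller Security Policy rather than a local edit.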