RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers
From: Richard J. Pollock, Jr. (rpollock_at_thecitizensbank.com)
Date: 05/04/05
- Previous message: Murad Talukdar: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- In reply to: Serge Jorgensen: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
- Next in thread: Langston, Fred: "RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers"
To: <focus-ms@securityfocus.com>
Date: Tue, 3 May 2005 20:12:26 -0400
Does this relate in any way to the Samba authentication with Windows
2003 SP1? I'm still having trouble getting my Samba machines authenticating
users. I even installed the latest versions of Samba (14a and 15pre).
Rick
-----Original Message-----
From: Serge Jorgensen [mailto:sjorgensen@usinfosec.com]
Sent: Tuesday, May 03, 2005 3:44 PM
To: Murad Talukdar; focus-ms@securityfocus.com
Subject: RE: To disable SMB packet and secure channel signing enforcement on
Windows Server 2003-based domain controllers
Murad,
Why not just share a folder on the local user's workstation? That
doesn't require the changes on the DC, and you can always sync the
folders back to the DC if you need some backup.
R/
Serge
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Tuesday, May 03, 2005 3:32 AM
To: focus-ms@securityfocus.com
Subject: To disable SMB packet and secure channel signing enforcement on
Windows Server 2003-based domain controllers
Hi All,
We have had the arrival of a new scanner/printer/copier in the office. It uses SMB
to scan files to shared folders on our W2003 network. In order for it to
work, however, I have had to do the following:
1. From Administrative Tools open Domain Controller Security Policy
2. Smile
3. Select \Security Settings\Local Policies\Security Options folder.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), and then click Disabled to prevent secure channel signing from being required.
7. Click OK.
Before that, the scan would fail to be sent to the server in question.
What are the implications of this, given that we do not ostensibly use
SMB for anything else?
I've heard scare stories of SMB man in the middle attacks and was under
the impression that this is what these specific security settings were
pertaining to but am not sure.
There are other options for the scanning, i.e. ftp/email, but neither would
work as we cannot get approval for cost of ftp server nor can the email
system take the file sizes that are often req'd by scans our users make.
I can see there will be advice against having shared user folders etc. on
DCs too, but the big boss wants more from less, if you see what I mean.
Kind Regards
Murad Talukdar
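
An added example, not part of the original thread: a short audit that reads a policy dump produced with `secedit /export /cfg <file>` and reports whether the two "(always)" signing settings named in the steps above are still enforced. The sample export text is constructed for illustration, and the function names are hypothetical.

```python
# Added example: flag the two signing policies from the thread in a
# `secedit /export /cfg` dump. SAMPLE_EXPORT is constructed, not real output.
SIGNING_POLICIES = {
    r"machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature":
        "Microsoft network server: Digitally sign communications (always)",
    r"machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal":
        "Domain member: Digitally encrypt or sign secure channel data (always)",
}

SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

def registry_values(export_text):
    """Return {lowercased key path: value string} from the [Registry Values] section."""
    values, section = {}, None
    for raw in export_text.splitlines():
        line = raw.strip().lstrip("\ufeff")      # tolerate a BOM on the first line
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "registry values" and "=" in line:
            key, _, data = line.partition("=")
            _type, _, value = data.partition(",")  # "4,0" -> type 4 (REG_DWORD), value 0
            values[key.strip().lower()] = value.strip()
    return values

def audit_signing(export_text):
    """Map each policy name to 'required', 'not required' or 'not defined'."""
    found = registry_values(export_text)
    report = {}
    for key, policy in SIGNING_POLICIES.items():
        if key not in found:
            report[policy] = "not defined"
        else:
            report[policy] = "required" if found[key] == "1" else "not required"
    return report

if __name__ == "__main__":
    for policy, state in audit_signing(SAMPLE_EXPORT).items():
        print(f"{state:>13}  {policy}")
```

Key paths are compared case-insensitively because the export may spell `LanManServer` with different casing than other tools do.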