Re: GPO for trusted root CA certs



With which key is SMB signed?
The key is derived from your authentication information. This key is used
to sign the SMB packets to prevent replay attacks.

With the server's RSA key from its server certificate?
SMB signing is not based on any PKI technologies, no certificates are
required.

Have a look at these articles for more info on CIFS/SMB:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0905.mspx
http://support.microsoft.com/kb/887429

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
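
The reply above, as an added example that is not part of the original posting or Microsoft's code: a keyed-hash model of SMB1 packet signing, showing that only a secret from the authentication exchange is needed and that a replayed packet fails because the sequence number has moved on. It assumes the SMB1 scheme documented in MS-CIFS (MD5 over the MAC key and the message, truncated to 8 bytes), which the post does not spell out; the key material and the message are constructed sample values.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8  # SecuritySignature field in the 32-byte SMB1 header


# First 8 bytes of MD5(mac_key || message), computed with the sequence
# number written into the signature field before hashing.
def _mac(mac_key: bytes, message: bytes, seq: int) -> bytes:
    staged = bytearray(message)
    staged[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<II", seq, 0)
    return hashlib.md5(mac_key + bytes(staged)).digest()[:SIG_LEN]


def sign(mac_key: bytes, message: bytes, seq: int) -> bytes:
    signed = bytearray(message)
    signed[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = _mac(mac_key, message, seq)
    return bytes(signed)


def verify(mac_key: bytes, message: bytes, expected_seq: int) -> bool:
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, _mac(mac_key, message, expected_seq))


def build_message(command: int, payload: bytes) -> bytes:
    # Constructed minimal SMB1-shaped message: 32-byte header plus payload.
    return b"\xffSMB" + bytes([command]) + bytes(27) + payload

# Constructed sample values. In the real protocol both come out of the
# NTLM-style authentication exchange; no certificate is involved.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE_RESPONSE = bytes(range(24))
MAC_KEY = SESSION_KEY + CHALLENGE_RESPONSE


def demo() -> dict:
    msg = sign(MAC_KEY, build_message(0x2E, b"gpt.ini read"), seq=2)
    tampered = msg[:-1] + b"X"
    return {
        "valid": verify(MAC_KEY, msg, expected_seq=2),
        "replayed": verify(MAC_KEY, msg, expected_seq=4),
        "tampered": verify(MAC_KEY, tampered, expected_seq=2),
        "wrong_key": verify(bytes(16) + CHALLENGE_RESPONSE, msg, expected_seq=2),
    }

if __name__ == "__main__":
    print(demo())
```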
--------------------
Date: Fri, 10 Nov 2006 00:05:33 +0100
From: Michael Ströder <michael@xxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.security
Subject: Re: GPO for trusted root CA certs

Brian Delaney [MSFT] wrote:
Michael Ströder wrote:

And how about protection of the network transport of GPO?

Are you referring to the application of a GPO over the network or
modifying?

Application of a GPO over the network.

As far as I know by default all that is done to secure both is
SMB signing is required on Windows Server 2003 SP1 (possibly RTM as well)
and can be set to required on Windows 2000. SMB signing helps to prevent
an SMB session from being hijacked once established.

With which key is SMB signed?
With the server's RSA key from its server certificate?

Ciao, Michael.

