http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-s...

Jose Barreto's Blog


A blog by Jose Barreto, a member of the File Server team at Microsoft.

The Basics of SMB Signing (covering both SMB1 and SMB2)


Jose Barreto - MSFT

1 Dec 2010 1:40 PM

SMB Signing Overview


Server Message Block (SMB) is the file protocol most commonly used by Windows. SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and man-in-the-middle attacks.

SMB signing is available in all currently supported versions of Windows, but it's only enabled by default on Domain Controllers. This is recommended for Domain Controllers because SMB is the protocol used by clients to download Group Policy information. SMB signing provides a way to ensure that the client is receiving genuine Group Policy.

SMB signing was introduced in Windows 2000 (at the time it was also ported back to Microsoft Windows NT 4.0 and Microsoft Windows 98). With the introduction of SMB2 in Windows Vista and Windows Server 2008, signing was improved by using a new hashing algorithm (HMAC SHA-256 replaced the old MD5). At that time, the settings were updated to simplify configuration and interoperability (you can find details later in the post). Another important improvement in SMB2 signing is performance. In SMB1, enabling signing significantly decreases performance, especially when going across a WAN. In SMB2, there is almost no measurable degradation in performance, although there is still a higher CPU load.
SMB1 Signing Configuration and Defaults
There are two main ways to configure signing for SMB1 clients and SMB1 servers. The easier one is to set a Group Policy to configure it. This is, for instance, how domain controllers are configured by default to require signing. The other way to do it is using registry settings. On each side (SMB1 client and SMB1 server), SMB1 Signing can be set to be Required, Enabled or Disabled.
Here's a summary of the SMB1 Client signing settings:

Setting    Group Policy Setting                                          Registry Keys
Required   Digitally sign communications (always) = Enabled              RequireSecuritySignature = 1
Enabled*   Digitally sign communications (if server agrees) = Enabled    EnableSecuritySignature = 1, RequireSecuritySignature = 0
Disabled   Digitally sign communications (if server agrees) = Disabled   EnableSecuritySignature = 0, RequireSecuritySignature = 0
Here's a summary of the SMB1 Server signing settings:

Setting       Group Policy Setting                                          Registry Keys
Required***   Digitally sign communications (always) = Enabled              RequireSecuritySignature = 1
Enabled       Digitally sign communications (if client agrees) = Enabled    EnableSecuritySignature = 1, RequireSecuritySignature = 0
Disabled**    Digitally sign communications (if client agrees) = Disabled   EnableSecuritySignature = 0, RequireSecuritySignature = 0

* The default setting for signing on SMB1 Clients is Enabled.
** The default setting for signing on SMB1 Servers is Disabled.
*** The default setting for signing on Domain Controllers (defined via Group Policy) is Required.

The Group Policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Client registry keys are stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters.
Server registry keys are stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters.
All registry keys are of type DWORD.
SMB2 Signing Configuration and Defaults
SMB2 simplified this configuration by having only one setting: whether signing was required or not. This can be
configured via Group Policy or registry setting, on SMB2 clients and SMB2 servers. On each side, signing can be set to be
Required or Not Required.
Here's a summary of the SMB2 client and SMB2 server signing settings:

Setting           Group Policy Setting                                 Registry Key
Required*         Digitally sign communications (always) = Enabled     RequireSecuritySignature = 1
Not Required**    Digitally sign communications (always) = Disabled    RequireSecuritySignature = 0

* The default setting for signing on a Domain Controller (defined via Group Policy) is Required.
** The default setting for signing on SMB2 Servers and SMB2 Clients is Not Required.

The Group Policy setting is found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Client registry key is stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters.
Server registry key is stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters.
All registry keys are of type DWORD.
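The registry values from the SMB1 and SMB2 tables above, read back and translated into the Setting names those tables use. This is an added audit script, not code from the post; it assumes the post's stated defaults when a value is absent (SMB1 client Enabled, SMB1 server Disabled, SMB2 Not Required) and only reports what the registry currently holds, which may have been written by Group Policy.

```powershell
# Added example (not from the original post): audit SMB signing settings on the local host
# by reading the registry values documented above and mapping them to the tables' names.
# Assumes an elevated PowerShell session; absent values fall back to the post's defaults.
function Get-SmbSigningConfig {
    [CmdletBinding()]
    param()

    $paths = @{
        Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    }
    # Default EnableSecuritySignature per role when the value is not present (from the post).
    $enableDefault = @{ Client = 1; Server = 0 }

    foreach ($role in 'Client', 'Server') {
        $path  = $paths[$role]
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

        # An absent RequireSecuritySignature means "not required" for both SMB1 and SMB2.
        $require = if ($null -ne $props.RequireSecuritySignature) { [int]$props.RequireSecuritySignature } else { 0 }
        $enable  = if ($null -ne $props.EnableSecuritySignature)  { [int]$props.EnableSecuritySignature }  else { $enableDefault[$role] }

        # SMB1 has three states; SMB2 collapses them to Required / Not Required.
        $smb1 = if ($require -eq 1) { 'Required' } elseif ($enable -eq 1) { 'Enabled' } else { 'Disabled' }
        $smb2 = if ($require -eq 1) { 'Required' } else { 'Not Required' }

        [PSCustomObject]@{
            Role                     = $role
            RequireSecuritySignature = $require
            EnableSecuritySignature  = $enable
            Smb1Setting              = $smb1
            Smb2Setting              = $smb2
            RegistryPath             = $path
        }
    }
}

# Anything other than 'Required' in Smb2Setting is the non-DC default described in the post.
Get-SmbSigningConfig |
    Format-Table Role, Smb1Setting, Smb2Setting, RequireSecuritySignature, EnableSecuritySignature -AutoSize
```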
SMB Signing Effective Behavior
There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used.
Here's a summary of the effective behavior for SMB2:

                      Server Required    Server Not Required
Client Required       Signed*            Signed
Client Not Required   Signed             Not Signed**

Here's a summary of the effective behavior for SMB1 in current versions of Windows:

                  Server Required    Server Enabled    Server Disabled
Client Required   Signed             Signed            Signed
Client Enabled    Signed*            Signed            Not signed**
Client Disabled   Signed             Not Signed        Not Signed

* Default for Domain Controller SMB traffic.
** Default for all other SMB traffic.
Older SMB1 Signing Behavior
A common source of confusion around SMB1 signing is the fact that older versions of Windows had a different signing behavior. That behavior was changed in 2008 to match the behavior of Windows Server 2008 and Windows Vista as documented at http://support.microsoft.com/kb/950876. Here's a summary of the effective behavior for early versions of Windows Server 2003 and Windows XP (or older):

                      Old Server Required    Old Server Enabled    Old Server Disabled
Old Client Required   Signed                 Signed                Fails to connect
Old Client Enabled    Signed*                Signed                Not signed**
Old Client Disabled   Fails to connect       Not Signed            Not Signed

* Default for Domain Controller SMB1 traffic.
** Default for all other SMB1 traffic.
If you have an old SMB1 server or old SMB1 client, you should have it patched or updated to remove the possibility of
failures to connect in a misconfigured environment.
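The three negotiation tables above (SMB2, current SMB1, and the older SMB1 behavior) encoded as a lookup so a client/server pairing can be checked before a setting is changed. This is an added example, not the post's code; the function name Get-SmbSigningEffective and the dialect labels SMB1 and SMB1Old are my own, and the table contents are copied from the post.

```powershell
# Added example (not from the original post): the post's negotiation tables as a lookup.
# 'SMB1' is the current (post-KB950876) behavior; 'SMB1Old' is the early Windows Server 2003
# / Windows XP behavior in which a Required side facing a Disabled side fails to connect.
function Get-SmbSigningEffective {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('SMB2', 'SMB1', 'SMB1Old')][string]$Dialect,
        [Parameter(Mandatory)][string]$Client,   # 'Required', 'Enabled', 'Disabled' or 'Not Required'
        [Parameter(Mandatory)][string]$Server
    )

    $tables = @{
        SMB2 = @{
            'Required|Required'     = 'Signed'; 'Required|Not Required'     = 'Signed'
            'Not Required|Required' = 'Signed'; 'Not Required|Not Required' = 'Not Signed'
        }
        SMB1 = @{
            'Required|Required' = 'Signed'; 'Required|Enabled' = 'Signed';     'Required|Disabled' = 'Signed'
            'Enabled|Required'  = 'Signed'; 'Enabled|Enabled'  = 'Signed';     'Enabled|Disabled'  = 'Not Signed'
            'Disabled|Required' = 'Signed'; 'Disabled|Enabled' = 'Not Signed'; 'Disabled|Disabled' = 'Not Signed'
        }
        SMB1Old = @{
            'Required|Required' = 'Signed';           'Required|Enabled' = 'Signed';     'Required|Disabled' = 'Fails to connect'
            'Enabled|Required'  = 'Signed';           'Enabled|Enabled'  = 'Signed';     'Enabled|Disabled'  = 'Not Signed'
            'Disabled|Required' = 'Fails to connect'; 'Disabled|Enabled' = 'Not Signed'; 'Disabled|Disabled' = 'Not Signed'
        }
    }

    $key = "$Client|$Server"
    if (-not $tables[$Dialect].ContainsKey($key)) {
        throw "No $Dialect table entry for client '$Client' / server '$Server'"
    }
    [PSCustomObject]@{ Dialect = $Dialect; Client = $Client; Server = $Server; Result = $tables[$Dialect][$key] }
}

# List every SMB1 pairing whose outcome differs between patched and unpatched hosts:
# these are exactly the combinations the post says to patch or update away.
$settings = 'Required', 'Enabled', 'Disabled'
$drift = foreach ($c in $settings) {
    foreach ($s in $settings) {
        $now = (Get-SmbSigningEffective -Dialect SMB1    -Client $c -Server $s).Result
        $old = (Get-SmbSigningEffective -Dialect SMB1Old -Client $c -Server $s).Result
        if ($now -ne $old) { [PSCustomObject]@{ Client = $c; Server = $s; Current = $now; Old = $old } }
    }
}
$drift | Format-Table -AutoSize
```

Running the trailing loop reports the two Required/Disabled pairings, which connect unsigned on current Windows but fail to connect on unpatched hosts.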
Changing the SMB signing behavior
In general, it is recommended that you keep the default SMB signing settings. However, customers sometimes want to reconfigure SMB signing in specific situations. For instance, the customer could have the need to:

- Increase SMB performance in Domain Controllers. It's true that SMB signing will require additional processing for hash calculation, so you could increase a domain controller's SMB performance by disabling the Required setting on Domain Controllers. However, we strongly discourage changing the default, since it will also expose your Group Policy to tampering and man-in-the-middle attacks.
- Allow the use of WAN optimization devices to speed up SMB traffic between branch offices and head office by disabling the Required setting on Domain Controllers. Again, you're trading performance for security. Although these devices could be legitimate, they essentially behave as a broker and would be in the position to relay obsolete group policy settings or even tampered ones (if compromised).
- Increase the security for SMB clients or SMB servers that are not Domain Controllers. By enabling the Required setting on SMB clients or SMB servers, you could force all SMB traffic to be signed. Signing all SMB traffic is not recommended because it will require additional processing (for hash calculation) and will decrease SMB performance.
If you decide that you must change the SMB signing settings, the recommendation is to use the Digitally sign
communications (always) Group Policy setting. If you cannot do it via Group Policy, you could use the
RequireSecuritySignature registry setting.
IMPORTANT: We no longer recommend using Digitally sign communications (if client agrees) or Digitally sign
communications (if server agrees) Group Policy settings. We also no longer recommend using the
EnableSecuritySignature registry settings. These options, which only affect the SMB1 behavior, can be effectively
replaced by the Digitally sign communications (always) Group Policy setting or the RequireSecuritySignature registry
setting.
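The registry route the post recommends when Group Policy is not an option, as an added example (not the post's code): it sets only RequireSecuritySignature and deliberately leaves the legacy EnableSecuritySignature value alone. The function name Set-SmbSigningRequired is my own; it assumes an elevated session, and if a GPO manages this setting the local value is rewritten at the next policy refresh, so the Group Policy route stays preferable where available.

```powershell
# Added example (not from the original post): enforce "Required" through the
# RequireSecuritySignature DWORD the post recommends, previewable with -WhatIf.
function Set-SmbSigningRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Client', 'Server', 'Both')][string]$Role = 'Both'
    )

    $paths = @{
        Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    }
    $roles = if ($Role -eq 'Both') { 'Client', 'Server' } else { @($Role) }

    foreach ($r in $roles) {
        $path    = $paths[$r]
        $current = (Get-ItemProperty -Path $path -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature

        if ($current -eq 1) {
            Write-Verbose "$r already has RequireSecuritySignature = 1"
        }
        elseif ($PSCmdlet.ShouldProcess("$path\RequireSecuritySignature", "Set to 1 (was '$current')")) {
            # DWORD, as the post states; -Force creates the value or overwrites an existing one.
            # EnableSecuritySignature is intentionally not touched (the post says not to use it).
            New-ItemProperty -Path $path -Name RequireSecuritySignature -PropertyType DWord -Value 1 -Force | Out-Null
        }

        # Read back so the caller sees the effective value after the change.
        [PSCustomObject]@{
            Role     = $r
            Previous = $current
            Now      = (Get-ItemProperty -Path $path -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
        }
    }
}

# Preview first, then apply with a verbose trail.
Set-SmbSigningRequired -Role Server -WhatIf
Set-SmbSigningRequired -Role Server -Verbose
```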


References
Here are a few Knowledge Base articles (support) and TechNet articles that provide additional details on SMB signing.
Please be careful interpreting these references, since some of them refer to the older SMB1 behavior.
http://support.microsoft.com/kb/887429 - Overview of Server Message Block signing for older versions of OS
http://support.microsoft.com/kb/916846 - Mismatched SMB signing in Group Policy or in the registry
http://support.microsoft.com/kb/950876 - Windows Server 2003 and Windows XP fix to match Windows Server 2008 or Windows Vista SP1 signing
http://technet.microsoft.com/en-us/library/cc728025.aspx - Group Policy: Microsoft network client: Digitally sign communications (always)
http://technet.microsoft.com/en-us/library/cc785861.aspx - Group Policy: Microsoft network client: Digitally sign communications (if server agrees)
http://technet.microsoft.com/en-us/library/cc786681.aspx - Group Policy: Microsoft network server: Digitally sign communications (always)
http://technet.microsoft.com/en-us/library/cc759474.aspx - Group Policy: Microsoft network server: Digitally sign communications (if client agrees)
http://technet.microsoft.com/en-us/library/cc512612.aspx - How to Shoot Yourself in the Foot with Security, Part 1


Comments
26 Feb 2011 2:22 AM
Anonymous

Introduction The File Server team often talks to customers about file server migration and file server
4 May 2012 12:49 AM
Anonymous

Everything here also applies to Windows 8. These features were first available in the Windows Server
