Network World

SMB Signing

One of the most important security provisions in Microsoft's ubiquitous Common Internet File System (CIFS) is Server Message Block (SMB) signing.

SMB signing is a form of packet authentication. After users of a CIFS-based application are authenticated, SMB signing adds a digital signature to each packet transferred between client and server. The signatures verify that the identity of the server matches the credentials expected by the client, and vice versa. By verifying that every packet received comes from an authenticated source, the signature ensures the integrity of all communications.

The hashing algorithm used to create the digital signature adds noticeable computational overhead on both the client and the server. On a high-speed LAN, Microsoft estimates this overhead at 10% to 15%. Because this layer of security is considered unnecessary on the LAN, many organizations disable the SMB signing feature of CIFS to maximize throughput. Alternatively, the server may have SMB signing enabled but not required, meaning any client with SMB signing disabled can still communicate with it.

The situation is different in the WAN, however, where traffic is vulnerable to man-in-the-middle attacks and hijacking. The need for SMB signing with wide-area file services (WAFS) solutions has been heightened recently with the widespread availability of a hacker tool called SmbRelay that automates a man-in-the-middle attack against the SMB protocol.

Signing protects against SMB session hijacking and other tampering by preventing a device on the network path from interposing itself in an established session. SMB signing should therefore be considered a best practice for securing WAFS-based solutions that extend CIFS across the WAN.
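The two mechanics the article describes, the enabled/required negotiation between client and server and the per-packet signature that lets a receiver reject tampered or replayed packets, are illustrated below. This is an added example written for this page, not code from the article or from Microsoft. It uses a simplified message layout and an HMAC-SHA256 keyed by a constructed session key; the real SMB wire format, signing algorithms and policy names differ, and the `negotiate_signing` table reflects the classic Windows signing-policy behaviour (a side set to "required" refuses a peer with signing disabled; otherwise packets are signed only if one side requires it or both have it enabled).

```python
import hashlib
import hmac
import struct

# Signing policy values as the classic Windows settings expose them
# (illustrative names; the real policy names are longer).
DISABLED, ENABLED, REQUIRED = "disabled", "enabled", "required"


def negotiate_signing(server: str, client: str) -> str:
    """Outcome for one server/client policy pair: 'signed', 'unsigned' or 'refused'.

    A side set to 'required' refuses a peer that has signing disabled;
    otherwise signing happens only when at least one side requires it
    or both sides have it enabled. 'enabled' + 'disabled' gives the
    unsigned session the article warns about.
    """
    if REQUIRED in (server, client):
        return "refused" if DISABLED in (server, client) else "signed"
    if server == ENABLED and client == ENABLED:
        return "signed"
    return "unsigned"


# Illustrative message layout (not the SMB wire format): a 12-byte header of
# command id and sequence number, the payload, then a 16-byte MAC.
HEADER = struct.Struct("<IQ")
MAC_LEN = 16


def sign_message(session_key: bytes, command: int, seq: int, payload: bytes) -> bytes:
    """Append a MAC keyed by the session key over header and payload."""
    body = HEADER.pack(command, seq) + payload
    mac = hmac.new(session_key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + mac


def verify_message(session_key: bytes, msg: bytes, expected_seq: int) -> tuple[bool, str]:
    """Check the MAC, then the sequence number; returns (accepted, reason).

    The MAC catches modification by anyone without the session key; the
    sequence number catches a genuine packet being replayed later.
    """
    if len(msg) < HEADER.size + MAC_LEN:
        return False, "truncated"
    body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
    expected = hmac.new(session_key, body, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    _command, seq = HEADER.unpack_from(body)
    if seq != expected_seq:
        return False, "sequence mismatch"
    return True, "ok"


def demo() -> dict:
    """Sign one request and show how a verifier treats the genuine copy,
    a copy altered in transit, and a replayed copy. All values constructed."""
    session_key = b"constructed-session-key-0123456789"
    genuine = sign_message(session_key, command=0x25, seq=1,
                           payload=b"\\\\server\\share\\payroll.xls")
    # Altered in transit: one byte of the path changed by someone without the key.
    tampered = bytearray(genuine)
    tampered[HEADER.size] ^= 0x01
    tampered = bytes(tampered)
    return {
        "genuine": verify_message(session_key, genuine, expected_seq=1),
        "tampered": verify_message(session_key, tampered, expected_seq=1),
        "replayed": verify_message(session_key, genuine, expected_seq=2),
        "unsigned_peer_accepted": negotiate_signing(ENABLED, DISABLED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `unsigned_peer_accepted` entry is the configuration gap the article points at: a server with signing merely enabled still accepts an unsigned session from a client that has it disabled, so none of the per-packet checks above ever run for that session. Setting the server side to "required" is what closes it.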

From Making wide-area file services secure, Network World, 12/04/06.