SMB Signing and Security

Server Message Block security has two main components: user-level and share-level. The first is for accessing servers, and the second is for accessing files, folders, and printers if share-level authentication has been configured on the server. Most readers of this column already know about these aspects of SMB security, but you may not know about another feature called “SMB signing.” This is a feature that is available in all versions of Windows since NT4. It places a digital signature into each server message block, which is used by both SMB clients and servers to prevent so-called “man-in-the-middle” attacks and guarantee that SMB communications are not altered. SMB signing can be either “enabled” or “required” on both SMB for both client-side and server-side communications. If SMB is enabled on two computers communicating by SMB, then SMB signing will be used. If SMB is required on one of the two computers communicating by SMB, then the connection will only occur if the other computer at least has SMB signing enabled. In order to definitively prevent man-in-the-middle attacks, servers should be set up to require SMB signing, not merely enable it, because an interloper could strip out the signatures of altered packets and they would still be accepted. There has been a lot of discussion over the years about the performance impact of SMB signing; many have reported a 10% reduction in file copy speed and Microsoft says “up to 15%”. There has also been discussion as to whether it’s really necessary, or superfluous considering other existing security measures: some have said that SMB signing is analogous to locking your office door every time you go get a cup of coffee. (Almost nobody has office doors anymore but you get the idea.) Also, SMB signing can interfere with some versions of TCP optimization products. Finally, if you’re using IPsec, the need for SMB signing may be less pressing, although it will still help prevent “inside jobs” (man-in-the-middle attacks from credentialed users). You can set the SMB signing status via Group Policy; it’s under Computer Configuration, Windows Settings, Security Settings, Local Policies, and Security Option. Look for policies named “Microsoft network client: Digitally sign communications.” Read the voluminous “explain” text for these settings to gain a deeper understanding of each one; check out Jesper Johansson’s interesting article on TechNet titled “How to Shoot Yourself in the Foot with Security;” and if you are going to require SMB signing on your network, plan to do some thorough testing to make sure the change doesn’t create performance or compatibility problems.