Configure SMB Signing with Confidence

Published Aug 03 2021 11:26 AM
Microsoft

Heya folks, Ned here again. Many years ago, we made configuring SMB signing in Windows pretty complicated. Then, years later, we made it even more complicated in an attempt to be less complicated. Today I'm here to explain the SMB signing rules once and for all. Probably.

 

Sign me up!

 

What is signing and why do you care

SMB signing means that every SMB message carries a signature computed with the session key; in the SMB 3.1.1 dialect that signature is an AES-based MAC. The client puts a keyed hash of the entire message into the signature field of the SMB2 header. If anyone changes the message later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks, because a relaying attacker never holds the session key. Ideally, you are using Kerberos instead of NTLMv2 so that your session key starts strong; don't connect to shares with IP addresses and don't use CNAME records - Kerberos is here to help!
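Here is what that signature actually is, as an added PowerShell example that is not part of the original post. It builds a 64-byte SMB2 header, signs it the way the SMB 2.0.2/2.1 dialects do (HMAC-SHA256 over the whole message with the Signature field zeroed, first 16 bytes kept, keyed directly with the 16-byte session key), and then shows a one-byte change and a wrong key both failing the check. SMB 3.x swaps in AES-CMAC (and AES-GMAC on the newest dialect) with a derived signing key, but the header layout and the rule are the same. The session key, command and payload are constructed for the demo, not captured traffic.

```powershell
# Added example, not from the original post: SMB 2.0.2/2.1-style message signing
# (HMAC-SHA256, first 16 bytes) and verification, with a tamper and a wrong-key case.
# All inputs below are constructed for the demo.

$SMB2_FLAGS_SIGNED = 0x00000008
$SignatureOffset   = 48     # Signature = last 16 bytes of the 64-byte SMB2 header

function New-Smb2Header {
    param([uint16]$Command, [uint64]$MessageId, [uint64]$SessionId, [uint32]$TreeId)
    $h = New-Object byte[] 64
    $h[0] = 0xFE; [Text.Encoding]::ASCII.GetBytes("SMB").CopyTo($h, 1)     # ProtocolId 0xFE 'S' 'M' 'B'
    [BitConverter]::GetBytes([uint16]64).CopyTo($h, 4)                      # StructureSize
    [BitConverter]::GetBytes([uint16]$Command).CopyTo($h, 12)               # Command
    [BitConverter]::GetBytes([uint32]$SMB2_FLAGS_SIGNED).CopyTo($h, 16)     # Flags: SMB2_FLAGS_SIGNED
    [BitConverter]::GetBytes([uint64]$MessageId).CopyTo($h, 24)             # MessageId
    [BitConverter]::GetBytes([uint32]$TreeId).CopyTo($h, 36)                # TreeId
    [BitConverter]::GetBytes([uint64]$SessionId).CopyTo($h, 40)             # SessionId
    return $h
}

function Get-Smb2Signature {
    # HMAC-SHA256 over the entire message with the Signature field zeroed; keep 16 bytes.
    param([byte[]]$SessionKey, [byte[]]$Message)
    $copy = [byte[]]$Message.Clone()
    for ($i = 0; $i -lt 16; $i++) { $copy[$SignatureOffset + $i] = 0 }
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($SessionKey)
    $mac  = $hmac.ComputeHash($copy)
    $hmac.Dispose()
    return [byte[]]($mac[0..15])
}

function Protect-Smb2Message {
    # Sender side: write the signature into the header.
    param([byte[]]$SessionKey, [byte[]]$Message)
    $signed = [byte[]]$Message.Clone()
    $sig = Get-Smb2Signature $SessionKey $signed
    for ($i = 0; $i -lt 16; $i++) { $signed[$SignatureOffset + $i] = $sig[$i] }
    return $signed
}

function Test-Smb2Signature {
    # Receiver side: recompute and compare in constant time.
    param([byte[]]$SessionKey, [byte[]]$Message)
    $expected = Get-Smb2Signature $SessionKey $Message
    $actual   = [byte[]]($Message[$SignatureOffset..($SignatureOffset + 15)])
    $diff = 0
    for ($i = 0; $i -lt 16; $i++) { $diff = $diff -bor ($expected[$i] -bxor $actual[$i]) }
    return ($diff -eq 0)
}

# Constructed demo: a 16-byte session key (a real one comes out of Kerberos or NTLM)
# and a signed READ request (command 0x0008) carrying a short body.
$sessionKey = [byte[]](1..16)
$body       = [Text.Encoding]::ASCII.GetBytes("READ request payload")
$message    = (New-Smb2Header -Command 0x0008 -MessageId 7 -SessionId 0x1122334455667788 -TreeId 1) + $body
$onWire     = Protect-Smb2Message $sessionKey $message
"Signature : " + [BitConverter]::ToString([byte[]]($onWire[48..63]))
"Verifies  : " + (Test-Smb2Signature $sessionKey $onWire)

# An on-path attacker rewrites one byte of the body (say, the offset being read).
$tampered = [byte[]]$onWire.Clone()
$tampered[70] = $tampered[70] -bxor 0xFF
"Tampered  : " + (Test-Smb2Signature $sessionKey $tampered)

# A relaying attacker never learns the session key, so nothing it produces verifies.
$wrongKey = [byte[]](17..32)
"Wrong key : " + (Test-Smb2Signature $wrongKey $onWire)
```

The three checks come out True, False, False: the receiver rejects anything rewritten in transit, and a party that did not derive the session key from the real authentication cannot produce a valid signature at all, which is exactly the property that shuts down relay.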

 

By default, domain controllers require SMB signing from anyone connecting to them, typically for SYSVOL and NETLOGON to get group policy and those sweet logon scripts. Less well known is that - starting in Windows 10 - UNC Hardening on the client also requires signing when talking to those same two shares, and goes further by requiring Kerberos (it technically requires mutual auth, but for Windows, that means Kerberos).

 

SMB signing first appeared in Windows 2000, NT 4.0, and Windows 98; it's old enough to drink. Signing algorithms have evolved over time: SMB 2.02 signing moved to HMAC-SHA256, replacing the old MD5-based method from the late 1990s that was in SMB1 (may it burn in Hades for all eternity). SMB 3.0 added AES-CMAC. In Windows Server 2022 and Windows 11, we added AES-128-GMAC signing acceleration, so if you're looking for the best performance and protection combo, start planning your upgrades.

 

The confusing bit

This 20+ year evolutionary process brings me to the confusing bit: "requiring" versus "enabling" signing in Windows security policy. We have four settings to control SMB signing, but they behave differently, and mean different things, for SMB2+ than for SMB1.

 

  • Policy: "Microsoft network client: Digitally sign communications (always)"
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
      RequireSecuritySignature = 1 or 0

  • Policy: "Microsoft network client: Digitally sign communications (if server agrees)"
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
      EnableSecuritySignature = 1 or 0

  • Policy: "Microsoft network server: Digitally sign communications (always)"
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
      RequireSecuritySignature = 1 or 0

  • Policy: "Microsoft network server: Digitally sign communications (if client agrees)"
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
      EnableSecuritySignature = 1 or 0

 

Note the key word in each policy name. "Always" means "required" and maps to RequireSecuritySignature. "If ... agrees" means "enabled" and maps to EnableSecuritySignature. If I could go back in time and find out who decided to use synonyms here instead of the actual words, it would be my next stop after buying every share of MSFT I could get my hands on in 1986.

 

These settings live in the classic Security Settings node of computer group policy, which you'll see by launching GPMC.MSC or GPEDIT.MSC.

 

[Screenshot: the four "Digitally sign communications" policies in the Security Settings node of Computer Configuration]

 

With me so far? Cool.

 

Understanding 'Required' 

The "enabled" registry setting for the SMB2+ client and SMB2+ server is ignored. It does nothing at all. It is pointless unless you are using SMB1. SMB2 signing is controlled solely by being required or not, and if either the server or the client requires it, you will sign. Only if they both have RequireSecuritySignature set to 0 will signing not occur. Again, SMB signing is always enabled in SMB2+; the only question is whether it is required.

 

 

                                      Server RequireSecuritySignature=1   Server RequireSecuritySignature=0
Client RequireSecuritySignature=1     Signed                              Signed
Client RequireSecuritySignature=0     Signed                              Not signed
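To put the rule above to use on a real box, here is an added PowerShell example (mine, not from the post and not Microsoft documentation) that reads the four values, sets the two that matter for SMB2+ with the SmbShare cmdlets, and then checks what live connections actually negotiated rather than what the registry says. The share \\fs01.corp.example\data is a hypothetical name to substitute. The server-side property names used with Get-SmbSession are an assumption flagged in the code.

```powershell
# Added example, not from the original post: audit, set, and verify SMB signing.
# Run in an elevated PowerShell. \\fs01.corp.example\data is a hypothetical share.

$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbSigningState {
    # A missing value reads as 0, which is the Windows default everywhere except
    # on domain controllers (server side required).
    $sides = [ordered]@{ Client = $clientKey; Server = $serverKey }
    foreach ($side in $sides.GetEnumerator()) {
        $p = Get-ItemProperty -Path $side.Value -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Side                     = $side.Key
            RequireSecuritySignature = [int]$p.RequireSecuritySignature   # "(always)": the only one SMB2+ honours
            EnableSecuritySignature  = [int]$p.EnableSecuritySignature    # "(if ... agrees)": SMB1 only
        }
    }
}

Get-SmbSigningState | Format-Table -AutoSize

# The same values as the SmbShare module reports them, plus whether SMB1 (the only
# consumer of the Enable values) is still switched on in the server.
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature, EnableSMB1Protocol
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

# Require signing on both sides; same effect as the two "(always)" policies.
# If a domain GPO sets these, the GPO value is re-applied at the next refresh,
# so for domain members make the change in the GPO rather than here.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Verify on the wire rather than in the registry: Get-SmbConnection reports what was
# negotiated with each server. Expect Signed = True on every row.
net use \\fs01.corp.example\data | Out-Null      # hypothetical share
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted

# There is no event for "this session is unsigned", so a pre-enforcement survey is
# a poll of the session tables instead.
function Find-UnsignedSmb {
    # Client side: outbound connections that negotiated neither signing nor encryption.
    Get-SmbConnection | Where-Object { -not $_.Signed -and -not $_.Encrypted } |
        Select-Object ServerName, ShareName, Dialect
    # Server side: inbound sessions. Assumption: Get-SmbSession exposes the same
    # Signed/Encrypted booleans; confirm with Get-SmbSession | Format-List *.
    Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { -not $_.Signed -and -not $_.Encrypted } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}
Find-UnsignedSmb
```

Run Find-UnsignedSmb on a few representative servers and clients for a week before flipping the server-side "(always)" policy domain-wide; whatever shows up there (printers, NAS, appliances) is the list that will break.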

 

Understanding 'Enabled' 

The legacy SMB1 client, which is no longer installed by default in Windows 10 or Windows Server 2019 commercial editions, had a more complex (i.e. bad) behavior based on the naïve idea that clients and servers should sign if they feel like it, but that it was OK not to sign otherwise. That mode is known as "enabled", i.e. "if agrees". Signing is still possible in any case; nothing turns the signing code off. This is not a security model we follow anymore, but everyone was wearing 1-strap undone overalls and baggy windbreakers at this point in the 90s and thinking they looked good. SMB1 also had the "required" setting for those who wanted more strictness, and that overrides the "if I feel like it" behavior, as you'd hope. So we end up with this complex matrix. Again, it only matters for the SMB1 protocol that you are not supposed to be using.

 

 

                                      Server RequireSecuritySignature=1   Server EnableSecuritySignature=1   Server EnableSecuritySignature=0
Client RequireSecuritySignature=1     Signed                              Signed                             Signed
Client EnableSecuritySignature=1      Signed                              Signed                             Not signed
Client EnableSecuritySignature=0      Signed                              Not signed                         Not signed

 

And another thing

The idea that the server should mandate these settings in either case isn't great either; it leads to attacks where someone intercepts the negotiation and says "nah, don't sign, you're fine". Which is why years ago we created pre-authentication integrity protection, UNC Hardening, and added the ability to require signing when mapping drives with NET USE and New-SmbMapping. All of this client-side security requirement is the proper technique, where the client decides it wants security and if it doesn't get it, closes the connection. Requiring Kerberos by disabling the use of NTLM and enabling UNC hardening will make things much more secure. In fact, I have a long article on all of this you should read once, then five times more: 

 

How to Defend Users from Interception Attacks via SMB Client Defense
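What the client-side version looks like in practice, as an added PowerShell example that is not from the post: the two UNC Hardening entries for SYSVOL and NETLOGON written to the HardenedPaths policy key, a helper that tells you which entry covers a given UNC path, and a drive mapping that uses NET USE /REQUIREINTEGRITY so the client, not the server, decides. The DC and file server names are hypothetical, and the path matcher in the helper is a PowerShell -like approximation of the real provider's matching, which the code notes.

```powershell
# Added example, not from the original post: client-side signing requirements.
# (1) UNC Hardening entries for SYSVOL and NETLOGON, so the client refuses those
#     paths unless it gets mutual authentication (Kerberos) and signing;
# (2) a per-mapping requirement with NET USE /REQUIREINTEGRITY, so a mapping to a
#     server that will not sign fails closed instead of quietly going unsigned.
# Run elevated. dc01.corp.example and \\fs01.corp.example\data are hypothetical.

$hardenedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
if (-not (Test-Path $hardenedPaths)) { New-Item -Path $hardenedPaths -Force | Out-Null }

# Value name = UNC pattern (wildcards allowed), value data = the requirement list.
# These two entries are the ones the MS15-011 guidance has you push by policy.
$requirements = 'RequireMutualAuthentication=1, RequireIntegrity=1'
foreach ($pattern in '\\*\SYSVOL', '\\*\NETLOGON') {
    Set-ItemProperty -Path $hardenedPaths -Name $pattern -Value $requirements -Type String
}

function Get-HardenedPathPolicy {
    # Which HardenedPaths entry (if any) covers a given UNC path. Matching here is
    # PowerShell -like, an approximation of the provider's own matcher that is
    # good enough for the SYSVOL/NETLOGON patterns above.
    param([string]$UncPath)
    $entries = Get-ItemProperty -Path $hardenedPaths -ErrorAction SilentlyContinue
    if (-not $entries) { return $null }
    foreach ($name in $entries.PSObject.Properties.Name) {
        if ($name -like '\\*' -and $UncPath -like $name) {
            return [pscustomobject]@{ Pattern = $name; Requirements = $entries.$name }
        }
    }
    return $null
}
Get-HardenedPathPolicy '\\dc01.corp.example\SYSVOL'    # covered by \\*\SYSVOL
Get-HardenedPathPolicy '\\fs01.corp.example\data'      # ordinary share: no entry, nothing enforced here

# For an ordinary share, ask for signing on the mapping itself. If the server
# declines, the client drops the connection rather than falling back.
net use X: \\fs01.corp.example\data /REQUIREINTEGRITY
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Mapping refused: the server would not sign and the client did not fall back."
}
```

The important difference from the server-side policies: nothing here depends on the other end being configured correctly, and nothing an on-path attacker says during negotiation can talk the client out of it. /REQUIREPRIVACY is the same idea for encryption.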

 

The big sum up

If you really, really want to understand SMB signing, the article to read is SMB 2 and SMB 3 security in Windows 10: the anatomy of signing and cryptographic keys by Edgar Olougouna, who works in our dev support org and is a seriously smart man to be trusted in all things SMB. 

 

As for all these weird ideas we had around signing back in the late 90s - I wasn't around for these decisions but it's ok, you can still blame me if you want. At least I never wore the 1-strap overalls.

 


 

Until next time,

 

- Ned "I saw the sign" Pyle

 

30 Comments
Occasional Contributor

Worth mentioning that this can be configured with Intune as well (obviously not the server end) within an "Endpoint protection" configuration policy:

[Screenshot: the Intune Endpoint protection policy settings for SMB signing]

Senior Member
Frequent Contributor

Thank you Ned for the guidance and open words.

 

Please don't forget that Windows Admin Center, in the options at the bottom of the left pane of each server and client, allows you to configure SMB signing, and also to disable or audit SMB1.

Regular Visitor

Will signing mitigation Petit Potam attack?

Microsoft

@Arian van der Pijl yes, there are still performance reductions, signing has a cost. We did introduce a new signing algorithm in WS2022/Windows 11 that increases the performance here significantly https://docs.microsoft.com/windows-server/storage/file-server/smb-security#new-signing-algorithm 

 

@K_Wester-Ebbinghaus great point! I spent a lot of time on that extension and then forgot to mention it 😭😅

 

@dkuzmiankou yes SMB signing (or SMB encryption) is a mitigation https://support.microsoft.com/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-cert... 

 

 

Occasional Contributor

Hello Ned,

 

Thanks a lot for the information about this topic. I did a quick check of Microsoft Baseline Security GPOs for servers and workstations, and it looks like they are already updated with the right settings. Nice !

 

A quick question on another topic. I see you are updating "net" tool on a regular basis with new features - like connecting to Azure file shares.

Do you also backport those updates on newer tools like PS cmdlets, Server Manager, GPP for drive mapping ?

 

Regards,

Microsoft

@Alban1999 Hiya. Thanks :). We do typically make the same features and settings appear in the SmbShare PowerShell module and in Windows Admin Center as applicable. Not Server Manager (which isn't under active development anymore), and I don't believe GPP has active development anymore either. That's a question for them though, I don't own it; I'll see if I can find the owners and ask, it's a good question.

Occasional Contributor

Thanks for the reply. I'm spending a lot of time eradicating those logon scripts to replace them by GPP, I would despair if I had to start recreating them again, 90's style :(

Definitely interested by the response if you manage to get in touch with the corresponding product teams.

Visitor

Is there any logging that can be done (like the NTLMv1 vs v2 usage that can be detected in event logs) to detect unsigned NTLM traffic, so that we can identify (and hopefully remediate) applications before we roll it out?

Microsoft

@SunshineRay nothing jumps out in my mind. I know we're trace logging it but that's not event log logging that can easily be reviewed. Let me dig on this and get back to you, if we don't have it, it might be worth a feature someday.

Senior Member

Hi,

 

Definitely an informative article to many IT pros looking into SMB signing!

 

The Understanding 'Enabled' table is applicable to 'pre-SMB 2.0.2' on 'Windows Vista/WS08 or higher'. For 'pre-SMB 2.0.2' on 'pre-Windows Vista/WS08' the table is a little bit more complex :)

 

Pre-SMB 2.0.2 on pre-"Windows Vista SP1/WS08"

                                       Server - required   Server - enabled, but not required   Server - disabled
Client - required                      Y                   Y                                    -
Client - enabled, but not required     Y *                 Y                                    N **
Client - disabled                      -                   N                                    N

Y = yes
N = no
- = connection failed
** default situation, except for *
* default for SMB traffic towards AD DCs

 

Sorry @Ned Pyle, I know you wanted to keep this article simple and didn't want to mention old, dark ogres from the past, but I thought it was useful to still mention this in a comment ;)

 

BTW, do you have already news about GPP drive mapping (see question from @Alban1999) and NTLM (see question from @SunshineRay)?

 

Thanks again for all the useful SMB related posts!

 

With kind regards,

Padre Pedro from WinDoh

 

Regular Visitor

Hi all!

Is there any MS Event ID for "signing not working"? I want to track whether my clients connect to servers without signing - is that possible?

Microsoft

@dkuzmiankou @SunshineRay Hi - you both had the same question about event log auditing signing occurring or not on server - the answer is no, and I've added this to our roadmap. 

Microsoft

@PadrePedro Howdy :). I don't follow what this means:

 

"The Understanding 'Enabled' table is applicable to 'pre-SMB 2.0.2' on 'Windows Vista/WS08 or higher'. For 'pre-SMB 2.0.2' on 'pre-Windows Vista/WS08' the table is a little bit more complex :)" 

 

You said the same OSes twice.

 

I am working on the GPP issue. We don't implement NTLM but he was asking about signing I think.

 

Senior Member

@Ned Pyle Hi,

 

I haven't said the same OSes twice, although perhaps it seems so at first glance :) The table you've mentioned is definitely correct for older SMB versions ('pre-SMB 2.0.2', as I thought it was valid for SMB 1 and SMB 2.000 (on Vista RTM)), but only on 'Windows Vista/WS08 or higher' (well, actually 'Windows Vista SP1/WS08 or higher' to be more correct).

There is another similar table for the same older SMB versions ('pre-SMB 2.0.2') on Windows versions older than Windows Vista/WS08 (so 'pre-Windows Vista/WS08', or actually to be more precise 'pre-Windows Vista SP1/WS08'): that's the table I've mentioned in my comment (see above). Both tables can also be found at https://docs.microsoft.com/en-us/archive/blogs/josebda/the-basics-of-smb-signing-covering-both-smb1-... yours under 'SMB Signing Effective Behavior', while mine under 'Older SMB1 Signing Behavior'.

Please correct me if I'm wrong.

 

Related to GPP: Alban1999 asked: "Do you also backport those updates on newer tools like PS cmdlets, Server Manager, GPP for drive mapping ?". You answered:

"I don't believe GPP it has active development anymore either. That's a question for them though, I don't own it; I'll see if I can find the owners and ask, it's a good question."

That's why I asked for the state of that question, because I'm interested in the answer as well :)

 

Related to NTLM: yes, I think so too: SunshineRay was probably talking about SMB signing. I was interested as well in knowing if some form of Windows event logging occurs (although I thought this wasn't the case, which seems to be correct according to your last comment).

 

Thanks again for the time you put into clarifying stuff for us!

 

Cheers,

Padre Pedro from WinDoh

 

 

Visitor

Hi All,

 

I was specifically interested in SMB signing. It was highlighted around recent PetitPotam vulnerabilities and we wanted to see if we could enforce SMB signing across the domain with confidence it wouldn't break anything.

 

thanks for the update  @Ned Pyle, we'll just do up the second strap on our overalls and move into the present gently rather than with targeted avoidance. Glad to hear its on the roadmap though.

Microsoft

@PadrePedro Ah, I see what you mean from Jose's old archived post - my article is about Windows 10/later servers. I don't care about XP and Vista, and documenting their unsupported weirdness would be the opposite of an article about clarifying signing behavior where I wanted people to stop asking me to explain signing. :)

 

GPP is being examined but unlikely to be added based on current conversations (it is in maintenance mode, although I'm seeing if I can get an exception). Auditing signing & encryption is being planned for a later date, no ETA I can give. 

 

 

 

 

Senior Member

@Ned Pyle Hi,

I agree :) As I said in my first comment, it's understandable you didn't mention the old behavior as this wasn't the focus of the blog post. I just wanted to mention it for completeness (and to avoid confusion, as many people are still afraid of signing because of the old behavior of possible failed connections).

 

Thanks for putting SMB signing & encryption auditing (i.e. Windows event logging) to the roadmap. This would be awesome for many of us and would definitely lower the bar for some! If 'GPP drive mapping' could get an exception, this would be great as well; thanks for trying to get this done! Mucho apreciado!

 

Ciao!

Padre Pedro from WinDoh

Regular Visitor

@Ned Pyle thanks! No event ID for signing working or not working, on either the server or the client side? Correct?

I have a project to switch to forced packet signing in my corporate network, and before switching all PCs/servers to signing we want to try to find the hosts that can't use signing.

Senior Member

@dkuzmiankou SMB signing has been introduced with SMB 1.0 (I mean the "SMB 1.0" starting from Windows 2000) and has been backported to CIFS on Windows NT 4.0 SP3 and Windows 98. So if you have an inventory of your environment, you can know which systems can support signing and which can't. Normally every Windows system in your environment should be capable of supporting SMB signing, otherwise you have really, really old and/or corrupted systems in da house :)

 

If you're asking if there's a way to find out if SMB signing has been enabled\required (or not) configuration wise you can check with scripts, ConfigMgr\DCM, etc. etc. What and how exactly depends on what precisely you want (for example, do you want overviews/reporting for this?).

 

If you're asking for Windows events warning you of systems where SMB signing has been configured, but failures occur because of corruptions or whatever (including possible signs of tampering), then you should look at Ned and ask him very politely if he can include such thing in the auditing he has put on the roadmap.

 

Padre Pedro, WinDoh

Regular Visitor

@PadrePedro thanks for the answer! But my network has not only Windows file servers - we have Linux file servers, some NAS, etc. Yes, I understand that I will not have any problem with the Windows OS family, but I am trying to find any way to research non-Windows file servers that cannot do packet signing. I hoped that I could analyse Windows client audit logs, but that is not possible. This is bad for me.

Senior Member

@dkuzmiankou Behavior can indeed depend on the specific implementation. I think you have 2 questions:

1) Do you have one or more non-Windows implementations which don't support SMB signing AND will lead to failed connections (because those implementations are coded to do so)? (Here I'm supposing you don't have extremely old Windows versions around, because those can behave with failed connections as well.)

If so, how to identify them?

2) Do you have one or more non-Windows implementations which don't support SMB signing AND will NOT lead to failed connections (but just to SMB connections without signing, so where signing won't be negotiated at the end)?

If so, how to identify them?

 

There is no Windows event logging indicating point 2 situations as far as I know (and according to Ned). If I've understood Ned well this has probably been placed on the roadmap (although I don't know what exactly should be understood under "signing & encryption auditing", so what exactly will be logged when, where, etc.).

 

I think you need to inventorize your (non-Windows) environment and try to do some research, ask on specific forums or open support cases to get help. TBH, I have to do this as well... IMHO The most important part, at least in the beginning, is to avoid point 1 situations, especially for critical connections. So try to prepare this as well as possible and try to test things first if possible (if needed you can try to insert some short test window if your internal procedures allow this).

 

Ciao

Padre Pedro, from WinDoh

 

Occasional Contributor

@PadrePedro I think most IT pros are confident about Windows machines - at least if they are not way too old.

The same old story, however, is every non-Microsoft device out there - Linux, Unix, mainframe, firewalls, appliances, printers etc. etc.

And to audit those is hell. Sometimes, the manufacturer is not even able to respond to your technical queries (if he still exists).

Just like LDAP signing enforcement (or even sometimes SMBv1 deactivation), activating SMB signing enforcement leads most of the time to "everything breaks" followed by "Start RUP plan" (Resume Update Process).

Senior Member

@Alban1999 Yep, I know, I've experienced this myself. Different implementations with different behaviors and supportability, different vendors, different support centers, etc. etc. It's key to build up a phased plan where every step is as safe as possible; and of course to do research and test as much as possible. I know this sounds easy, but in practice it can be a different story.

1 example: MFPs. Different brands, different models, different SMB situations. And then things also depend on the firmware version of those devices. We had to inventorize our MFP environment, update the firmware everywhere (to make everything consistent and up to date anyway, something I was asking for since, well, a very long time, but not everyone understands why this should be done; till now ;-)) and check what the SMB situation is for every model. Sometimes we could use SMB 2/3, but we had 1 model (9 devices) where SMB 1 was the only option left. We plan to disable it anyway, so scan to folder won't be possible anymore soon (admitted, we have a lot of MFPs around, so it's not that bad for us, but I can imagine this isn't always the case elsewhere).

 

Just bear it and try to ease the pain... :(

 

 

Occasional Contributor

Can't really do that on a large scale I think. Actually that would be worth a "How Microsoft IT handle this" post. Have they been able to enforce SMB signing on all their clients and servers ? How ?

 

Anyway, Ned is looking into SMB signing audit and GPP update. Just "looking into" is already very nice of him, considering we got that without a Premier ticket :) Cheers !

Regular Visitor

Hi all! I have a problem with SMB signing and the Xbox Series S. Our developers use an SMB share on the Xbox (devkit) to get logs, copy builds, etc. When we try to enforce SMB signing on developer laptops, they can no longer connect to the Xbox SMB share.

Microsoft

@dkuzmiankou you are developing apps and games for xbox, I presume? You will need to talk to your xbox partner support channel if so, they might not be allowing signing in their (very adulterated) version of Windows or, if they are allowing anonymous access, signing wouldn't be possible 

Occasional Visitor

Hi Ned,

 

Any suggestions for Cluster Shared Volumes on a HyperV Failover Cluster Environment?

When enforcing SMB signing via Group Policy ("Microsoft network client: Digitally sign communications (always)" and "Microsoft network server: Digitally sign communications (always)") the CSVs will be disconnected from the Hyper-V hosts.

 

Thanks,

Joff

Microsoft

@Joffry38 that is totally unexpected, I'd just expect decreased performance (less so in Windows Server 2022). https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encr... and https://docs.microsoft.com/windows-server/storage/file-server/smb-security . I recommend opening an MS Support case with the cluster folks to investigate this.

Occasional Visitor

Hi Ned,

Thanks for this.

Will reach out to MS Support.

3ESigned%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22242%22%3E%3CP%3EClient%20%E2%80%93%20%3CSTRONG%3ERequire%3C%2FSTRONG%3ESecuritySignature%3D0%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22249%22%3E%3CP%3ESigned%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22264%22%3E%3CP%3E%3CEM%3ENot%20Signed%20%3C%2FEM%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1513030451%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hI
d--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%20id%3D%22toc-hId--1513031124%22%3EUnderstanding%20'Enabled'%26nbsp%3B%3C%2FH2%3E%0A%3CP%3EThe%20legacy%20SMB1%20client%20that%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fsmb1rs3%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eis%20no%20longer%20installed%20by%20default%20in%20Windows%2010%20or%20Windows%202019%3C%2FA%3E%20commercial%20editions%20had%20a%20more%20complex%20(i.e.%20bad)%20behavior%20based%20on%20the%20na%C3%AFve%20idea%20that%20clients%20and%20servers%20should%20sign%20%3CEM%3Eif%20they%20feel%20like%20it%3C%2FEM%3E%20but%20that%20it%20was%20ok%20not%20to%20sign%20otherwise%2C%20known%20as%20%22enabled%22%2C%20i.e.%20%22if%20agrees%22.%20Signing%20is%20still%20possible%20in%20any%20case%2C%20nothing%20turns%20the%20signing%20code%20off.%20This%20is%20not%20a%20security%20model%20we%20follow%20anymore%20but%20everyone%20was%20wearing%201-strap%20undone%20overalls%20and%20baggy%20windbreakers%20at%20this%20point%20in%20the%2090s%20and%20thinking%20they%20looked%20good.%20SMB1%20also%20had%20the%20%22required%22%20setting%2C%20for%20those%20who%20wanted%20more%20strictness%2C%20and%20that%20will%20override%20the%20%22if%20I%20feel%20like%20it%22%20behavior%20as%20you'd%20hope.%20So%20we%20end%20up%20with%20this%20complex%20matrix.%20Again%2C%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fstopusingsmb1%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eit%20only%20matters%20for%20the%20SMB1%20protocol%20that%20you%20are%20not%20supposed%20to%20be%20using.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20style%3D%22width%3A%201025px%3B%22%20width%3D%221025%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22245%22%3E%26nbsp%3B%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3EServer%20%E2%80%93%20%3CSTRONG%3ERequire%3C%2FSTRONG%3ESecuritySignature%3D1%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3EServer%20%E2%80%93%20%3CSTRON
G%3EEnable%3C%2FSTRONG%3ESecuritySignature%3D1%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3EServer%20%E2%80%93%20%3CSTRONG%3EEnable%3C%2FSTRONG%3ESecuritySignature%3D0%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22245%22%3E%3CP%3EClient%20%E2%80%93%20%3CSTRONG%3ERequire%3C%2FSTRONG%3ESecuritySignature%3D1%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3ESigned%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3ESigned%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3ESigned%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22245%22%3E%3CP%3EClient%20%E2%80%93%20%3CSTRONG%3EEnable%3C%2FSTRONG%3ESecuritySignature%3D1%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3ESigned%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3ESigned%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3E%3CEM%3ENot%20signed%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22245%22%3E%3CP%3EClient%20%E2%80%93%20%3CSTRONG%3EEnable%3C%2FSTRONG%3ESecuritySignature%3D0%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3ESigned%26nbsp%3B%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3E%3CEM%3ENot%20Signed%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22246%22%3E%3CP%3E%3CEM%3ENot%20Signed%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-974482382%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-974481709%22%20id%3D%22toc-hId-
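To turn the two matrices above into something you can check against a real machine, here is an added PowerShell example (not code from the original post): it encodes the SMB2+ rule (sign if either side requires it) and the SMB1 rule (require on either side wins; otherwise sign only if both sides enable), prints both matrices so they can be compared with the tables, and reads the local settings through Get-SmbServerConfiguration and Get-SmbClientConfiguration. The cmdlets and their RequireSecuritySignature / EnableSecuritySignature properties are real; the function names and the output shape are this example's own.

```powershell
# Added example (not from the original post). Evaluates the effective SMB signing
# outcome for a client/server pair using the two matrices from the article.
#
# SMB2+ rule: Enable* is ignored; signing happens if EITHER side requires it.
# SMB1 rule:  Require on either side forces signing; otherwise signing happens
#             only if BOTH sides have EnableSecuritySignature=1.

function Get-EffectiveSmbSigning {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('SMB1', 'SMB2')][string]$Dialect,
        [Parameter(Mandatory)][bool]$ClientRequire,
        [Parameter(Mandatory)][bool]$ServerRequire,
        [bool]$ClientEnable = $true,   # only consulted for SMB1
        [bool]$ServerEnable = $true    # only consulted for SMB1
    )

    if ($ClientRequire -or $ServerRequire) {
        # In both tables, any Require=1 row or column yields "Signed".
        return 'Signed'
    }

    switch ($Dialect) {
        'SMB2' {
            # Neither side requires it, and Enable* does nothing for SMB2+.
            return 'Not Signed'
        }
        'SMB1' {
            # Legacy "sign if both feel like it" behaviour.
            if ($ClientEnable -and $ServerEnable) { return 'Signed' }
            return 'Not Signed'
        }
    }
}

# Print the 2x2 SMB2+ matrix and the 3x3 SMB1 matrix so the function can be
# eyeballed against the article's tables.
function Show-SigningMatrices {
    Write-Host "SMB2+ (Enable* ignored):"
    foreach ($c in 1, 0) {
        foreach ($s in 1, 0) {
            $r = Get-EffectiveSmbSigning -Dialect SMB2 -ClientRequire ($c -eq 1) -ServerRequire ($s -eq 1)
            Write-Host ("  Client Require={0}  Server Require={1}  -> {2}" -f $c, $s, $r)
        }
    }
    Write-Host "SMB1 (Require=1 / Enable=1 / Enable=0 on each side):"
    # The three (Require, Enable) combinations the article's SMB1 table uses.
    $modes = @(
        @{ Label = 'Require=1'; Require = $true;  Enable = $true  },
        @{ Label = 'Enable=1';  Require = $false; Enable = $true  },
        @{ Label = 'Enable=0';  Require = $false; Enable = $false }
    )
    foreach ($c in $modes) {
        foreach ($s in $modes) {
            $r = Get-EffectiveSmbSigning -Dialect SMB1 `
                    -ClientRequire $c.Require -ServerRequire $s.Require `
                    -ClientEnable $c.Enable -ServerEnable $s.Enable
            Write-Host ("  Client {0,-9}  Server {1,-9}  -> {2}" -f $c.Label, $s.Label, $r)
        }
    }
}

# Audit the local machine: read the live values that the GPO entries above map to.
# Get-SmbServerConfiguration / Get-SmbClientConfiguration and the
# RequireSecuritySignature / EnableSecuritySignature properties come from the
# SmbShare module (Windows 8 / Windows Server 2012 and later).
function Test-LocalSmbSigningPosture {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    [pscustomobject]@{
        ServerRequireSecuritySignature = $srv.RequireSecuritySignature
        ServerEnableSecuritySignature  = $srv.EnableSecuritySignature
        ClientRequireSecuritySignature = $cli.RequireSecuritySignature
        ClientEnableSecuritySignature  = $cli.EnableSecuritySignature
        # What this box would do talking SMB2+ to itself.
        Smb2OutcomeToSelf = Get-EffectiveSmbSigning -Dialect SMB2 `
            -ClientRequire $cli.RequireSecuritySignature `
            -ServerRequire $srv.RequireSecuritySignature
        # A client that does not require signing goes unsigned against any
        # server with RequireSecuritySignature=0; that is the gap the article's
        # "the client decides" advice closes.
        ClientExposedToUnsignedServers = -not $cli.RequireSecuritySignature
    }
}

Show-SigningMatrices
Test-LocalSmbSigningPosture | Format-List
```

Run it in an elevated PowerShell on the client or server you are auditing; ClientExposedToUnsignedServers is the value to drive to False via the client-side "Require" policy.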
And another thing

The idea that the server should mandate these settings in either case isn't great either; it leads to attacks where someone intercepts the negotiation and says "nah, don't sign, you're fine". Which is why years ago we created pre-authentication integrity protection (https://docs.microsoft.com/archive/blogs/openspecification/smb-3-1-1-pre-authentication-integrity-in-windows-10), UNC Hardening (https://msrc-blog.microsoft.com/2015/02/10/ms15-011-ms15-014-hardening-group-policy/), and added the ability to require signing when mapping drives with NET USE and New-SmbMapping. All of this client-side security requirement is the proper technique: the client decides it wants security, and if it doesn't get it, it closes the connection. Requiring Kerberos by disabling the use of NTLM and enabling UNC hardening will make things much more secure. In fact, I have a long article on all of this you should read once, then five times more:

How to Defend Users from Interception Attacks via SMB Client Defense (https://techcommunity.microsoft.com/t5/itops-talk-blog/how-to-defend-users-from-interception-attacks-via-smb-client/ba-p/1494995)

The big sum up

If you really, really want to understand SMB signing, the article to read is SMB 2 and SMB 3 security in Windows 10: the anatomy of signing and cryptographic keys (https://docs.microsoft.com/archive/blogs/openspecification/smb-2-and-smb-3-security-in-windows-10-the-anatomy-of-signing-and-cryptographic-keys) by Edgar Olougouna, who works in our dev support org and is a seriously smart man to be trusted in all things SMB.

As for all these weird ideas we had around signing back in the late 90s - I wasn't around for these decisions but it's ok, you can still blame me if you want. At least I never wore the 1-strap overalls.

[Screenshot: 2021-07-29_19-35-39.jpg]

Until next time,

- Ned "I saw the sign" Pyle

Re: Configure SMB Signing with Confidence

Worth mentioning that this can be configured with Intune as well (obviously not the server end) within an "Endpoint protection" configuration policy:

[Screenshot: pol.PNG]

Re: Configure SMB Signing with Confidence

Is there (still?) any performance hit when enabling any of this?
Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs (https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing)

Re: Configure SMB Signing with Confidence

Thank you Ned for the guidance and open words.

Please don't forget that Windows Admin Center, in the options at the bottom of the left pane of each Server and Client, allows you to configure SMB signing. Also to disable or audit SMB1.

Re: Configure SMB Signing with Confidence

Will signing mitigate the Petit Potam attack?

Re: Configure SMB Signing with Confidence

@Arian van der Pijl yes, there are still performance reductions, signing has a cost. We did introduce a new signing algorithm in WS2022/Windows 11 that increases the performance here significantly: https://docs.microsoft.com/windows-server/storage/file-server/smb-security#new-signing-algorithm

@K_Wester-Ebbinghaus great point! I spent a lot of time on that extension and then forgot to mention it :loudly_crying_face::grinning_face_with_sweat:

@dkuzmiankou yes, SMB signing (or SMB encryption) is a mitigation: https://support.microsoft.com/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

Re: Configure SMB Signing with Confidence

Hello Ned,

Thanks a lot for the information about this topic. I did a quick check of Microsoft Baseline Security GPOs for servers and workstations, and it looks like they are already updated with the right settings. Nice!

A quick question on another topic. I see you are updating the "net" tool on a regular basis with new features - like connecting to Azure file shares.
Do you also backport those updates to newer tools like PS cmdlets, Server Manager, GPP for drive mapping?

Regards,

Re: Configure SMB Signing with Confidence

@Alban1999 Hiya. Thanks :). We do typically make the same features and settings appear in the SmbShare PowerShell module and in Windows Admin Center as applicable. Not Server Manager (which isn't under active development anymore), and I don't believe GPP has active development anymore either. That's a question for them though, I don't own it; I'll see if I can find the owners and ask, it's a good question.

Re: Configure SMB Signing with Confidence

Thanks for the reply. I'm spending a lot of time eradicating those logon scripts to replace them with GPP; I would despair if I had to start recreating them again, 90's style :(
Definitely interested in the response if you manage to get in touch with the corresponding product teams.

Re: Configure SMB Signing with Confidence

Is there any logging that can be done (i.e. like the NTLMv1 vs v2 usage that can be detected in event logs) to detect unsigned NTLM traffic, so that we can identify (and hopefully remediate) applications before we roll it out?

Re: Configure SMB Signing with Confidence

@SunshineRay nothing jumps out in my mind. I know we're trace logging it, but that's not event log logging that can easily be reviewed. Let me dig on this and get back to you; if we don't have it, it might be worth a feature someday.

Re: Configure SMB Signing with Confidence

Hi,

Definitely an informative article to many IT pros looking into SMB signing!

The Understanding 'Enabled' table is applicable to 'pre-SMB 2.0.2' on 'Windows Vista/WS08 or higher'. For 'pre-SMB 2.0.2' on 'pre-Windows Vista/WS08' the table is a little bit more complex :)

Pre-SMB 2.0.2 on pre-"Windows Vista SP1/WS08"   Server - required   Server - enabled, but not required   Server - disabled
Client - required                               Y                   Y                                    -
Client - enabled, but not required              Y *                 Y                                    N **
Client - disabled                               -                   N                                    N

Y = yes
N = no
- : connection failed
** default situation, except for *
* default for SMB traffic towards AD DCs

Sorry @Ned Pyle, I know you wanted to keep this article simple and didn't want to mention old, dark ogres from the past, but I thought it was useful to still mention this in a comment ;)

BTW, do you already have news about GPP drive mapping (see question from @Alban1999) and NTLM (see question from @SunshineRay)?

Thanks again for all the useful SMB related posts!

With kind regards,
Padre Pedro from WinDoh

Re: Configure SMB Signing with Confidence

Hi all!
Is there any MS Event ID for "signing not working"? I want to track when my clients connect to a server without signing - is it possible?

Re: Configure SMB Signing with Confidence

@dkuzmiankou @SunshineRay Hi - you both had the same question about event log auditing of signing occurring or not on the server - the answer is no, and I've added this to our roadmap.

Re: Configure SMB Signing with Confidence

@PadrePedro Howdy :). I don't follow what this means:

"The Understanding 'Enabled' table is applicable to 'pre-SMB 2.0.2' on 'Windows Vista/WS08 or higher'. For 'pre-SMB 2.0.2' on 'pre-Windows Vista/WS08' the table is a little bit more complex :)"

You said the same OSes twice.

I am working on the GPP issue. We don't implement NTLM, but he was asking about signing I think.

Re: Configure SMB Signing with Confidence

@Ned Pyle Hi,

I haven't said the same OSes twice, although perhaps it seems so at first glance :) The table you've mentioned is definitely correct for older SMB versions ('pre-SMB 2.0.2', as I thought it was valid for SMB 1 and SMB 2.000 (on Vista RTM)), but only on 'Windows Vista/WS08 or higher' (well, actually 'Windows Vista SP1/WS08 or higher' to be more correct).
There is another similar table for the same older SMB versions ('pre-SMB 2.0.2') on Windows versions older than Windows Vista/WS08 (so 'pre-Windows Vista/WS08', or actually to be more precise 'pre-Windows Vista SP1/WS08') :( That's the table I've mentioned in my comment (see above). Both tables can also be found at https://docs.microsoft.com/en-us/archive/blogs/josebda/the-basics-of-smb-signing-covering-both-smb1-and-smb2: yours under 'SMB Signing Effective Behavior', while mine is under 'Older SMB1 Signing Behavior'.
Please correct me if I'm wrong.

Related to GPP: Alban1999 asked: "Do you also backport those updates to newer tools like PS cmdlets, Server Manager, GPP for drive mapping?". You answered:
"I don't believe GPP has active development anymore either. That's a question for them though, I don't own it; I'll see if I can find the owners and ask, it's a good question."
That's why I asked for the state of that question, because I'm interested in the answer as well :)

Related to NTLM: yes, I think so too: SunshineRay was probably talking about SMB signing. I was interested as well in knowing if some form of Windows event logging occurs (although I thought this wasn't the case, which seems to be correct according to your last comment).

Thanks again for the time you put into clarifying stuff for us!

Cheers,
Padre Pedro from WinDoh

Re: Configure SMB Signing with Confidence

Hi All,

I was specifically interested in SMB signing. It was highlighted around the recent PetitPotam vulnerabilities, and we wanted to see if we could enforce SMB signing across the domain with confidence it wouldn't break anything.

Thanks for the update @Ned Pyle, we'll just do up the second strap on our overalls and move into the present gently rather than with targeted avoidance. Glad to hear it's on the roadmap though.
P%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2790377%22%20slang%3D%22en-US%22%3ERe%3A%20Configure%20SMB%20Signing%20with%20Confidence%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2790377%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F192462%22%20target%3D%22_blank%22%3E%40PadrePedro%3C%2FA%3E%26nbsp%3BAh%2C%20I%20see%20what%20you%20mean%20from%20Jose's%20old%20archived%20post%20-%20my%20article%20is%20about%20Windows%2010%2Flater%20servers.%20I%20don't%20care%20about%20XP%20and%20Vista%2C%20and%20documenting%20their%20unsupported%20weirdness%20would%20be%20the%20opposite%20of%20an%20article%20about%20clarifying%20signing%20behavior%20where%20I%20wanted%20people%20to%20stop%20asking%20me%20to%20explain%20signing.%20%3A)%3C%2Fimg%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGPP%20is%20being%20examined%20but%20unlikely%20to%20be%20added%20based%20on%20current%20conversations%20(it%20is%20in%20maintenance%20mode%2C%20although%20I'm%20seeing%20if%20I%20can%20get%20an%20exception).%20Auditing%20signing%20%26amp%3B%20encryption%20is%20being%20planned%20for%20a%20later%20date%2C%20no%20ETA%20I%20can%20give.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Last update: Aug 04 2021 11:33 AM