SMB signing (also known as security signatures) is a security mechanism in the SMB protocol. SMB signing means that every SMB message contains a signature that is generated by using the session key. The client puts a hash of the entire message into the signature field of the SMB header.
SMB signing first appeared in Microsoft Windows 2000, Microsoft Windows NT 4.0, and Microsoft Windows 98. Signing algorithms have evolved over time. SMB 2.02 signing was improved by the introduction of hash-based message authentication code (HMAC) SHA-256, replacing the old MD5 method from the late 1990s that was used in SMB1. SMB 3.0 added AES-CMAC algorithms. In Windows Server 2022 and Windows 11, we added AES-128-GMAC signing acceleration. If you want the best performance and protection combination, consider upgrading to the latest Windows versions.
How SMB signing protects the connection
If someone changes a message during transmission, the hash won’t match, and SMB will know that someone tampered with the data. The signature also confirms the sender’s and receiver’s identities, which prevents relay attacks. Ideally, you are using Kerberos instead of NTLMv2 so that your session key starts strong. Don’t connect to shares by using IP addresses and don’t use CNAME records, or you will fall back to NTLM instead of Kerberos. See Using Computer Name Aliases in place of DNS CNAME Records for more information.
Policy locations for SMB signing
The policies for SMB signing are located in Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Microsoft network client: Digitally sign communications (always)
  Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
  Registry value: RequireSecuritySignature
  Data Type: REG_DWORD
  Data: 0 (disable), 1 (enable)
- Microsoft network client: Digitally sign communications (if server agrees)
  Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
  Registry value: EnableSecuritySignature
  Data Type: REG_DWORD
  Data: 0 (disable), 1 (enable)
- Microsoft network server: Digitally sign communications (always)
  Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
  Registry value: RequireSecuritySignature
  Data Type: REG_DWORD
  Data: 0 (disable), 1 (enable)
- Microsoft network server: Digitally sign communications (if client agrees)
  Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
  Registry value: EnableSecuritySignature
  Data Type: REG_DWORD
  Data: 0 (disable), 1 (enable)
Note: In these policies, “always” indicates that SMB signing is required, and “if server agrees” or “if client agrees” indicates that SMB signing is enabled.
Understanding “RequireSecuritySignature” and “EnableSecuritySignature”
The EnableSecuritySignature registry setting for the SMB2+ client and SMB2+ server is ignored. Therefore, this setting does nothing unless you’re using SMB1. SMB 2.02 and later signing is controlled solely by RequireSecuritySignature: signing is used whenever either the server or the client requires it. Only if both sides have RequireSecuritySignature set to 0 will signing not occur.
| – | Server – RequireSecuritySignature=1 | Server – RequireSecuritySignature=0 |
|---|---|---|
| Client – RequireSecuritySignature=1 | Signed | Signed |
| Client – RequireSecuritySignature=0 | Signed | Not signed |
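The following PowerShell script is an added example, not part of the original article: it reads the four registry values listed in the policy section and applies the SMB2+ matrix above to flag the cases where an unsigned session is still possible. It assumes an elevated PowerShell session on Windows and treats a registry value that is absent as 0 (the real default depends on the machine's role, so confirm it with Get-SmbClientConfiguration / Get-SmbServerConfiguration).

```powershell
# Added example (not from the original article): audit the SMB signing registry
# values the article lists and evaluate its SMB 2.02+ signing matrix.
# Assumption: an absent value is reported as 0 here; actual defaults vary by role.

$paths = @{
    Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # value not set; see assumption above
    return [int]$item.$Name
}

function Get-SmbSigningAudit {
    foreach ($role in $paths.Keys) {
        [pscustomobject]@{
            Role                     = $role
            RequireSecuritySignature = Get-SmbSigningValue -Path $paths[$role] -Name 'RequireSecuritySignature'
            EnableSecuritySignature  = Get-SmbSigningValue -Path $paths[$role] -Name 'EnableSecuritySignature'  # SMB1 only
        }
    }
}

# SMB 2.02+ matrix from the article: the session is signed unless BOTH sides have
# RequireSecuritySignature=0. EnableSecuritySignature plays no part for SMB2+.
function Test-Smb2SessionSigned {
    param([int]$ClientRequire, [int]$ServerRequire)
    return (($ClientRequire -ne 0) -or ($ServerRequire -ne 0))
}

$audit = Get-SmbSigningAudit
$audit | Format-Table -AutoSize

$local = @{}
foreach ($r in $audit) { $local[$r.Role] = $r.RequireSecuritySignature }

# Worst case for this client: a peer server that does not require signing.
if (-not (Test-Smb2SessionSigned -ClientRequire $local.Client -ServerRequire 0)) {
    Write-Warning 'SMB2+ traffic from this client to a server with RequireSecuritySignature=0 would be unsigned.'
    Write-Warning 'Remediation: Set-SmbClientConfiguration -RequireSecuritySignature $true'
}
# Worst case for this server: a peer client that does not require signing.
if (-not (Test-Smb2SessionSigned -ClientRequire 0 -ServerRequire $local.Server)) {
    Write-Warning 'SMB2+ sessions from a client with RequireSecuritySignature=0 to this server would be unsigned.'
    Write-Warning 'Remediation: Set-SmbServerConfiguration -RequireSecuritySignature $true'
}
```

The Set-Smb*Configuration commands in the warnings correspond to the two “always” policies above; apply them through Group Policy where you manage signing centrally.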
Ref: https://www.itprotoday.com/security/how-do-i-enable-smb-signing