Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Blogs

Exceptions to the rule - When you may WANT to turn off SMB message signing

  • Comments 10
  • Likes

Being a security guy I see the world in black and white. People are either good or bad. Technical security means are either secure or not. We are either underpaid, or we are in marketing.

No, seriously, nothing is that black and white. Take SMB Message Signing for instance. Obviously it provides some serious security value, if you are subject to man in the middle attacks on your SMB network, have potentially hostile people luring you to go to malicious SMB servers (and haven't patched your systems for a while). Requiring SMB message signing on your clients is an absolute must if you have not installed XP SP2 yet, and you can't block outbound SMB from your network. At the same time, SMB message signing may sink performance into the toilet. When you turn on SMB message signing transfers get serialized. Packet 1 must arrive and be acknowledged before packet 2 gets sent, and so on.

By default, SMB Message Signing is done only between clients and DCs by default. That is fine in most situations. DCs are not very big file servers. Sure, they serve group policy files, but those are tiny in the scheme of things. There are exceptions though, and one the Small Business Server crowd is intimately familar with. SBS servers are DCs, and file servers, and print servers, and application servers, and web servers, and they probably make toast, change your oil, and book complicated airline tickets for you too. If you use an SBS server as a massive file server, you may want to consider turning off SMB message signing. In playing with this tonight I found transfer times on a large (5.5GB) file transfer go from 54 minutes with SMB message signing turned on to 22 minutes without. There are absolutely situations where it is worth turning it off. The SBS community has known this for a while: http://www.smallbizserver.net/Default.aspx?tabid=139.

What is the risk in doing so? Well, you would open yourself up to man-in-the-middle attacks, replayed SMB messages, and a host of other evil - many of which may be as likely in a small business as finding front office personnel that claim they are actually computer experts! Don't get me wrong. SMB message signing is general security goodness. However, if you have to use your DC as a file server, and you have a very low likelihood of having people inside your network use man in the middle tricks, then the mitigation may be worse than the risk. This is just one more situation where one size security does not fit all.

That is the measure of when you should turn off the security - when the mitigation is more painful than the risk you are trying to mitigate.

Comments
  • Interestingly, the execption doesn't prove the rule -- it's disproves it!

  • Would it be possible to monitor for man in the middle attacks if you are in the situation where you need to disable signing?

  • Actually, to be really pedantic, this exception does prove the rule. The original meaning of the word 'prove' was not to determine beyond all doubt, but to test. This old meaning is evident in the phrase 'proving ground'; a place where something is tested.

  • Well, if you are vigilant about EVERYTHING you click on, then I suppose you would be less likely to fall for an SMB reflection attack. Monitoring for standard man in the middle attacks is really hard though. It really would require you to have extremely good control over what traffic and devices are on your network. With all trusted users and 802.1x, on a wireless network, you are in pretty good shape. Beyond that, this is one of those questions I do not think is answered yet.

  • Stupid question alert...

    Has there been a proven intrusion, network takeover, 'owned' box with merely a "man in the middle attack?

    Don't we have a ton of other fun stuff to throw at a network before we get to that one?

  • Well, MITM attacks are kind of boring, because you have to wait until they trigger. However, to answer the question, yes. I have used it during penetration testing. I have also used the SMB reflection attack, but only in testing scenarios. I have heard of real ones where it has been used though. Keep in mind though that the SMB Reflection attack is already broken in XP SP2 and higher.

  • Jesper,

    GREAT article & your articles on SMB Signing are a great resource for explaining what SMB Signing actually IS and ISN'T!  In particular, for customers who might think enabling SMBSigning for everything is a 'good idea' (aka how to shoot your yourself in the foot).

    I'm just wondering if any of the behaviour (i.e. Only SMB Signing for communication to DCs being enabled by default [to protect GPO downloads]) will change with the Vista client(which I believe should launch in November) or with Longhorn server.  From my reading on the current Tech. Preview, the behavior of the Vista client remains the same as with XP.

    It's funny how so many people get freaked out about SMB Signing (and how little they know about it!)

    All the best,

    CG
    Win 2003 MCSE

  • Just to continue the pedantry: most people (including Dan Halford, above) misunderstand the expression, "the exception proves the rule." What this phrase means is that, since an exception exists, there must be a rule. Or, alternately, if there were no rule, no exception would be needed. This meaning goes back a long, long way (see http://alt-usage-english.org/excerpts/fxtheexc.html).

  • Server Message Block communication between a client-side SMB component and a server-side SMB component...

  • PingBack from http://www.keyongtech.com/4182452-optimizing-ntfs-performance

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment