A blog by Jose Barreto, a member of the File Server team at Microsoft.
© Copyright 2004-2012 by Jose Barreto. All rights reserved.
SMB Signing Overview
Server Message Block (SMB) is the file protocol most commonly used by Windows. SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Each signed packet carries a message authentication code computed with a key established during authentication, so the recipient can confirm that the packet came from the authenticated peer and was not modified in transit. This security mechanism in the SMB protocol helps prevent tampering with packets and “man in the middle” attacks.
SMB signing is available in all currently supported versions of Windows, but it is only required by default on Domain Controllers. This is recommended for Domain Controllers because SMB is the protocol clients use to download Group Policy from the domain controller. SMB signing gives the client a way to ensure that it is receiving genuine Group Policy rather than a copy altered on the wire.
SMB signing was introduced in Windows 2000 (at the time it was also ported back to Microsoft Windows NT 4.0 and Microsoft Windows 98). With the introduction of SMB2 in Windows Vista and Windows Server 2008, signing was improved by using a new algorithm (keyed HMAC-SHA256 replaced the MD5-based signature used by SMB1). At that time, the settings were updated to simplify configuration and interoperability (you can find details later in the post). Another important improvement in SMB2 signing is performance. In SMB1, enabling signing significantly decreases performance, especially across a WAN. In SMB2, there is almost no measurable degradation in throughput, although signing still adds CPU load on both the client and the server.
SMB1 Signing Configuration and Defaults
There are two main ways to configure signing for SMB1 clients and SMB1 servers. The easier one is to set a Group Policy to configure it. This is, for instance, how domain controllers are configured by default to require signing. The other way to do it is using registry settings. On each side (SMB1 client and SMB1 server), SMB1 Signing can be set to “Required”, “Enabled” or “Disabled”.
Here’s a summary of the SMB1 Client signing settings:
Here’s a summary of SMB1 Server signing settings:
* The default setting for signing on SMB1 Clients is “Enabled”.
** The default setting for signing on SMB1 Servers is “Disabled”.
*** The default setting for signing on Domain Controllers (defined via Group Policy) is “Required”.
The Group Policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, as the “Microsoft network client:” and “Microsoft network server:” entries for digitally signing communications. Client registry values are stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters. Server registry values are stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters. All of these registry values are of type DWORD.
SMB2 Signing Configuration and Defaults
SMB2 simplified this configuration by having only one setting: whether signing is required or not. This can be configured via Group Policy or registry setting, on SMB2 clients and SMB2 servers. On each side, signing can be set to “Required” or “Not Required”; there is no separate “Enabled” state as in SMB1.
Here’s a summary of the SMB2 client and SMB2 server signing settings:
* The default setting for signing on a Domain Controller (defined via Group Policy) is “Required”.
** The default setting for signing on SMB2 Servers and SMB2 Clients is “Not Required”.
The Group Policy setting is found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (the “Digitally sign communications (always)” entries for the Microsoft network client and the Microsoft network server). The client registry value is stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters. The server registry value is stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters. Both registry values are of type DWORD.
SMB Signing Effective Behavior
There is a negotiation between the SMB client and the SMB server, during the protocol negotiation at the start of the connection, to decide whether signing will effectively be used. The outcome depends on the combination of the client setting and the server setting, not on either one alone.
Here’s a summary of the effective behavior for SMB2:
Here’s a summary of the effective behavior for SMB1 in current versions of Windows:
* Default for Domain Controller SMB traffic.
** Default for all other SMB traffic.
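The SMB2 negotiation described above, modeled in Python as an added example (this is not code from the original post). It uses the SecurityMode flags that MS-SMB2 defines for the NEGOTIATE request and response, derives each side's flags from its RequireSecuritySignature value, and enumerates the effective outcome for every combination. The NEGOTIATE message prefixes are constructed here and carry only the fields the example reads; the SMB1 three-state settings (“Required”, “Enabled”, “Disabled”) are not modeled.

```python
import struct

# SMB2 NEGOTIATE SecurityMode flags (MS-SMB2 sections 2.2.3 and 2.2.4).
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001   # always advertised by Windows SMB2 peers
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002  # advertised when RequireSecuritySignature = 1

SMB2_DIALECT_210 = 0x0210  # SMB 2.1 (Windows 7 / Windows Server 2008 R2)


def security_mode(require_security_signature):
    """Map the RequireSecuritySignature DWORD (0 or 1) to the SecurityMode a
    Windows SMB2 client or server places in its NEGOTIATE message."""
    mode = SMB2_NEGOTIATE_SIGNING_ENABLED
    if require_security_signature:
        mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED
    return mode


def build_negotiate_request(client_mode):
    """Constructed NEGOTIATE request body prefix:
    StructureSize(2) DialectCount(2) SecurityMode(2) Reserved(2) ..."""
    return struct.pack("<HHHH", 36, 1, client_mode, 0)


def build_negotiate_response(server_mode):
    """Constructed NEGOTIATE response body prefix:
    StructureSize(2) SecurityMode(2) DialectRevision(2) ..."""
    return struct.pack("<HHH", 65, server_mode, SMB2_DIALECT_210)


def request_security_mode(body):
    """Read SecurityMode from a NEGOTIATE request body (offset 4)."""
    return struct.unpack_from("<H", body, 4)[0]


def response_security_mode(body):
    """Read SecurityMode from a NEGOTIATE response body (offset 2)."""
    return struct.unpack_from("<H", body, 2)[0]


def session_is_signed(client_mode, server_mode):
    """SMB2 rule: signing is in effect if either side advertises
    SIGNING_REQUIRED; the SIGNING_ENABLED bit alone never turns it on."""
    return bool((client_mode | server_mode) & SMB2_NEGOTIATE_SIGNING_REQUIRED)


def effective_behavior():
    """Return {(client_requires, server_requires): 'Signed' | 'Not signed'}
    for every combination of the two RequireSecuritySignature values,
    by building both NEGOTIATE messages and reading the flags back."""
    table = {}
    for client_requires in (1, 0):
        for server_requires in (1, 0):
            req = build_negotiate_request(security_mode(client_requires))
            resp = build_negotiate_response(security_mode(server_requires))
            signed = session_is_signed(request_security_mode(req),
                                       response_security_mode(resp))
            table[(client_requires, server_requires)] = "Signed" if signed else "Not signed"
    return table


if __name__ == "__main__":
    for (c, s), result in effective_behavior().items():
        print(f"client RequireSecuritySignature={c}  "
              f"server RequireSecuritySignature={s}  -> {result}")
```

Because the rule is a logical OR, a domain controller (server value 1 by default) signs all of its SMB2 traffic no matter how the client is configured, while a member server and a client that both keep the default value 0 exchange unsigned traffic. That is also why the post recommends changing only the “always” (required) setting: it is the only one that can change the outcome of this negotiation.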
Older SMB1 Signing Behavior
A common source of confusion around SMB1 signing is the fact that older versions of Windows had a different signing behavior. That behavior was changed in 2008 to match the behavior of Windows Server 2008 and Windows Vista as documented at http://support.microsoft.com/kb/950876. Here’s a summary of the effective behavior for early versions of Windows Server 2003 and Windows XP (or older):
* Default for Domain Controller SMB1 traffic.
** Default for all other SMB1 traffic.
If you have an old SMB1 server or an old SMB1 client, patch or update it so that a mismatch between the two sides' signing settings cannot cause connection failures in a misconfigured environment.
Changing the SMB signing behavior
In general, it is recommended that you keep the default SMB signing settings. However, customers sometimes want to reconfigure SMB signing in specific situations. For instance, the customer could have the need to:
If you decide that you must change the SMB signing settings, the recommendation is to use the “Digitally sign communications (always)” Group Policy setting. If you cannot do it via Group Policy, you could use the “RequireSecuritySignature” registry setting.
IMPORTANT: We no longer recommend using “Digitally sign communications (if client agrees)” or “Digitally sign communications (if server agrees)” Group Policy settings. We also no longer recommend using the “EnableSecuritySignature” registry settings. These options, which only affect the SMB1 behavior, can be effectively replaced by the “Digitally sign communications (always)” Group Policy setting or the “RequireSecuritySignature” registry setting.
Here are a few Knowledge Base articles (support) and TechNet articles that provide additional details on SMB signing. Please be careful interpreting these references, since some of them refer to the older SMB1 behavior.
P.S.: A quick note on SMB3
While there are changes in the cryptography used for signing in SMB3 (SMB3 uses AES-CMAC for signing instead of the HMAC-SHA256 used in SMB2), the configuration settings and the effective SMB2 behavior described in this blog also apply to SMB3.
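To show what the signature actually protects, here is an added Python example (not code from the original post) that computes and verifies an SMB2 signature the way MS-SMB2 specifies for dialects 2.0.2 and 2.1: HMAC-SHA256 over the whole message with the 16-byte Signature field zeroed, truncated to 16 bytes and stored back in that field. The header, request body and session key are constructed for the demo; a real session key comes from the authentication exchange. The SMB3 AES-CMAC variant uses the same zeroed-field construction with a derived key and is not implemented here.

```python
import hashlib
import hmac
import struct

SMB2_HEADER_LEN = 64
SMB2_FLAGS_OFFSET = 16          # Flags field within the header
SMB2_SIGNATURE_OFFSET = 48      # Signature field: bytes 48..63 of the header
SMB2_FLAGS_SIGNED = 0x00000008  # set on every signed message
SMB2_CREATE = 0x0005


def build_smb2_header(command, message_id, session_id, tree_id=1):
    """Constructed 64-byte SMB2 header (layout per MS-SMB2 2.2.1);
    fields not needed for the demo are zero."""
    return struct.pack(
        "<4sHHIHHIIQIIQ16s",
        b"\xfeSMB",      # ProtocolId
        64,              # StructureSize
        0,               # CreditCharge
        0,               # Status
        command,         # Command
        1,               # CreditRequest
        0,               # Flags (SIGNED is set by smb2_sign)
        0,               # NextCommand
        message_id,      # MessageId
        0,               # Reserved
        tree_id,         # TreeId
        session_id,      # SessionId
        b"\x00" * 16,    # Signature, zero until signed
    )


def smb2_sign(signing_key, message):
    """Sign one SMB2 message: set FLAGS_SIGNED, zero the Signature field,
    HMAC-SHA256 the whole message and store the first 16 bytes of the MAC."""
    msg = bytearray(message)
    flags = struct.unpack_from("<I", msg, SMB2_FLAGS_OFFSET)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", msg, SMB2_FLAGS_OFFSET, flags)
    msg[SMB2_SIGNATURE_OFFSET:SMB2_SIGNATURE_OFFSET + 16] = b"\x00" * 16
    mac = hmac.new(signing_key, bytes(msg), hashlib.sha256).digest()[:16]
    msg[SMB2_SIGNATURE_OFFSET:SMB2_SIGNATURE_OFFSET + 16] = mac
    return bytes(msg)


def smb2_verify(signing_key, message):
    """Return True only for a well-formed message that carries FLAGS_SIGNED and
    a matching MAC. An unsigned message is rejected outright, which is what
    stops a man in the middle from simply stripping the signature."""
    message = bytes(message)
    if len(message) < SMB2_HEADER_LEN or message[:4] != b"\xfeSMB":
        return False
    if not struct.unpack_from("<I", message, SMB2_FLAGS_OFFSET)[0] & SMB2_FLAGS_SIGNED:
        return False
    received = message[SMB2_SIGNATURE_OFFSET:SMB2_SIGNATURE_OFFSET + 16]
    zeroed = (message[:SMB2_SIGNATURE_OFFSET] + b"\x00" * 16
              + message[SMB2_SIGNATURE_OFFSET + 16:])
    expected = hmac.new(signing_key, zeroed, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(received, expected)  # constant-time comparison


def demo():
    """Sign a constructed CREATE request, then verify the genuine message, a
    copy altered in transit, and a copy with the signature stripped.
    Returns (genuine_ok, tampered_ok, stripped_ok)."""
    session_key = bytes(range(16))  # constructed; real keys come from authentication
    header = build_smb2_header(SMB2_CREATE, message_id=7, session_id=0x1122334455667788)
    body = struct.pack("<H", 57) + b"\x00" * 55   # constructed stand-in for a CREATE body
    signed = smb2_sign(session_key, header + body)

    tampered = bytearray(signed)
    tampered[SMB2_HEADER_LEN + 8] ^= 0x01          # flip one bit in the body

    stripped = bytearray(signed)                    # attacker clears the flag and MAC
    struct.pack_into("<I", stripped, SMB2_FLAGS_OFFSET, 0)
    stripped[SMB2_SIGNATURE_OFFSET:SMB2_SIGNATURE_OFFSET + 16] = b"\x00" * 16

    return (smb2_verify(session_key, signed),
            smb2_verify(session_key, tampered),
            smb2_verify(session_key, stripped))


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The three outcomes are the whole point of the feature: only the untouched message passes, a single flipped bit in the payload fails the MAC, and removing the signature is not an option for an attacker because a peer that has signing in effect treats an unsigned message as invalid rather than falling back to unsigned traffic.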