Exceptions to the rule - When you may WANT to turn off SMB message signing

re: Exceptions to the rule - When you may WANT to turn off SMB message signing

Blake Handler — Wed, 23 Nov 2005 08:21:34 GMT

Interestingly, the execption doesn't prove the rule -- it's disproves it!

re: Exceptions to the rule - When you may WANT to turn off SMB message signing

wim — Wed, 23 Nov 2005 10:17:56 GMT

Would it be possible to monitor for man in the middle attacks if you are in the situation where you need to disable signing?

re: Exceptions to the rule - When you may WANT to turn off SMB message signing

Dan Halford — Wed, 23 Nov 2005 23:58:00 GMT

Actually, to be really pedantic, this exception does prove the rule. The original meaning of the word 'prove' was not to determine beyond all doubt, but to test. This old meaning is evident in the phrase 'proving ground'; a place where something is tested.

re: Exceptions to the rule - When you may WANT to turn off SMB message signing

jesper — Wed, 23 Nov 2005 23:58:23 GMT

Well, if you are vigilant about EVERYTHING you click on, then I suppose you would be less likely to fall for an SMB reflection attack. Monitoring for standard man in the middle attacks is really hard though. It really would require you to have extremely good control over what traffic and devices are on your network. With all trusted users and 802.1x, on a wireless network, you are in pretty good shape. Beyond that, this is one of those questions I do not think is answered yet.

re: Exceptions to the rule - When you may WANT to turn off SMB message signing

Susan — Thu, 24 Nov 2005 22:42:40 GMT

Stupid question alert...

Has there been a proven intrusion, network takeover, 'owned' box with merely a "man in the middle attack?

Don't we have a ton of other fun stuff to throw at a network before we get to that one?

re: Exceptions to the rule - When you may WANT to turn off SMB message signing

jesper — Thu, 24 Nov 2005 23:29:06 GMT

Well, MITM attacks are kind of boring, because you have to wait until they trigger. However, to answer the question, yes. I have used it during penetration testing. I have also used the SMB reflection attack, but only in testing scenarios. I have heard of real ones where it has been used though. Keep in mind though that the SMB Reflection attack is already broken in XP SP2 and higher.

re: Exceptions to the rule - When you may WANT to turn off SMB message signing

Chris Gale — Tue, 28 Mar 2006 10:42:33 GMT

Jesper,

GREAT article & your articles on SMB Signing are a great resource for explaining what SMB Signing actually IS and ISN'T! In particular, for customers who might think enabling SMBSigning for everything is a 'good idea' (aka how to shoot your yourself in the foot).

I'm just wondering if any of the behaviour (i.e. Only SMB Signing for communication to DCs being enabled by default [to protect GPO downloads]) will change with the Vista client(which I believe should launch in November) or with Longhorn server. From my reading on the current Tech. Preview, the behavior of the Vista client remains the same as with XP.

It's funny how so many people get freaked out about SMB Signing (and how little they know about it!)

All the best,

CG
Win 2003 MCSE

re: Exceptions to the rule - When you may WANT to turn off SMB message signing

Richard — Mon, 07 Aug 2006 01:30:23 GMT

Just to continue the pedantry: most people (including Dan Halford, above) misunderstand the expression, "the exception proves the rule." What this phrase means is that, since an exception exists, there must be a rule. Or, alternately, if there were no rule, no exception would be needed. This meaning goes back a long, long way (see http://alt-usage-english.org/excerpts/fxtheexc.html).

SMB signing

E-Bitz - SBS MVP the Official Blog of the SBS "Diva" — Thu, 17 Aug 2006 04:52:27 GMT

Server Message Block communication between a client-side SMB component and a server-side SMB component...

Optimizing NTFS Performance | keyongtech

Optimizing NTFS Performance | keyongtech — Thu, 22 Jan 2009 10:05:49 GMT

PingBack from http://www.keyongtech.com/4182452-optimizing-ntfs-performance