Server Message Block (SMB) is a protocol used for file and print communication, generally within a Microsoft-based network. If you are not using SMB signing, your SMB traffic is at risk of being man-in-the-middled, which means an internal attacker is able to essentially steal any share session that is active on your network.
Generally this occurs in networks that have been upgraded over time, or in legacy networks that have (or once had) file servers or processes that did not support SMB signing.
SMB signing essentially signs each packet with a digital signature, so the client and server can confirm where it originated from as well as the authenticity of the call. When SMB signing is enabled, an attacker who attempts to steal an SMB session is unable to modify the packets, which is what would otherwise allow them to take over the session.
It’s important to remember that SMB signing is not encryption: SMB traffic can still be captured, but it cannot be replayed in a man-in-the-middle attack. SMB encryption was added in SMB 3.0 and can be helpful in situations where you must avoid snooping over the wire (see Microsoft’s SMB security enhancements).
To begin, open Group Policy Management. This can be done either through Server Manager > Tools > Group Policy Management, or by running ‘gpmc.msc’ in PowerShell or Command Prompt. At this point you can either create a new policy for SMB packet signing or edit an existing policy, depending on your needs.
Within the policy navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
There are four policy items that can be modified depending on your needs, and each of them can be either enabled or disabled. When editing through Group Policy Management, all of these policy items look like the following image: you simply tick to define the policy setting, then choose between Enabled and Disabled.
The following two policy items apply to the SMB server, that is, Windows systems that serve out files or printers over SMB to clients within the network. Keep in mind you’ll want to review the age of your printers and whether they support SMB signing.
Recommended: Microsoft network server: Digitally sign communications (always)
This policy option controls whether the server providing SMB requires packet signing: it determines whether SMB packet signing must be negotiated before further communication with an SMB client is allowed.
By default this setting is enabled for domain controllers but disabled for other member servers within the domain. Enabling it will require digitally signed communication over SMB, which can break SMB connections if the client does not support SMB signing (they’re using very old clients if so).
Recommended: Microsoft network server: Digitally sign communications (if client agrees)
This policy option determines whether the SMB server will negotiate SMB packet signing with clients that request it. With this setting enabled, the SMB server negotiates SMB packet signing at the client’s request: if SMB packet signing is enabled on the client, the server will negotiate it. By default this policy is only enabled on domain controllers.
The following two policy items apply to SMB clients; generally this would be a Windows machine that connects to an SMB server, such as your file servers.
Microsoft network client: Digitally sign communications (always)
Enabling this policy ensures that the SMB client will always require SMB packet signing. If the server does not agree to support SMB packet signing with the client, the client will not communicate with the server. By default this policy is set to Disabled, that is, SMB is allowed without requiring packet signing. Packet signing can still be negotiated; it is just not required to operate.
If you enable this GPO, SMB will always be digitally signed; that is to say, if the Windows machine attempts to connect to an SMB server that does not support SMB signing, the connection will fail.
Recommended: Microsoft network client: Digitally sign communications (if server agrees)
This policy is enabled by default and determines whether the SMB client attempts to negotiate SMB packet signing with the server. If it is instead set to Disabled, the client will not attempt to negotiate SMB packet signing at all. More than likely you can leave this as is if you’re using newer Windows operating systems.
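To verify what the four policy items above actually resulted in on a given machine, here is an added PowerShell audit script (not part of the original article). It assumes the standard mapping of the GPO items to the LanmanServer (server-side) and LanmanWorkstation (client-side) registry values, and flags any item the article recommends enabling that is not currently Enabled.

```powershell
# Added example, not from the original article. Run locally on the server or
# client being checked; elevated rights are only needed if the keys are not readable.
# Assumed mapping: LanmanServer = "Microsoft network server" items,
# LanmanWorkstation = "Microsoft network client" items.
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# Recommended = $true marks the items the article labels "Recommended".
$checks = @(
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)';
       Key = $server; Name = 'RequireSecuritySignature'; Recommended = $true },
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)';
       Key = $server; Name = 'EnableSecuritySignature';  Recommended = $true },
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)';
       Key = $client; Name = 'RequireSecuritySignature'; Recommended = $false },
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)';
       Key = $client; Name = 'EnableSecuritySignature';  Recommended = $true }
)

foreach ($c in $checks) {
    # A missing value means no policy has written it and the OS default applies
    # (disabled for the "always" items on member servers and clients, per the text).
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item)              { $state = 'not configured' }
    elseif ($item.($c.Name) -eq 1)    { $state = 'Enabled' }
    else                              { $state = 'Disabled' }

    $flag = if ($c.Recommended -and $state -ne 'Enabled') { 'REVIEW' } else { 'ok' }
    '{0,-7} {1,-16} {2}' -f $flag, $state, $c.Policy
}

# Cross-check against the effective SMB configuration (Windows 8 / Server 2012 and later):
# RequireSecuritySignature is the "(always)" item, EnableSecuritySignature the "(if ... agrees)" item.
Get-SmbServerConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
```

Run it after a `gpupdate /force` on a test machine so the output reflects the policy you just edited rather than the previous state.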