- Product
   - Product Overview Sophisticated security with unmatched simplicity
- Cloud SIEM Pre-configured detections across your environment
- Honeypots Deception technology to detect lateral movement
- Endpoint Visibility Real-time monitoring with added detection & response
- Security Reports Data visualizations, compliance reports, and executive summaries
- Automated Response Detect, prioritize, and neutralize threats around the clock
- Integrations Cloud, on-prem, and open API connections
- XDR Platform A complete view to identify risk, and things operational
 
- Pricing
- Why Blumira
   - Why Blumira The Security Operations platform IT teams love
- Watch A Demo See Blumira in action and how it builds operational resilience
- Use Cases A unified security solution for every challenge
- Pricing Unlimited data and predictable pricing structure
- Company Our human-centered approach to cybersecurity
- Compare Blumira Find out how Blumira stacks up to similar security tools
- Integrations Cloud, on-prem, and open API connections
- Customer Stories Learn how others like you found success with Blumira
 
- Solutions
- Partners
- Resources
Security Guide: How to Enable & Configure SMB Signing for Microsoft Windows
What is SMB?
Server Block Message (SMB) is a protocol that's used for file and print communication within a generally Microsoft-based network. If you are not using SMB signing, then you are at risk for your SMB traffic to be man-in-the-middled. This means that an internal attacker is able to essentially steal all share sessions that are active on your network.
Generally, this occurs in networks that have been upgraded over time or legacy networks that currently have or used to have file servers or processes that did not support SMB signing.
What is SMB Signing?
SMB signing essentially signs each packet with a digital signature so the client and server can confirm where they originated from as well as the authenticity of the call. When SMB signing is enabled, if an attacker attempts to steal an SMB session they would be unable to modify the packets allowing them to steal the session.
It's important to remember that SMB signing is not encryption, SMB is still able to be captured but not replayed in a man-in-the-middle attack. SMB encryption was added in SMB3.0 and can be helpful in situations where you must avoid snooping over the wire, (Microsoft SMB security enhancements).
Enabling SMB Signing via Group Policy
To begin open up Group Policy Management, this can be done either through Server Manager > Tools > Group Policy Management, or by running ‘gpmc.msc’ in PowerShell or Command Prompt. At this point you can either create a new policy for SMB packet signing, or edit an existing policy depending on your needs.
Within the policy navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
There are 4 policy items that can be modified depending on your needs. All of these policy items can either be enabled or disabled. The policies all look like the following image when editing through Group Policy manager, you simply tick to define the policy setting, then choose between enabled or disabled.
SMB Server Packet Signing
The following two policy items apply to SMB server, that is Windows systems that serve out files or printers for instance over SMB to clients witin the network. Keep in mind you'll want to review the age of your printers and if they support SMB Signing.
Recommended: Microsoft network server: Digitally sign communications (always)
This policy option controls whether the server providing SMB requires packet signing, it determines whether or not SMB packet signing must be negotiated before further communication with an SMB client is allowed.
By default this setting is enabled for domain controllers, but disabled for other member servers within the domain. Enabling this will require digitally signed communication over SMB which can break SMB connections if the client does not support SMB signing - they're using very old clients if so.
Recommended: Microsoft network server: Digitally sign communications (if client agrees)
This policy option determines whether the SMB server will negotiate SMB packet signing with clients that request it. With this setting enabled, the SMB server will negotiate SMB packet signing as per the request of the client. If SMB packet signing is enabled on the client then it will be negotiated by the server. By default this policy is only enabled on domain controllers.
SMB Client Packet Signing
The following two policy items apply to SMB clients, generally this would be a Windows machine that connects to an SMB server, like your File Servers.
Microsoft network client: Digitally sign communications (always)
Enabling this policy ensures that the SMB client will always require SMB packet signing. If the server does not agree to support SMB packet signing with the client, the client will not communicate with the server. By default this policy is set to disabled, that is SMB is allowed by default without requiring packet signing. It is still possible for packet signing to be negotiated, it is just not required to operate.
If you enable this GPO, it will always digitally signed SMB, that is to say if the Windows machine attempts to connect to an SMB server which does not support SMB Signing it will fail.
Recommended: Microsoft network client: Digitally sign communications (if server agrees)
This policy is enabled by default, and determines whether the SMB client attempts to negotiate SMB packet signing with the server. If this is instead set to disabled, the client will not attempt to negotiate SMB packet signing at all. More than likely you can leave this as is if you're using newer Windows operating systems.
Once you've configured these settings, you may encounter some performance or compatibility issues. This guide to troubleshooting common SMB signing problems and their solutions may come in handy.
Additional Security Resources
View All Posts 
    
                                     
             
            Customer Success Stories
                        
        
        
              
             5 min read
            
                | October 15, 2025
            
        
        Customer Story: NineStar Connect Cuts Alert Resolution Time in Half with SOC Auto-Focus
Read More 
    
                           
             
            Customer Success Stories
                    
        
        
              
             7 min read
            
                | September 16, 2025
            
        
        Customer Story: MTC Federal Credit Union
Read More 
    
                                     
             
            Security Trends and Info
                        
        
        
              
             9 min read
            
                | July 24, 2025
            
        
        Critical Microsoft SharePoint Server vulnerability allows unauthorized code execution
Read MoreExperience Blumira Today
Tired of fragmented security tools and alert fatigue? Blumira centralizes your security operations, offering deep insights and actionable intelligence to identify and remediate threats before they cause damage. Discover the power of proactive defense.