Re: KB916846 Patch for SMB signing on XP and Win2k3




Good answer Brian, and a rather tough needle to thread.

I just felt the need to observe, however, that "SMB signing settings are not designed to prevent communications between machines so doing so in the case of a misconfiguration is not necessary" is not really the case.

Placing a signing requirement is specifically designed to prevent communications when signing is not supported by the other. That is a desirable effect.

Rather, the problem seems to me that the initial implementation of the settings allowed one to prevent signing (compare to where there are choices only of "always" or "if agrees" - but no "never"), which same prevention _might_ fit a rare use case but certainly could/does cause problems and weaken integrity if not also security. It seems the change brings things into alignment with the "always / if possible" model, but regrettably does so by making behaviors not align with the settings' claims (much like the LM/NTLMv1/NTLMv2 setting is handled on DCs).

Roger

"Brian Delaney [MSFT]" <briandel@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:CzwG9TG3GHA.4280@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Gerry,

That is an interesting question and it was actually one that I asked myself when I saw this update was released. There were a number of considerations that came into play in releasing this update.

As you said, to you the old behaviour was correct and this is true. There was no functional problem with the old behaviour. This is the reason that the article mentions the package 916846 as an update and not a hotfix. This package is designed to change the behaviour so that a misconfiguration of these settings will not cause an inability to communicate and force SMB signing to be used in these instances. SMB signing settings are not designed to prevent communications between machines so doing so in the case of a misconfiguration is not necessary.

SMB misconfiguration is a major cause of calls to Microsoft and based on these patterns it was decided to make this change to reduce our customers' support costs.

The files changed when installing this fix will vary slightly depending on OS and SP level but on 2003 SP1 it is mrxsmb.sys and srv.sys that are updated.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
From: "Gerry Hickman" <gerry666uk@xxxxxxxxxxxxxxxx>
Subject: KB916846 Patch for SMB signing on XP and Win2k3
Date: Tue, 19 Sep 2006 16:00:44 +0100
Lines: 37

Hi,

I read this article

http://support.microsoft.com/?kbid=916846

"Server Message Block communication between a client-side SMB component and a server-side SMB component is not completed if the SMB signing settings are mismatched in Group Policy or in the registry"

It's quite long but the only part that seems important is the "interoperability matrix". This is the only place in the article where the change in behaviour is made clear.

However, there only seems to be ONE case where the patched/unpatched behaviour is different? This is the case where

Server, patched, disabled
Client, patched, required

The old behaviour was "No Communication" and the new behaviour is "Signed Packets".

To me, the old behaviour was correct! If you've disabled SMB signing on the server, but the client requires it, then it's requesting something that's impossible??

The other problem with this article is that it doesn't have a list of files that get changed by the patch - maybe none get changed, so what _does_ it change?

Can anyone demystify this article?

--
Gerry Hickman - (London UK)
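
As an added illustration (not from the thread or the KB article), the interoperability case Gerry singles out, modelled in Python: each side's effective mode is derived from the RequireSecuritySignature and EnableSecuritySignature DWORDs under LanmanServer\Parameters and LanmanWorkstation\Parameters, the pre-update rule "required on one side, disabled on the other means no communication" is assumed to apply in both directions, and the update is modelled as changing only the cell the thread names (server disabled, client required). The registry listing is constructed sample input, not captured from a real host.

```python
import re
# Added example: assumes the pre-update "required vs disabled -> no communication"
# rule holds in both directions; the update is modelled only on the thread's one cell.
MODES = ("disabled", "enabled", "required")

def effective_mode(require: int, enable: int) -> str:
    """Collapse the two registry DWORDs into one policy mode."""
    if require:
        return "required"
    return "enabled" if enable else "disabled"

def outcome(server: str, client: str, patched: bool) -> str:
    """'signed', 'unsigned' or 'no communication' for a server/client pair."""
    assert server in MODES and client in MODES
    if patched and server == "disabled" and client == "required":
        return "signed"  # the one cell the thread says KB916846 changes
    if "required" in (server, client):
        return "no communication" if "disabled" in (server, client) else "signed"
    return "signed" if server == client == "enabled" else "unsigned"

# Constructed sample in `reg query` layout (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RequireSecuritySignature    REG_DWORD    0x0
    EnableSecuritySignature     REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    RequireSecuritySignature    REG_DWORD    0x1
    EnableSecuritySignature     REG_DWORD    0x1
"""

def parse_reg(text: str) -> dict:
    """Pull the two signing DWORDs for the server and client keys."""
    result, side = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            side = "server" if "LanmanServer" in line else "client"
            result[side] = {}
        m = re.match(r"\s+(\w+SecuritySignature)\s+REG_DWORD\s+0x([0-9a-f]+)", line, re.I)
        if m and side:
            result[side][m.group(1)] = int(m.group(2), 16)
    return result

def audit(text: str) -> dict:
    """Effective modes plus the outcome before and after the update."""
    modes = {side: effective_mode(v["RequireSecuritySignature"], v["EnableSecuritySignature"])
             for side, v in parse_reg(text).items()}
    srv, cli = modes["server"], modes["client"]
    return {**modes, "unpatched": outcome(srv, cli, False), "patched": outcome(srv, cli, True)}
```

Running `audit(SAMPLE_REG)` on the sample gives a server that is disabled and a client that requires signing: no communication before the update, signed packets after it.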
