Re: SMB packet and secure channel signing

My opinion is to turn it off and forget about it. I don't see a security issue to be concerned about with this in a small domain like an SBS. You still will be using a Secure Channel communication, and authentication just as before. This would be like me and you having a telephone conversation, secret password, call-back requirement so you know the number I called from, and then a handshake process that we use to ensure that at the end of each paragraph, we agree to keep talking.

The difference with the addition of SMB Signing is that once all that security and authentication has been applied to establish the communication, SMB Signing puts a tag on each and every network packet to identify, packet by packet, that each packet is genuine. This is like ensuring that during a phone conversation, nobody else on the line utters a word while I'm talking to make you think I said something different from what was actually said. I think it's ridiculous overkill that would be fine with me to use anyway if it didn't cause so many problems and introduce compatibility issues.

Turn it off. This is the advice I give to all who ask me about it, and it's the default condition I recommend to folks doing Swing Migration as how they should set up the server and workstations. Here's a section pasted below that I cut from my own documentation.
1. Open the Active Directory Users and Computers snap-in, as in the previous task.

2. Edit the Default Domain Controllers Policy (located on the Domain Controllers Organizational Unit).

3. Expand out the tree indicated here, and set the policy items that follow below:

   Computer Configuration
     Windows Settings
       Security Settings
         Local Policies
           Security Options

   Microsoft network client: Digitally sign communications (always) = Disabled
   Microsoft network client: Digitally sign communications (if server agrees) = Disabled
   Microsoft network server: Digitally sign communications (always) = Disabled
   Microsoft network server: Digitally sign communications (if client agrees) = Disabled

4. Edit the Default Domain Policy (located on the Domain Object), and now repeat the step just above to configure the same policy items in agreement with what is indicated.

5. Refresh the machine policy now at all connected DCs. At a command prompt, type the command indicated below for the version of Windows running on the server you execute it on:

   - For Windows 2000 servers or workstations:

     secedit /refreshpolicy machine_policy /enforce

   - For Windows 2003 servers or XP workstations:

     gpupdate /target:computer /force
"markus" <mark@xxxxxxxxxx> wrote in message news:%23yaYRnsjFHA.2644@xxxxxxxxxxxxxxxxxxxx...
> I have a client who recently bought a Canon printer / scanner (one of the
> big network models).
> The Canon people are telling me that in order for the scanner portion to
> work, SMB packet and secure channel signing must be turned off......
> (this is set in Group policy-Domain controller -- administrator tools /
> domain controller security policy / MS network server / Digitally sign
> communications - they want this policy turned OFF)
>
> If anyone has any knowledge on this,
> My question is what ramifications this will have to the network as a whole.
> All XP Pro clients
> Remote access via RWW IS used...
>
> This KB article
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 explains what
> this is and some ramifications (look under Security, #4)
>
> (this also seems to be a way to fix the problem with Pre XP clients logging
> onto a W2K3 domain..
> But all I can find about it is basically "Microsoft does not recommend this
> setting" (to turn it off)
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;811497
>
>
> Any of you very knowledgeable people have an opinion about this?
> Not really a big deal?
> DON'T DO IT?
> What sort of ramifications could I expect if we turned it off?
>
> If I turn this off, will remote users doing remote control over RWW and
> using for instance a W98 remote system have any issues (I would think
> not...)
>
> Thanks
>
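As an added example (not part of the post above or the KB articles it cites), here is a PowerShell audit that reads the registry values behind the four "Digitally sign communications" policy items from the procedure and reports, on the host where it runs, whether SMB signing is required, negotiable, or off. It assumes the standard mapping of those policy items to the LanmanWorkstation (client) and LanmanServer (server) registry values; the function name Get-SmbSigningState is invented for this example.

```powershell
# Added example, not from the original post: audit the SMB signing settings that
# the four "Digitally sign communications" policy items control. Each policy item
# is backed by a registry value under LanmanWorkstation (client) or LanmanServer
# (server); this mapping is the standard one for these settings (assumption).
$SmbSigningChecks = @(
    [pscustomobject]@{
        Policy = 'Microsoft network client: Digitally sign communications (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Value  = 'RequireSecuritySignature'
    }
    [pscustomobject]@{
        Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
        Value  = 'EnableSecuritySignature'
    }
    [pscustomobject]@{
        Policy = 'Microsoft network server: Digitally sign communications (always)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Value  = 'RequireSecuritySignature'
    }
    [pscustomobject]@{
        Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
        Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Value  = 'EnableSecuritySignature'
    }
)

function Get-SmbSigningState {
    # Hypothetical helper name chosen for this example. Emits one object per
    # policy item with the raw registry value and a readable state. A missing
    # value means the policy was never applied and the OS default is in effect.
    foreach ($check in $SmbSigningChecks) {
        $prop = Get-ItemProperty -Path $check.Key -Name $check.Value -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $prop) { $prop.($check.Value) } else { $null }
        if ($null -eq $raw) { $state = 'Not set (OS default applies)' }
        elseif ($raw -eq 1) { $state = 'Enabled' }
        else                { $state = 'Disabled' }
        [pscustomobject]@{ Policy = $check.Policy; State = $state; Registry = "$($check.Key)\$($check.Value)" }
    }
}

$results = Get-SmbSigningState
$results | Format-Table Policy, State, Registry -AutoSize -Wrap

# Risk summary: signing is only guaranteed when an "(always)" item is Enabled.
# With both "(always)" items Disabled, as the procedure sets them, a session can
# run unsigned, i.e. without the per-packet genuineness tag the post describes.
$clientRequired = ($results | Where-Object { $_.Policy -like 'Microsoft network client*(always)' }).State -eq 'Enabled'
$serverRequired = ($results | Where-Object { $_.Policy -like 'Microsoft network server*(always)' }).State -eq 'Enabled'
if (-not $clientRequired) { Write-Warning 'SMB client does not require signing; outbound sessions may be unsigned.' }
if (-not $serverRequired) { Write-Warning 'SMB server does not require signing; inbound sessions may be unsigned.' }
```

Run it before and after steps 4 and 5 on a DC and on a workstation to confirm the refreshed policy actually landed, and keep the output as a record of which machines are now negotiating unsigned sessions.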
