Re: SMB packet and secure channel signing




Because I've seen the posts in the newsgroups from folks that screw it up [don't ask me how they do it...but they do...you would think that it would be quite easy to whack off everything...but somehow....]

It's the blanket READ that we add to every post these days :-)

Jeff Middleton [SBS-MVP] wrote:
You know, in all the times that you and I have the debate on SMB Signing,
and let's not recount how often, the thing I just don't get is why if you
are "ok" with them setting things as long as you get them right, why do you
think that if you have to set a pair of restrictions twice in each of two
group policies, you don't think that setting every last one of them Disabled
isn't easier to remember, understand and apply correctly?  :)

The other thing is that "if client agrees" still inserts the setting that
allows for trying to use SMB Signing when in fact this is part of the
original problem; there are patch update related conditions in which that
very setting is what causes the malfunction they had to release a patch to
fix! Disabled always works. Disabled in all conditions makes servers, DCs,
and workstations obtain the policy correctly, which means it's only if you
fail to follow the instructions that it will not work.




"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx> wrote in message news:%23vipI3tjFHA.3448@xxxxxxxxxxxxxxxxxxxxxxx

Optionally you can do "if client agrees" and thus the signing will be
there only if the client agrees to it.

I've seen this discussed as another option.

Man in the Middle attacks are most likely in larger networks and mostly
in mixed networks.

Just don't screw up in the process of disabling these suckers.  While it
seems pretty easy to me to go to those policies and disable them, people
do get the wrong ones and can get themselves into a smidge of mess. So
just read the instructions VERY carefully.

It's only 'just' now that copiers and scanners can handle scanning to
networks without default adjusting this off.

Jeff Middleton [SBS-MVP] wrote:

My opinion is to turn it off and forget about it. I don't see a security
issue to be concerned about with this in a small domain like an SBS. You
still will be using a Secure Channel communication, and authentication
just as before. This would be like me and you having a telephone
conversation, secret password, call-back requirement so you know the
number I called from, and then a handshake process that we use to ensure
that at the end of each paragraph, we agree to keep talking.

The difference with the addition of SMB Signing is that once all that
security and authentication has been applied to establish the
communication, SMB Signing puts a tag on each and every network packet
to identify packet by packet that each packet is genuine. This is like
ensuring that during a phone conversation, nobody else on the line
utters a word while I'm talking to make you think I said something
different than what was actually said. I think it's ridiculous overkill
that would be fine with me to use anyway if it didn't cause so many
problems, and introduce compatibility issues.

Turn it off. This is the advice I give to all who ask me about it, and
it's the default condition I recommend to folks doing Swing Migration as
how they should set up the server and workstations. Here's a section
pasted below that I cut from my own documentation.



1. Open the *Active Directory Users and Computers* snap-in, as in the
previous task.

2. Edit the *Default Domain Controllers Policy*
(located on the *Domain Controllers* Organizational Unit).

3. Expand out the tree indicated here, and set the policy items that
follow below:

Computer Configuration

Windows Settings

Security Settings

Local Policies

Security Options

   Microsoft network client: Digitally sign communications (always)
   Disabled

   Microsoft network client: Digitally sign communications (if server
   agrees) Disabled

   Microsoft network server: Digitally sign communications (always)
   Disabled

   Microsoft network server: Digitally sign communications (if client
   agrees) Disabled

4. Edit the *Default Domain Policy* (located on the *Domain Object*),
and now repeat the step just above to configure the same policy items
as indicated.

5. Refresh the machine policy now at all connected DCs. At a command
prompt, type the command indicated below for the version of Windows
running on the server you execute it on:

• For Windows 2000 servers or workstations:

   secedit /refreshpolicy machine_policy /enforce

• For Windows 2003 servers or XP workstations:

   gpupdate /target:computer /force





"markus" <mark@xxxxxxxxxx <mailto:mark@xxxxxxxxxx>> wrote in message
news:%23yaYRnsjFHA.2644@xxxxxxxxxxxxxxxxxxxxxxx
> I have a client who recently bought a Canon printer / scanner (one of the
> big network models).
> The Canon people are telling me that in order for the scanner portion to
> work, SMB packet and secure channel signing must be turned off......
> (this is set in Group policy-Domain controller -- administrator tools /
> domain controller security policy / MS network server / Digitally sign
> communications - they want this policy turned OFF)
>
> If anyone has any knowledge on this,
> My question is what ramifications this will have to the network as a whole.
> All XP Pro clients
> Remote access via RWW IS used...
>
> This KB article
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 explains what
> this is and some ramifications (look under Security, #4)
>
> ((this also seems to be a way to fix the problem with Pre XP clients logging
> onto a W2K3 domain..
> But all I can find about it is basically "Microsoft does not recommend this
> setting" (to turn it off)
> http://support.microsoft.com/default.aspx?scid=kb;en-us;811497
>
>
> Any of you very knowledgeable people have an opinion about this?
> Not really a big deal?
> DON'T DO IT?
> What sort of ramifications could I expect if we turned it off?
>
> If I turn this off, will remote users doing remote control over RWW and
> using for instance a W98 remote system have any issues (I would think
> not...)
>
> Thanks
>
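The four "Digitally sign communications" policy items in the procedure above are written by Group Policy into the LanmanWorkstation and LanmanServer service parameters, so their real state on a given box can be checked there after the refresh. The following PowerShell audit is an added example, not from the thread or from Jeff's documentation; it assumes the standard registry backing values (RequireSecuritySignature for "always", EnableSecuritySignature for "if ... agrees") and reports whether this host would still require a signed session or, as the procedure intends, allow unsigned SMB.

```powershell
# Added audit script (not from the thread or Jeff's documentation). It reads the
# registry values that back the four "Digitally sign communications" policy items
# and reports what is actually in effect on this machine after a policy refresh.
$settings = @(
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name   = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name   = 'EnableSecuritySignature' },
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name   = 'RequireSecuritySignature' },
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name   = 'EnableSecuritySignature' }
)

function Get-SmbSigningState {
    foreach ($s in $settings) {
        # A missing value means no policy ever wrote it; the OS default then applies.
        $item  = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($s.Name) } else { $null }
        if ($null -eq $value) { $state = 'Not configured (OS default applies)' }
        elseif ($value -eq 0) { $state = 'Disabled' }
        elseif ($value -eq 1) { $state = 'Enabled' }
        else                  { $state = "Unexpected value $value" }
        [pscustomobject]@{ Policy = $s.Policy; Value = $s.Name; State = $state }
    }
}

$report = Get-SmbSigningState
$report | Format-Table -AutoSize -Wrap

# Security outcome: a session is only guaranteed to be signed when one side has an
# "(always)" item Enabled. Four Disabled values, as in the procedure, mean this
# host will negotiate unsigned SMB, which is exactly the trade-off debated above.
$requiresAny = $report | Where-Object { $_.Policy -like '*(always)' -and $_.State -eq 'Enabled' }
if (-not $requiresAny) {
    Write-Warning 'No side requires SMB signing: sessions with this host may be unsigned.'
}
```

Run it elevated on a DC before and after step 5 to confirm that the GPO change actually landed, rather than trusting the console view alone.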





