Re: SMB packet and secure channel signing



You know, in all the times that you and I have had the debate on SMB Signing,
and let's not recount how often, the thing I just don't get is this: if you
are "ok" with them setting things as long as you get them right, and you have
to set a pair of restrictions twice in each of two group policies, why don't
you think that setting every last one of them Disabled is easier to remember,
understand and apply correctly? :)

The other thing is that "if client agrees" still inserts the setting that
allows trying to use SMB Signing, when in fact this is part of the original
problem: there are patch-update-related conditions in which that very setting
is what causes the malfunction they had to release a patch to fix! Disabled
always works. Disabled in all conditions makes servers, DCs, and workstations
obtain the policy correctly, which means it's only if you fail to follow the
instructions that it will not work.




"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
wrote in message news:%23vipI3tjFHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
> Optionally you can do "if client agrees" and thus the signing will be
> there only if the client agrees to it.
>
> I've seen this discussed as another option.
>
> Man in the Middle attacks are most likely in larger networks and mostly
> in mixed networks.
>
> Just don't screw up in the process of disabling these suckers. While it
> seems pretty easy to me to go to those policies and disable them, people
> do get the wrong ones and can get themselves into a smidge of mess. So
> just read the instructions VERY carefully.
>
> It's only 'just' now that copiers and scanners can handle scanning to
> networks without default adjusting this off.
>
> Jeff Middleton [SBS-MVP] wrote:
> > My opinion is to turn it off and forget about it. I don't see a security
> > issue to be concerned about with this in a small domain like an SBS. You
> > still will be using a Secure Channel communication, and authentication
> > just as before. This would be like me and you having a telephone
> > conversation, secret password, call-back requirement so you know the
> > number I called from, and then a handshake process that we use to ensure
> > that at the end of each paragraph, we agree to keep talking.
> >
> > The difference with the addition of SMB Signing is that once all that
> > security and authentication has been applied to establish the
> > communication, SMB Signing puts a tag on each and every network packet
> > to identify packet by packet that each packet is genuine. This is like
> > ensuring that during a phone conversation, nobody else on the line
> > utters a word while I'm talking to make you think I said something
> > different that what was actually said. I think it's ridiculous overkill
> > that would be fine with me to use anyway if it didn't cause so many
> > problems, and introduce compatibility issues.
> >
> > Turn it off. This is the advice I give to all who ask me about it, and
> > it's the default condition I recommend to folks doing Swing Migration as
> > how they should set up the server and workstations. Here's a section
> > pasted below that I cut from my own documentation.
> >
> >
> >
> > 1. Open the *Active Directory Users and Computers* snap-in, as in the
> > previous task.
> >
> > 2. Edit the *Default Domain Controllers Policy*
> >
> > (located on the *Domain Controllers Organizational Unit*).
> >
> > 3. Expand out the tree indicated here, and set the policy items that
> > follow below:
> >
> > Computer Configuration
> >
> > Windows Settings
> >
> > Security Settings
> >
> > Local Policies
> >
> > Security Options
> >
> > Microsoft network client: Digitally sign communications (always)
> > Disabled
> >
> > Microsoft network client: Digitally sign communications (if server
> > agrees) Disabled
> >
> > Microsoft network server: Digitally sign communications (always)
> > Disabled
> >
> > Microsoft network server: Digitally sign communications (if client
> > agrees) Disabled
> >
> > 4. Edit the *Default Domain Policy* (located on the *Domain Object*),
> > and now repeat the step just above to configure the same policy items
> > in agreement with what is indicated.
> >
> > 5. Refresh the machine policy now at all connected DCs. At a command
> > prompt, type the command indicated below for the version of Windows
> > running on the server you execute it on:
> >
> > - For Windows 2000 servers or workstations:
> >
> > secedit /refreshpolicy machine_policy /enforce
> >
> > - For Windows 2003 servers or XP workstations:
> >
> > gpupdate /target:computer /force
> >
> >
> >
> >
> >
> > "markus" <mark@xxxxxxxxxx <mailto:mark@xxxxxxxxxx>> wrote in message
> > news:%23yaYRnsjFHA.2644@xxxxxxxxxxxxxxxxxxxxxxx
> > > I have a client who recently bought a Canon printer / scanner (one of
> > > the big network models).
> > > The Canon people are telling me that in order for the scanner portion
> > > to work, SMB packet and secure channel signing must be turned off......
> > > (this is set in Group policy - Domain controller -- administrator tools /
> > > domain controller security policy / MS network server / Digitally sign
> > > communications - they want this policy turned OFF)
> > >
> > > If anyone has any knowledge on this,
> > > my question is what ramifications this will have to the network as a
> > > whole.
> > > All XP Pro clients
> > > Remote access via RWW IS used...
> > >
> > > This KB article
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
> > > explains what this is and some ramifications (look under Security, #4)
> > >
> > > ((this also seems to be a way to fix the problem with Pre XP clients
> > > logging onto a W2K3 domain..
> > > But all I can find about it is basically "Microsoft does not
> > > recommend this setting" (to turn it off)
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;811497
> > >
> > >
> > > Any of you very knowledgeable people have an opinion about this?
> > > Not really a big deal?
> > > DON'T DO IT?
> > > What sort of ramifications could I expect if we turned it off?
> > >
> > > If I turn this off, will remote users doing remote control over RWW
> > > and using for instance a W98 remote system have any issues (I would
> > > think not...)
> > >
> > > Thanks
> > >
> > >
> > >
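As an added example that is not from this thread: a PowerShell check that reads the registry values behind the four "Digitally sign communications" policy items in the pasted procedure and reports the effective SMB signing state of the machine it runs on, so an admin can confirm the policy actually landed and see plainly what per-packet integrity protection has been given up. The registry locations in the comments are the standard Windows ones for these policies; the function name is this example's own.

```powershell
# Added example, not from the thread. Reads the registry values behind the four
# "Digitally sign communications" policy items and reports the effective SMB
# signing state of the local machine.
# Mapping assumed here (the standard Windows locations for these policies):
#   client (always)           -> LanmanWorkstation\Parameters\RequireSecuritySignature
#   client (if server agrees) -> LanmanWorkstation\Parameters\EnableSecuritySignature
#   server (always)           -> LanmanServer\Parameters\RequireSecuritySignature
#   server (if client agrees) -> LanmanServer\Parameters\EnableSecuritySignature
# An absent value means the policy is Not Defined and the built-in default applies.

function Get-SmbSigningState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $checks = @(
        @{ Side = 'Client'; Policy = 'Digitally sign communications (always)';
           Key = "$base\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature' },
        @{ Side = 'Client'; Policy = 'Digitally sign communications (if server agrees)';
           Key = "$base\LanmanWorkstation\Parameters"; Name = 'EnableSecuritySignature' },
        @{ Side = 'Server'; Policy = 'Digitally sign communications (always)';
           Key = "$base\LanmanServer\Parameters"; Name = 'RequireSecuritySignature' },
        @{ Side = 'Server'; Policy = 'Digitally sign communications (if client agrees)';
           Key = "$base\LanmanServer\Parameters"; Name = 'EnableSecuritySignature' }
    )
    foreach ($c in $checks) {
        # SilentlyContinue: a missing key or value yields $null instead of an error
        $item  = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $state = if ($null -eq $value) { 'Not Defined' } elseif ($value -eq 1) { 'Enabled' } else { 'Disabled' }
        [pscustomobject]@{ Side = $c.Side; Policy = $c.Policy; Value = $value; State = $state }
    }
}

$signing = Get-SmbSigningState
$signing | Format-Table Side, Policy, Value, State -AutoSize

# What the thread's recommendation gives up: with nothing Enabled on either side,
# no SMB session this host takes part in carries per-packet integrity protection.
if (-not ($signing | Where-Object { $_.State -eq 'Enabled' })) {
    Write-Warning 'SMB signing is neither required nor offered on this host; SMB packets are not integrity-protected.'
}
```

Run it on a DC and on a workstation after the policy refresh in step 5, since the two GPOs in the procedure apply to different machines.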

