Signing is still possible in any case; nothing turns the signing code off. This is not a security model we follow anymore, but everyone was wearing 1-strap undone overalls and baggy windbreakers at this point in the 90s and thinking they looked good. SMB1 also had the "required" setting, for those who wanted more strictness, and that overrides the "if I feel like it" behavior, as you'd hope. So we end up with this complex matrix. Again, it only matters for the SMB1 protocol, which you are not supposed to be using.
The idea that the server should mandate these settings in either case isn't great either; it leads to attacks where someone intercepts the negotiation and says "nah, don't sign, you're fine". A client-side security requirement is the proper technique: the client decides it wants security and, if it doesn't get it, closes the connection. In fact, I have a long article on all of this you should read once, then five times more. If you really, really want to understand SMB signing, the article to read is "SMB 2 and SMB 3 security in Windows: the anatomy of signing and cryptographic keys" by Edgar Olougouna, who works in our dev support org and is a seriously smart man to be trusted in all things SMB.
As for all these weird ideas we had around signing back in the late 90s - I wasn't around for these decisions but it's ok, you can still blame me if you want.
At least I never wore the 1-strap overalls.
SMB 3. If you want the best performance and protection combination, consider upgrading to the latest Windows versions. If someone changes a message during transmission, the hash won't match, and SMB will know that someone tampered with the data. The signature also confirms the sender's and receiver's identities.
This breaks relay attacks. Use Kerberos instead. Note: In these policies, "always" indicates that SMB signing is required, and "if server agrees" or "if client agrees" indicates that SMB signing is enabled. Therefore, this setting does nothing unless you're using SMB1. SMB2 signing is controlled solely by being required or not. Brian Foley (verified professional)
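The matrix described above (the SMB1-only "enabled" values versus the "required" value that is the only thing SMB2/3 honor, and the point that the requirement belongs on the client as well as the server) can be audited and enforced from PowerShell. The script below is an added example, not code from Ned Pyle's post, the Microsoft docs, or the Spiceworks thread. It assumes Windows 8 / Server 2012 or later with the built-in SmbShare module and an elevated session; the function names are this example's own. `RequireSecuritySignature` is what the "Digitally sign communications (always)" policies set, and `EnableSecuritySignature` is what the "(if server/client agrees)" policies set.

```powershell
# Added example (not from the original page). Assumes the SmbShare module
# (Get-/Set-SmbServerConfiguration, Get-/Set-SmbClientConfiguration, Get-SmbConnection)
# on Windows 8 / Server 2012 or later, run as administrator. Function names are hypothetical.

function Get-SmbSigningPosture {
    # Read both sides of the matrix. Only the Require* values govern SMB2/3 sessions.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        Smb1Enabled          = $srv.EnableSMB1Protocol
        ServerEnableSigning  = $srv.EnableSecuritySignature    # "if client agrees" (SMB1 only)
        ServerRequireSigning = $srv.RequireSecuritySignature   # "always"
        ClientEnableSigning  = $cli.EnableSecuritySignature    # "if server agrees" (SMB1 only)
        ClientRequireSigning = $cli.RequireSecuritySignature   # "always"
    }
}

function Test-SmbSigningPosture {
    # Returns a list of findings; an empty list means signing is required both ways and SMB1 is off.
    param([Parameter(Mandatory)] $Posture)
    $findings = @()
    if ($Posture.Smb1Enabled) {
        $findings += 'SMB1 is enabled; it is the only dialect where the Enable*Signing values matter, and it should be off.'
    }
    if (-not $Posture.ServerRequireSigning) {
        $findings += "Server does not require signing (EnableSecuritySignature=$($Posture.ServerEnableSigning) is ignored by SMB2/3)."
    }
    if (-not $Posture.ClientRequireSigning) {
        $findings += 'Client does not require signing; it will accept an unsigned session whenever the server does not insist.'
    }
    return $findings
}

function Set-SmbSigningRequired {
    # Enforce the requirement on both sides. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server and client', 'Require security signature')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
}

function Get-UnsignedSmbConnections {
    # Client-side view of live outbound connections; Signed=False is the state an interceptor wants.
    Get-SmbConnection | Where-Object { -not $_.Signed } |
        Select-Object ServerName, ShareName, UserName, Dialect, Signed
}

# Usage
$posture  = Get-SmbSigningPosture
$findings = Test-SmbSigningPosture -Posture $posture
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    Set-SmbSigningRequired -WhatIf      # drop -WhatIf to apply the change
} else {
    Write-Host 'SMB signing is required on both client and server.'
}
Get-UnsignedSmbConnections
```

Run the audit before the enforcement step: on a host where only the "if agrees" policies were ever set, the posture object shows `EnableSigning` values of True and `RequireSigning` values of False, which is exactly the "does nothing unless you're using SMB1" case from the thread. Applying the client-side requirement is what makes the downgrade described earlier fail, because the client itself closes any session that was not negotiated with signing rather than trusting the server to insist.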