eSourceONE
SMB Signing on NetApp
Hi,
We are currently running a NetApp filer in a PCI environment. Due to policy, we are required to scan server systems for vulnerabilities using Nessus, and must resolve all medium or higher.
Unfortunately, we were presented with the following vul.: http://www.nessus.org/plugins/index.php?view=single&id=57608
We have already enabled the option cifs.signing.enable, but this does not resolve the problem, as it doesn't force signing, but only permits it if required from the client.
If I understand correctly, there is no way to force SMB signing on the NetApp side (Microsoft network server: Digitally sign communications (always) - on a Windows machine). That means, we can enforce signing by requiring the clients to sign - communication between filer and client should be fine against man-in-the-middle. However, this setting would have to be made on every client (via GPO or LSP on stand-alone machines...)
Does anyone have an idea if we are overlooking anything? We are expected to fix all vulnerabilities...
Thanks for any feedback!
eS1
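The distinction the question turns on, signing permitted versus signing forced, is visible in the SecurityMode field of the server's negotiate response. The following is an added example, not part of the original post: it classifies that field for SMB2 and SMB1 responses. The function names and sample messages are constructed for illustration, and it is an assumption that the scanner finding is derived from this field.

```python
import struct

# SecurityMode flags from the negotiate responses in MS-SMB2 and MS-CIFS/MS-SMB.
SMB2_ENABLED, SMB2_REQUIRED = 0x0001, 0x0002
SMB1_ENABLED, SMB1_REQUIRED = 0x04, 0x08

def signing_posture(msg: bytes) -> str:
    """Classify the signing policy a server advertises in its negotiate response.

    msg is the SMB message without the 4-byte transport length prefix.
    """
    if msg[:4] == b"\xfeSMB":                        # SMB2/3: 64-byte header
        if len(msg) < 68 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not a complete SMB2 NEGOTIATE response")
        mode = struct.unpack_from("<H", msg, 66)[0]  # follows StructureSize
        enabled, required = SMB2_ENABLED, SMB2_REQUIRED
    elif msg[:4] == b"\xffSMB":                      # SMB1: 32-byte header
        if len(msg) < 36 or msg[4] != 0x72 or msg[32] < 17:
            raise ValueError("not a complete NT LM 0.12 negotiate response")
        mode = msg[35]                               # after WordCount, DialectIndex
        enabled, required = SMB1_ENABLED, SMB1_REQUIRED
    else:
        raise ValueError("not an SMB message")
    if mode & required:
        return "required"
    return "enabled-not-required" if mode & enabled else "disabled"

def sample_smb2(mode: int) -> bytes:
    """Constructed SMB2 NEGOTIATE response (fixed fields only, no security blob)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, 0, 1, 1,
                         0, 0, 0, 0, 0, bytes(16))
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, mode, 0x0210, 0, bytes(16),
                       0, 65536, 65536, 65536, 0, 0, 128, 0, 0)
    return header + body

def sample_smb1(mode: int) -> bytes:
    """Constructed SMB1 negotiate response, truncated after SecurityMode."""
    header = struct.pack("<4sBIBH12sHHHH", b"\xffSMB", 0x72, 0, 0x88, 0xC001,
                         bytes(12), 0, 0, 0, 0)
    return header + bytes([17]) + struct.pack("<HB", 0, mode)

if __name__ == "__main__":
    for label, msg in [("signing permitted only", sample_smb2(0x0001)),
                       ("signing forced", sample_smb2(0x0003)),
                       ("SMB1, permitted only", sample_smb1(0x07))]:
        print(f"{label}: {signing_posture(msg)}")
```

A server that only permits signing reports `enabled-not-required`; only the `required` result corresponds to the "Digitally sign communications (always)" behaviour described above.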