Larry Kiterling

asked on

Vulnerability - SMB signing on Windows 2008

I have an application server and it is showing it has a vulnerability of "SMB Security Signatures Not Required". If I was to enable it on the server, would it cause any issues with the workstation connecting to the application server?
ASKER CERTIFIED SOLUTION
btan

Larry Kiterling

ASKER

Are all Windows 7 PCs default with SMB on?
SOLUTION
The default from MS for Win2k8 and 2012 is enabled, while Windows 2k3 is disabled for member servers and enabled for domain controllers.
https://technet.microsoft.com/en-us/library/cc731957(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/cc728025(v=ws.10).aspx
The SMB setting should be enabled for SMBv2.

https://support.microsoft.com/en-sg/kb/2696547
I have no idea why this was abandoned.
@btan: By the way: I don't see where you take your info from those links. I took https://msdn.microsoft.com/de-de/library/jj852239(v=ws.11).aspx where it says "By default, server-side packet signing is enabled only on domain controllers running Windows 2000, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2"
To answer the author's question: there is no impact to the client or server if SMB signing is enabled at both ends. In fact it is recommended to do so, otherwise there are other security benefits missed out.
Warning: We do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.
See more in https://support.microsoft.com/en-sg/kb/2696547

This should be considered answered.

The default setting is more from the below.
All Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both the client-side SMB component and server-side SMB component that are involved in a communication must have SMB packet signing either enabled or required.


If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers.

Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
https://technet.microsoft.com/en-us/library/cc731957(v=ws.11).aspx
Suggest the acceptance for
ID: 41599541
ID: 41600234
ID: 41741301
ID: 41741644
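
The enabled/required rules quoted from TechNet above can be checked on a machine before changing the server policy. This read-only PowerShell script is an added example, not code from the thread or from Microsoft: it reads the `EnableSecuritySignature` and `RequireSecuritySignature` registry values for the server-side and client-side SMB components and applies the quoted rules. The function names are hypothetical, and treating an absent value as 0 is an assumption of this example.

```powershell
# Added example: read SMB packet-signing settings and evaluate them against
# the rules quoted from TechNet in this thread. Read-only; changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SigningState {
    # $Service: 'LanmanServer' (server side) or 'LanmanWorkstation' (client side)
    param([string]$Service)
    $p = Get-ItemProperty -Path "$base\$Service\Parameters" -ErrorAction SilentlyContinue
    # Assumption of this example: a value that is absent counts as 0.
    $enabled  = ($p -ne $null) -and ($p.EnableSecuritySignature  -eq 1)
    $required = ($p -ne $null) -and ($p.RequireSecuritySignature -eq 1)
    if ($required) { 'Required' } elseif ($enabled) { 'Enabled' } else { 'Disabled' }
}

function Test-SigningOutcome {
    # Each argument is 'Disabled', 'Enabled' or 'Required'.
    param([string]$Client, [string]$Server)
    # One side requires signing and the other has it disabled: no session.
    if (($Server -eq 'Required' -and $Client -eq 'Disabled') -or
        ($Client -eq 'Required' -and $Server -eq 'Disabled')) {
        return 'Session refused'
    }
    # Both sides enabled or required: packets are signed.
    if ($Client -ne 'Disabled' -and $Server -ne 'Disabled') { return 'Signed' }
    # Otherwise the session is established without signing.
    return 'Unsigned'
}

# Current policy on this machine, for both SMB components.
$local = New-Object PSObject -Property @{
    ServerSide = Get-SigningState 'LanmanServer'
    ClientSide = Get-SigningState 'LanmanWorkstation'
}
$local | Format-List

# What each kind of workstation would get if this server were set to Required.
foreach ($c in 'Disabled', 'Enabled', 'Required') {
    '{0,-9} client -> Required server: {1}' -f $c, (Test-SigningOutcome $c 'Required')
}
```

Run on a workstation, the `ClientSide` line shows whether that client would still connect once the application server requires signing.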