SMB Signing

How does SMB signing work for 2008/2012 servers that are not joined to a domain. In particular, i'm looking to set it to require digital signing always and i'd like to have a better understanding of the implications of doing that with non-domain joined servers.
How exactly is communication digitally signed? What mechanism is used and how will systems not in the same workgroup/domain react?
LVL 7
PaulADavisAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
It is important to know what SMB signing is and what it is not.  It is *not* a way to validate the machine you are connecting to.  If you connect to \\server1 and someone manages to poison DNS or use another method to pose as \\server1, SMB signing won't protect you.

SMB signing *is* a way to make sure a packet wasn't altered in transit.  So if your DNS infrastructure is solid, and you know that \\server1 is actually server1, then someone can't sniff a packet, alter it, and then inject bad stuff on relaying it to you.  Particularly important on larger networks where multiple subnets may actually be relaying packets over devices not in the admin's control.

SMB signing exchanges keys using the same authentication method used to authenticate the initial access to the resource. For a domain, that is usually Kerberos.  For workgroups or machines not on a domain, the first fallback is NTLMv2.  That will be used to exchange key information for that SMB session and then signing is done with that key. Its lifetime is the session itself, not longer.  So yes, it works basically the same and domain vs workgroup doesn't really play a part.

With that said, SMB signing was introduced back in NT4, and while it has evolved with SMB, current recommendations is to use SMB encryption wherever possible.  Same benefits as signing, and more besides.   SMB signing would really only be useful in SMB1/2 environments where you want modest security and can't move to SMB3. SMB1, in particular, has so many other attack vectors that signing just isn't a major barrier. Effort/benefit ratio just isn't there most of the time.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PaulADavisAuthor Commented:
Thanks Cliff. Do you know what is used to generate the key?
0
Cliff GaliherCommented:
I don't specifically. Windows has a few standard API for generating such things so I'd assume it uses one of those mechanisms. I doubt they'd write their own non-standard variant.  But I don't know for sure, nor which API they'd likely have used.
0
PaulADavisAuthor Commented:
I found this: https://blogs.msdn.microsoft.com/chiranth/2013/09/20/ntlm-want-to-know-how-it-works/ 
So looks like it uses credentials to generate a hash. That is the information that I was looking to confirm.

Thanks again Cliff.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.