Server Message Block (SMB) signing

The Server Message Block (SMB) protocol is used for communications within a Microsoft Windows-based network. SMB signing is a security feature that cryptographically signs SMB traffic, which protects the network from common man-in-the-middle attacks such as packet tampering. If SMB signing is not used, an internal attacker can essentially hijack any share session that is active on your network.

There are multiple versions of the SMB protocol available, namely SMB1, SMB2 and SMB3. SMB1 and SMB2 use signing for transport security, whereas SMB3 uses encryption for transport security.

SMB signing uses a keyed hashing algorithm (HMAC-SHA256).

SMB signing is currently available on all versions of Windows. It is enabled by default on Domain Controllers, since SMB is the protocol that clients use to download Group Policy information securely.

Navis recommends the following process for security signatures:

  1. Evaluate the feasibility of enabling SMB signing across all client and server hosts.

  2. Consider testing on a limited range of hosts in a non-production environment before scaling up.

  3. Take note of any potential difficulties. One common drawback is performance overhead, because every packet must be signed and verified.

  4. Take inventory of machines that do not have SMB signing enabled.

  5. If testing produces the expected results, apply the setting in production.
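The inventory step above (machines that do not have SMB signing enabled) can be scripted. The following PowerShell is an added example, not Navis's code; it assumes PowerShell Remoting (WinRM) is enabled on the target hosts, that the caller has administrative rights on them, and that the host names in `$hosts` are constructed placeholders to be replaced with your own list.

```powershell
# Added example (not Navis's code): inventory SMB signing settings across hosts.
# Assumes PowerShell Remoting is enabled and the caller is a local admin on each host.
$hosts = @('fileserver01', 'workstation17')   # constructed sample names, replace with your inventory

function Get-SmbSigningStatus {
    param([string[]]$ComputerName)

    # Get-SmbServerConfiguration / Get-SmbClientConfiguration expose the
    # same values that Group Policy and the LanmanServer/LanmanWorkstation
    # registry keys control.
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $srv = Get-SmbServerConfiguration
        $cli = Get-SmbClientConfiguration
        [pscustomobject]@{
            ComputerName          = $env:COMPUTERNAME
            ServerSigningEnabled  = $srv.EnableSecuritySignature
            ServerSigningRequired = $srv.RequireSecuritySignature
            ClientSigningEnabled  = $cli.EnableSecuritySignature
            ClientSigningRequired = $cli.RequireSecuritySignature
            SMB1Enabled           = $srv.EnableSMB1Protocol
        }
    }
}

$report = Get-SmbSigningStatus -ComputerName $hosts

# Hosts that still accept unsigned SMB on either side are the remediation list.
$needsWork = $report | Where-Object {
    -not ($_.ServerSigningRequired -and $_.ClientSigningRequired)
}
$needsWork | Format-Table ComputerName, ServerSigningRequired, ClientSigningRequired, SMB1Enabled -AutoSize

# Hosts that did not answer are unknown, not compliant; list them separately.
$answered = $report | ForEach-Object { $_.PSComputerName }
$hosts | Where-Object { $_ -notin $answered } |
    ForEach-Object { Write-Warning "No response from $_ (not assessed)" }

# Keep a timestamped record for the before/after comparison in the test phase.
$report | Export-Csv -Path ".\smb-signing-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The report distinguishes "enabled" (the host will sign if the peer asks) from "required" (the host refuses unsigned sessions); only the latter closes the tampering window described above, so the remediation filter keys on `RequireSecuritySignature`. Hosts that do not respond are reported separately rather than silently dropped, so the inventory does not overstate coverage.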

SMB Signing Configuration and Defaults

Configuring SMB clients and SMB servers requires setting Group Policy and registry settings. For details on how to configure SMB signing, refer to the following links:
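For a single host (for example during the non-production test phase), the registry values that the Group Policy settings write can be set directly. The following PowerShell is an added example, not Navis's or Microsoft's code; it assumes it is run as an administrator on the host being configured, and uses `-WhatIf` support so the change can be previewed before it is applied.

```powershell
# Added example (not Navis's code): set the SMB signing registry values on the local host.
# Group Policy is the preferred way to deploy this at scale; these are the values the
# "Digitally sign communications (always)" policies write for the server and client side.
$smbSigningKeys = @(
    @{ Role = 'Server'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' },
    @{ Role = 'Client'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' }
)

function Set-SmbSigningPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # -Require makes unsigned sessions fail; without it signing is only offered.
        [switch]$Require
    )
    $requireValue = if ($Require) { 1 } else { 0 }

    foreach ($k in $smbSigningKeys) {
        $target = "$($k.Role) signing (Require=$requireValue) at $($k.Path)"
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $target)) {
            Set-ItemProperty -Path $k.Path -Name EnableSecuritySignature  -Value 1             -Type DWord
            Set-ItemProperty -Path $k.Path -Name RequireSecuritySignature -Value $requireValue -Type DWord
        }
    }
}

function Test-SmbSigningPolicy {
    # Read the values back so the change can be verified (and recorded) per step 2 of the process.
    foreach ($k in $smbSigningKeys) {
        $p = Get-ItemProperty -Path $k.Path
        [pscustomobject]@{
            Role     = $k.Role
            Enabled  = [bool]$p.EnableSecuritySignature
            Required = [bool]$p.RequireSecuritySignature
        }
    }
}

# Preview first, then apply. The Server service must be restarted (or the
# host rebooted) for the LanmanServer change to take effect.
Set-SmbSigningPolicy -Require -WhatIf
Set-SmbSigningPolicy -Require
Restart-Service -Name LanmanServer -Force
Test-SmbSigningPolicy | Format-Table -AutoSize
```

On hosts that negotiate SMB2 or later, the server honours `RequireSecuritySignature` and ignores `EnableSecuritySignature`, so requiring signing (rather than merely enabling it) is what changes behaviour. Because a required-signing server rejects unsigned clients, run the inventory from the previous section first and fix the client side before tightening the servers they depend on.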