Windows Tip Sheet

Sign, Sealed, Delivered

Secure your network from packet spoofing with SMB signing.

I’ve gotten a lot of questions recently regarding Server Message Block (SMB) signing and what it’s good for. SMB, of course, is the traffic used by Windows file sharing (the Server and Workstation services, to be specific).

One risk on any network is packet spoofing. That’s when, for example, ClientA thinks it’s talking to ServerB, but ServerC has inserted itself into the conversation instead, intercepting packets and pretending to be ServerB. It’s a great way for attackers to gain access to otherwise protected information. SMB signing helps prevent this by digitally signing each packet so that its origin can be verified. SMB signing for outgoing traffic is enabled by default in WinNT 4.0, Win98, Win2K, WinXP, and Win2003; SMB signing for incoming traffic is enabled by default on Win2003, WinNT 4.0 and Win2K domain controllers.

You can use GPOs to configure SMB signing (you can use the registry, too, but the GPO will override it, so the GPO is a safer way to go). Just browse to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options in a GPO and configure the setting you prefer.

Note that the SMB signing options can be configured as enabled or required. Enabled means that signing will be used if both computers in the conversation can do so; otherwise, signing will be left off. Requiring signing means that computers unable to perform signing won’t be able to connect at all. My recommendation? Well, if all of your computers can handle SMB signing, require it for all connections. It’s one more rivet in your organization’s armor of IT security, and every little bit helps.
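As an added example (not code from the column), here is a PowerShell audit script that reads the registry values behind those Security Options settings on the local machine and reports, for both the Server (inbound) and Workstation (outbound) side, whether signing is off, enabled or required. It assumes read access to HKLM and uses the standard LanmanServer/LanmanWorkstation value names that the GPO settings write to; as the column notes, a GPO will overwrite a value you set by hand.

```powershell
# Added example: audit the SMB signing state behind the GPO settings described
# above. Not code from the original column. Assumes read access to HKLM.

$sides = [ordered]@{
    # "Server" covers inbound SMB (the Server service / LanmanServer)
    Server      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # "Workstation" covers outbound SMB (the Workstation service / LanmanWorkstation)
    Workstation = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

function Get-SmbSigningState {
    param([Parameter(Mandatory)][string]$Path)

    # Both values are REG_DWORD; a missing value is treated as 0 (not set).
    $enable  = (Get-ItemProperty -Path $Path -Name EnableSecuritySignature  -ErrorAction SilentlyContinue).EnableSecuritySignature
    $require = (Get-ItemProperty -Path $Path -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    if ($null -eq $enable)  { $enable  = 0 }
    if ($null -eq $require) { $require = 0 }

    # Interpret the pair the way the GPO options do:
    #   Require = 1             -> "Digitally sign communications (always)"
    #   Enable = 1, Require = 0 -> "Digitally sign communications (if other side agrees)"
    #   both 0                  -> signing off for this side
    $state = if ($require -eq 1)    { 'Required' }
             elseif ($enable -eq 1) { 'Enabled (negotiated)' }
             else                   { 'Off' }

    [pscustomobject]@{
        Path                     = $Path
        EnableSecuritySignature  = $enable
        RequireSecuritySignature = $require
        State                    = $state
    }
}

foreach ($side in $sides.Keys) {
    $result = Get-SmbSigningState -Path $sides[$side]
    '{0,-12} signing: {1}  (Enable={2}, Require={3})' -f $side, $result.State,
        $result.EnableSecuritySignature, $result.RequireSecuritySignature
    # Flag the gap the column warns about: "enabled" still admits an unsigned peer.
    if ($result.State -ne 'Required') {
        Write-Warning "$side side does not require SMB signing; unsigned sessions are still possible."
    }
}
```

On Windows 8 / Server 2012 and later the same server-side settings are also exposed by Get-SmbServerConfiguration (its EnableSecuritySignature and RequireSecuritySignature properties), which is handy for a quick spot check.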

Cool Gadget
Winegard SharpShooter SS-3000
Get HDTV reception even in your apartment or condo with the Winegard SharpShooter.
Struggling with off-the-air HDTV? While available in most areas, most supposedly HDTV-ready antennas don’t do a good enough job of pulling in a single, strong signal. Check out Winegard’s SharpShooter, a powered, indoor antenna that rejects the “ghost” signals which prevent newer HDTV tuners from showing anything at all on that expensive new widescreen set. Then visit CheckHD.com to see what HDTV channels you can receive.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.
