Windows Tip Sheet
Sign, Sealed, Delivered
Secure your network from packet spoofing with SMB signing.
I’ve gotten a lot of questions recently regarding Server Message Block
(SMB) signing and what it’s good for. SMB, of course, is the protocol used
by Windows file sharing (the Server and Workstation services, to be specific).
One potential problem on any network is packet spoofing. That’s when,
for example, ClientA thinks it’s talking to ServerB, but ServerC has
actually inserted itself into the conversation, intercepting packets
and pretending to be ServerB. It’s a great
way for attackers to gain access to otherwise protected information. SMB signing
helps prevent this by digitally signing each packet so that its origin can be
verified. SMB signing for outgoing traffic is enabled by default in WinNT 4.0,
Win98, Win2K, WinXP, and Win2003; SMB signing for incoming traffic is enabled
by default on Win2003, WinNT 4.0 and Win2K domain controllers.
You can use GPOs to configure SMB signing (you can use the registry, too, but
the GPO will override it, so the GPO is a safer way to go). Just browse to Computer
Configuration, Windows Settings, Security Settings, Local Policies, Security
Options in a GPO and configure the setting you prefer.
Note that the SMB options can be configured as enabled or required. Enabled
means that signing will be used if both computers in the conversation can do
so; otherwise, signing will be left off. Requiring signing means that computers
unable to perform signing won’t be able to connect at all. My recommendation?
Well, if all of your computers can handle SMB signing, require it for all connections.
It’s one more rivet in your organization’s armor of IT security,
and every little bit helps.
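To see what a machine is actually set to before you require signing, the following added example (not part of the original column) reads the registry values behind the Security Options settings and reports what the enabled/required rules above mean against each kind of peer. The registry paths and value names are the standard LanmanServer and LanmanWorkstation ones, supplied here because the article does not list them; the function names are hypothetical.

```powershell
# Added example, not from the article. Reads the registry values behind the
# SMB signing security options and reports each role's effective setting.
$roles = [ordered]@{
    'Server (incoming)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'Client (outgoing)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}

# Map the two DWORD values to Disabled / Enabled / Required.
# Missing values are reported as NotSet rather than guessing an OS default.
function Get-SigningState {
    param([Parameter(Mandatory)][string]$Path)
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NotSet' }
    $enable  = $p.EnableSecuritySignature
    $require = $p.RequireSecuritySignature
    if ($require -eq 1) { return 'Required' }
    if ($enable -eq 1)  { return 'Enabled' }
    if ($null -eq $enable -and $null -eq $require) { return 'NotSet' }
    return 'Disabled'
}

# Apply the article's rules: signing happens only if both sides can sign;
# a side that requires signing refuses a peer that cannot.
function Get-SigningOutcome {
    param([string]$Local, [string]$Peer)
    if ($Local -eq 'NotSet' -or $Peer -eq 'NotSet') { return 'Unknown (value not set)' }
    $pair = @($Local, $Peer)
    if ($pair -contains 'Required' -and $pair -contains 'Disabled') { return 'Connection refused' }
    if ($pair -contains 'Disabled') { return 'Unsigned' }
    return 'Signed'
}

# One row per role and hypothetical peer setting.
foreach ($role in $roles.Keys) {
    $state = Get-SigningState -Path $roles[$role]
    foreach ($peer in 'Disabled', 'Enabled', 'Required') {
        [pscustomobject]@{
            Role = $role; LocalSetting = $state; PeerSetting = $peer
            Outcome = Get-SigningOutcome -Local $state -Peer $peer
        }
    }
}
```

Any row that shows "Connection refused" is a client or server pairing that would stop working once signing is required, and any "Unsigned" row is traffic that remains open to spoofing.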
Cool Gadget
Get HDTV reception even in your apartment or condo with the Winegard SharpShooter.
Struggling with off-the-air HDTV? While available in most areas,
most supposedly HDTV-ready antennas don’t do a good enough
job of pulling in a single, strong signal. Check out Winegard’s
SharpShooter, a powered, indoor antenna that rejects the
“ghost” signals which prevent newer HDTV tuners
from showing anything at all on that expensive new widescreen
set. Then visit CheckHD.com
to see what HDTV channels you can receive.
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.