
Microsoft network client: Digitally sign communications (always)

This setting applies to SMB (Server Message Block) and CIFS (Common Internet File System) traffic. Windows uses SMB or CIFS primarily for file sharing and printer sharing, as well as a lot of other domain and Windows networking traffic. SMB (port 139) is the older, more proprietary file sharing protocol, while CIFS (port 443) is an internet standard.

In 1997 Hobbit published a number of vulnerabilities in SMB, including some serious man-in-the-middle attacks. Microsoft made several enhancements to SMB, including SMB message signing, to combat man-in-the-middle attacks. SMB signing is controlled by four security options:

  • Microsoft network client: Digitally sign communications (always)
  • Microsoft network client: Digitally sign communications (if server agrees)
  • Microsoft network server: Digitally sign communications (always)
  • Microsoft network server: Digitally sign communications (if client agrees)

Each Windows system has both an SMB client and server component. The client is the Workstation service and the SMB server is the Server service. The Workstation service is in play when this computer is accessing files, printers or other Windows resources on another computer. The Server service is in play when this computer is sharing folders or printers with other computers; that is when this computer is the server. 

When an SMB client tries to connect to an SMB server, the two computers negotiate whether or not to use SMB signing.

The two “Microsoft network client:” settings above control the Workstation service’s SMB signing behavior, and the two “Microsoft network server:” settings control how the Server service handles SMB signing.

This setting, “Microsoft network client: Digitally sign communications (always)”, when enabled, forces the Workstation service to demand SMB signing. If the server refuses or is incapable of SMB signing, the connection fails. If defined (explicitly enabled or disabled), this setting overrides “Microsoft network client: Digitally sign communications (if server agrees)”.
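To make the negotiation described above concrete, here is an added example (not code from WinSecWiki or from Microsoft) that models how the four signing policies combine into a per-side mode and what the client/server negotiation yields for every combination. The precedence rule is the one the page states: “(always)” overrides “(if server agrees)”. The registry value names RequireSecuritySignature and EnableSecuritySignature under the LanmanWorkstation and LanmanServer Parameters keys are the values the Group Policy settings write; they are taken from Microsoft’s documentation of these policies, not from this page, and the sample registry dictionaries are constructed for the example.

```python
"""Model of SMB signing negotiation between a Workstation (client) and a Server side.

Added example, not part of the WinSecWiki page. It encodes the documented
outcome matrix: a side that requires signing refuses a peer that cannot sign,
otherwise the session is signed as soon as either side requires it or both
sides have it enabled.
"""
from enum import Enum


class SigningMode(Enum):
    DISABLED = "disabled"   # neither policy enabled: this side will not sign
    ENABLED = "enabled"     # "(if ... agrees)": signs whenever the peer can
    REQUIRED = "required"   # "(always)": refuses unsigned sessions


def effective_mode(require: bool, enable: bool) -> SigningMode:
    """Collapse a side's two policies into one mode.

    '(always)' takes precedence over '(if ... agrees)', as the page states:
    once 'always' is defined, the 'if agrees' value no longer matters.
    """
    if require:
        return SigningMode.REQUIRED
    if enable:
        return SigningMode.ENABLED
    return SigningMode.DISABLED


def negotiate(client: SigningMode, server: SigningMode) -> str:
    """Return 'signed', 'unsigned' or 'fails' for one client/server pairing."""
    if SigningMode.REQUIRED in (client, server):
        # A side that demands signing cannot talk to a side that never signs.
        if SigningMode.DISABLED in (client, server):
            return "fails"
        return "signed"
    if client is SigningMode.ENABLED and server is SigningMode.ENABLED:
        return "signed"
    # Only one side (or neither) is willing to sign: the session is unsigned.
    return "unsigned"


def mode_from_registry(params: dict) -> SigningMode:
    """Interpret the Parameters values the policies write (assumed names, see lead-in).

    Client: HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters
    Server: HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters
    RequireSecuritySignature = '(always)', EnableSecuritySignature = '(if ... agrees)'.
    """
    return effective_mode(
        require=bool(params.get("RequireSecuritySignature", 0)),
        enable=bool(params.get("EnableSecuritySignature", 0)),
    )


def negotiation_table() -> dict:
    """All nine client/server combinations, useful when planning an '(always)' rollout."""
    return {
        (c.value, s.value): negotiate(c, s)
        for c in SigningMode
        for s in SigningMode
    }


if __name__ == "__main__":
    # Constructed sample: a workstation with '(always)' enabled talking to a
    # server that neither requires nor enables signing (the Samba case the page warns about).
    workstation = mode_from_registry({"RequireSecuritySignature": 1, "EnableSecuritySignature": 1})
    legacy_server = mode_from_registry({"RequireSecuritySignature": 0, "EnableSecuritySignature": 0})
    print(f"{workstation.value} client -> {legacy_server.value} server: "
          f"{negotiate(workstation, legacy_server)}")
    for (c, s), outcome in negotiation_table().items():
        print(f"client={c:<8} server={s:<8} -> {outcome}")
```

Running the script prints the full matrix; the row to look at before enabling “(always)” on workstations is the one where the server is disabled, because that is the combination that turns a working unsigned connection into a failed one.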

If enabled, this setting can cause problems with non-Microsoft SMB implementations such as Samba.

Bottom line

Don’t enable this setting unless you want to prevent this computer from connecting to SMB servers that don’t support signing, such as some Linux servers.


Additional Resources