WinSecWiki > Security Settings > Local Policies > Security Options > Microsoft Network Client > Digitally sign communications (always)

Microsoft network client: Digitally sign communications (always)

This setting applies to SMB (Server Message Block) and CIFS (Common Internet File System) traffic. Windows uses SMB or CIFS primarily for file sharing and printer sharing as well a lot of other domain and Windows networking traffic. SMB (port 139) is the older more proprietary file sharing protocol, while CIFS (port 443) is an internet standard.

In 1997 Hobbit published a number of vulnerabilities in SMB including some serious man-in-the-middle attacks. Microsoft made several enhancements to SMB including SMB message signing to combat man-in-the-middle attacks:

Microsoft network client: Digitally sign communications (always)

Microsoft network client: Digitally sign communications (if server agrees)

Microsoft network server: Digitally sign communications (always)

Microsoft network server: Digitally sign communications (if client agrees)

Each Windows system has both an SMB client and server component. The client is the Workstation service and the SMB server is the Server service. The Workstation service is in play when this computer is accessing files, printers or other Windows resources on another computer. The Server service is in play when this computer is sharing folders or printers with other computers; that is when this computer is the server.

When an SMB client tries to connect to an SMB server, the 2 computers negotiate whether or not to use SMB signing.

The 2 “Microsoft network client:” settings above control the Workstation service’s SMB signing behavior and the 2 “Microsoft network server:” controls how the Server service handles SMB signing.

This setting, “Microsoft network client: Digitally sign communications (always)”, when enabled, forces the Workstation service to demand SMB signing. If the Server refuses or is incapable of SMB signing the connection fails. If defined (explicitly enabled or disabled), this setting overrides “Microsoft network client: Digitally sign communications (if server agrees)”.

If enabled, this setting can cause problems with non Microsoft SMB implementations such as SAMBA.

Bottom line

Don’t enable this setting unless you want to prevent this computer from connecting to SMB servers that don’t support signing such as some Linux servers.

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Microsoft Network Client

•	Digitally sign communications (always)
•	Digitally sign communications (if server agrees)
•	Send unencrypted password to third-party SMB servers

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.