WinSecWiki > Security Settings > Local Policies > Security Options > Microsoft Network Client > Digitally sign communications (if server agrees)

Microsoft network client: Digitally sign communications (if server agrees)

This setting applies to SMB (Server Message Block) and CIFS (Common Internet File System) traffic. Windows uses SMB or CIFS primarily for file sharing and printer sharing as well a lot of other domain and Windows networking traffic. SMB (port 139) is the older more proprietary file sharing protocol, while CIFS (port 443) is an internet standard.

In 1997 Hobbit published a number of vulnerabilities in SMB including some serious man-in-the-middle attacks. Microsoft made several enhancements to SMB including SMB message signing to combat man-in-the-middle attacks:

Microsoft network client: Digitally sign communications (always)

Microsoft network client: Digitally sign communications (if server agrees)

Microsoft network server: Digitally sign communications (always)

Microsoft network server: Digitally sign communications (if client agrees)

Each Windows system has both an SMB client and server component. The client is the Workstation service and the SMB server is the Server service. The Workstation service is in play when this computer is accessing files, printers or other Windows resources on another computer. The Server service is in play when this computer is sharing folders or printers with other computers; that is when this computer is the server.

When an SMB client tries to connect to an SMB server, the 2 computers negotiate whether or not to use SMB signing.

The 2 “Microsoft network client:” settings above control the Workstation service’s SMB signing behavior and the 2 “Microsoft network server:” controls how the Server service handles SMB signing.

This setting, “Microsoft network client: Digitally sign communications (if server agrees)”, when enabled, causes the Workstation service to request SMB signing. If the Server refuses or is incapable of SMB signing the connection will still succeed but of course without signing. If enabled “Microsoft network client: Digitally sign communications (always)” is defined (explicitly enabled or disabled), Windows ignores this setting.

Bottom line

Enable this setting so that Windows to Windows computers will negotiate signing and thus protect against man-in-the-middle attacks. The only counter-indications for this setting is if the performance hit is too great. Microsoft says this can cause a 15% performance hit in file sharing traffic. If this does cause a problem consider how much of a risk man-in-the-middle attacks are for your network.

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Microsoft Network Client

•	Digitally sign communications (always)
•	Digitally sign communications (if server agrees)
•	Send unencrypted password to third-party SMB servers

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.