Microsoft network server: Digitally sign communications (always)
This setting applies to SMB (Server Message Block) and CIFS (Common Internet File System) traffic. Windows uses SMB or CIFS primarily for file sharing and printer sharing, as well as a lot of other domain and Windows networking traffic. SMB (port 139) is the older, more proprietary file sharing protocol, while CIFS (port 443) is an internet standard.
In 1997 Hobbit published a number of vulnerabilities in SMB including some serious man-in-the-middle attacks. Microsoft made several enhancements to SMB including SMB message signing to combat man-in-the-middle attacks:
- Microsoft network server: Digitally sign communications (always)
Each Windows system has both an SMB client and an SMB server component. The client is the Workstation service and the SMB server is the Server service. The Workstation service is in play when this computer is accessing files, printers or other Windows resources on another computer. The Server service is in play when this computer is sharing folders or printers with other computers; that is, when this computer is the server.
When an SMB client tries to connect to an SMB server, the 2 computers negotiate whether or not to use SMB signing.
The 2 “Microsoft network client:” settings above control the Workstation service’s SMB signing behavior, and the 2 “Microsoft network server:” settings control how the Server service handles SMB signing.
This setting, “Microsoft network server: Digitally sign communications (always)”, when enabled, forces the Server service to demand SMB signing. If the client refuses or is incapable of SMB signing the connection fails. If defined (explicitly enabled or disabled), this setting overrides “Microsoft network server: Digitally sign communications (if client agrees)”.
If enabled, this setting can cause problems with non-Microsoft SMB implementations such as Samba.
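As an added example (not part of the WinSecWiki page), the following PowerShell audits the Server service's two signing settings on a Windows host and models the negotiation described above. It assumes the standard LanmanServer registry values RequireSecuritySignature and EnableSecuritySignature back the “(always)” and “(if client agrees)” policies, that the SmbShare module is available for a live cross-check, and that the negotiation model is the simplified one this page describes.

```powershell
# Added example: audit the Server service's SMB signing policy and predict
# the negotiation outcome for a given client. Not code from WinSecWiki.

function Get-SmbServerSigningState {
    # Assumption: these are the standard registry values behind the two
    # "Microsoft network server:" policies.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # "(always)" -> RequireSecuritySignature; "(if client agrees)" -> EnableSecuritySignature
    $require = [bool]$props.RequireSecuritySignature
    $enable  = [bool]$props.EnableSecuritySignature

    # Cross-check against what the running Server service reports (SmbShare module).
    $live = Get-SmbServerConfiguration

    # "(always)", when defined, overrides "(if client agrees)", so test it first.
    $effective = if ($require) {
        'Always: clients that cannot or will not sign are refused'
    } elseif ($enable) {
        'If client agrees: sessions are signed only when the client also signs'
    } else {
        'Not required by this server'
    }

    [pscustomobject]@{
        PolicyRequireSignature = $require
        PolicyEnableSignature  = $enable
        LiveRequireSignature   = $live.RequireSecuritySignature
        LiveEnableSignature    = $live.EnableSecuritySignature
        EffectiveBehavior      = $effective
    }
}

function Test-SmbSigningNegotiation {
    # Simplified model of the negotiation in the text: returns 'ConnectionFails',
    # 'Signed' or 'Unsigned' for a client that can/cannot agree to sign.
    param(
        [bool]$ServerRequire,          # "(always)" enabled on the server
        [bool]$ServerEnable,           # "(if client agrees)" enabled on the server
        [bool]$ClientSupportsSigning   # client is able and willing to sign (e.g. not an old Samba build)
    )
    if ($ServerRequire -and -not $ClientSupportsSigning) { return 'ConnectionFails' }
    if ($ServerRequire -or ($ServerEnable -and $ClientSupportsSigning)) { return 'Signed' }
    return 'Unsigned'
}

# Usage: Get-SmbServerSigningState | Format-List
#        Test-SmbSigningNegotiation -ServerRequire $true -ServerEnable $true -ClientSupportsSigning $false
```

Run the audit before enabling “(always)” fleet-wide so the Test function can show which non-signing clients would stop connecting.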
Bottom line
Don’t enable this setting unless you want to prevent this computer from accepting SMB clients that don’t support signing such as some Linux systems.