
Microsoft network server: Digitally sign communications (if client agrees)

This setting applies to SMB (Server Message Block) and CIFS (Common Internet File System) traffic. Windows uses SMB or CIFS primarily for file sharing and printer sharing, as well as for a lot of other domain and Windows networking traffic. SMB (port 139) is the older, more proprietary file sharing protocol, while CIFS (port 443) is an internet standard.

In 1997 Hobbit published a number of vulnerabilities in SMB, including some serious man-in-the-middle attacks. Microsoft responded with several enhancements to SMB, including SMB message signing, which is controlled by four security options (two for the client side and two for the server side):

  • Microsoft network client: Digitally sign communications (always)
  • Microsoft network client: Digitally sign communications (if server agrees)
  • Microsoft network server: Digitally sign communications (always)
  • Microsoft network server: Digitally sign communications (if client agrees)

Each Windows system has both an SMB client and server component. The client is the Workstation service and the SMB server is the Server service. The Workstation service is in play when this computer is accessing files, printers or other Windows resources on another computer. The Server service is in play when this computer is sharing folders or printers with other computers; that is when this computer is the server. 

When an SMB client tries to connect to an SMB server, the two computers negotiate whether or not to use SMB signing.

The two “Microsoft network client:” settings above control the Workstation service’s SMB signing behavior, and the two “Microsoft network server:” settings control how the Server service handles SMB signing.

This setting, “Microsoft network server: Digitally sign communications (if client agrees)”, when enabled, causes the Server service to request SMB signing. If the client refuses or is incapable of SMB signing, the connection still succeeds, but of course without signing. If “Microsoft network server: Digitally sign communications (always)” is defined (explicitly enabled or disabled), Windows ignores this setting.

Bottom line

Enable this setting so that Windows computers negotiate signing with each other and are thus protected against man-in-the-middle attacks. The only contraindication for this setting is that the performance hit may be too great: Microsoft says it can cause a 15% performance hit in file sharing traffic. If this does cause a problem, weigh it against how much of a risk man-in-the-middle attacks are for your network.
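As an added example (not part of the WinSecWiki page), the following PowerShell script audits the Server service's SMB signing configuration from its registry values, reports the effective server-side mode, and optionally enables the "if client agrees" behavior recommended above. It assumes the standard LanmanServer registry location, where EnableSecuritySignature backs the "(if client agrees)" policy and RequireSecuritySignature backs the "(always)" policy; applying the change requires an elevated session.

```powershell
# Added example, not the WinSecWiki page's own code: audit the Server service's
# SMB signing configuration and optionally enable "if client agrees".
# Assumes the standard LanmanServer registry location; -Apply needs elevation.
param([switch]$Apply)

# Registry values behind the two "Microsoft network server:" policies:
#   Digitally sign communications (if client agrees) -> EnableSecuritySignature
#   Digitally sign communications (always)           -> RequireSecuritySignature
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbServerSigningMode {
    param([int]$IfClientAgrees, [int]$Always)
    # (always) takes precedence: a client that cannot sign is refused.
    if ($Always -eq 1)         { return 'Required' }
    # (if client agrees): signing is requested, but an unsigned session still succeeds.
    if ($IfClientAgrees -eq 1) { return 'Negotiated' }
    return 'Disabled'
}

$props          = Get-ItemProperty -Path $ServerKey
$ifClientAgrees = [int]($props.EnableSecuritySignature)   # absent value casts to 0
$always         = [int]($props.RequireSecuritySignature)
$mode = Get-SmbServerSigningMode -IfClientAgrees $ifClientAgrees -Always $always

Write-Host "EnableSecuritySignature  (if client agrees): $ifClientAgrees"
Write-Host "RequireSecuritySignature (always)          : $always"
Write-Host "Server-side SMB signing mode               : $mode"

if ($mode -eq 'Disabled') {
    Write-Warning 'Server never requests SMB signing; sessions can be tampered with in transit.'
    if ($Apply) {
        # Enable "if client agrees"; the Server (LanmanServer) service must be
        # restarted, or the host rebooted, before the new value takes effect.
        Set-ItemProperty -Path $ServerKey -Name EnableSecuritySignature -Value 1 -Type DWord
        Write-Host 'EnableSecuritySignature set to 1; restart the Server service to apply.'
    }
}
```

Run it without -Apply first to see the current mode; "Negotiated" is the state this page recommends, and "Required" means the "(always)" policy is in force and overrides this setting.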
