Enforcing SMB packet security


Mike Leone

May 6, 2025, 3:41:41 PM5/6/25
to NTSysAdmin
So, among a few hundred other things, we got dinged on a security
audit for SMB packet security. Right now, I have a GPO that signs the
packets, if client and server agree:

Computer Policy - Disable SMBv1 and enforce SMB signing
Microsoft network client: Digitally sign communications (if server agrees)

Computer Policy - Disable SMBv1 and enforce SMB signing
Microsoft network server: Digitally sign communications (if client agrees)


Problem is, that policy is only applied to our Servers OU, and not all
client computers (i.e., workstations). If I change to "Digitally sign
communications (always)", which is what the security company wants
(and I agree), don't I have to have all 3 options, AND apply this GPO
to ALL computer objects in the domain? Else the client OSes won't be
able to talk to the server OSes, since the Server OSes will require
signing, but the Client OSes have no setting (at the moment).

Am I missing something?

I'm thinking I apply the current GPO to all computer objects in the
domain today. Then next week, change the option to "Always" for client
and server.

And it should Just Be Transparent. :-)

Yes?

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
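Before flipping either setting to "(always)", the useful check is what the machine actually enforces today and which of its live SMB sessions are unsigned. The script below is an added example, not code from the original post; it assumes Windows Server 2016 / Windows 10 or later (the SmbShare module, and the Signed and Encrypted properties on Get-SmbSession and Get-SmbConnection, which are assumed to be present), and it must run elevated. The registry value names it reads (RequireSecuritySignature / EnableSecuritySignature under LanmanServer and LanmanWorkstation) are the ones the two GPO security options write. One point worth knowing for the "will the clients still talk" question: SMB 2.x/3.x clients can always sign, and a server that requires signing gets signed sessions from any Windows client regardless of the client's own policy; the peers that break are devices whose SMB implementation cannot sign, which is what the unsigned-session list surfaces.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the local SMB signing posture and list unsigned sessions
# before moving a GPO to "Digitally sign communications (always)".
# Not code from the original thread. Assumes Windows Server 2016 / Windows 10 or
# later; the Signed/Encrypted properties on Get-SmbSession/Get-SmbConnection are
# assumed present (a missing property simply yields an empty list below).
$ErrorActionPreference = 'Stop'
Import-Module SmbShare

# The two GPO security options write straight to these registry values, which the
# SMB stack reads at service start:
#   "... (always)"                   -> RequireSecuritySignature = 1
#   "... (if server/client agrees)"  -> EnableSecuritySignature  = 1
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SigningMode {
    param([bool]$Require, [bool]$Enable)
    if ($Require)    { 'required (always)' }
    elseif ($Enable) { 'enabled (if peer agrees)' }
    else             { 'disabled' }
}

# Effective state (what the SMB server/client report) side by side with the
# registry value the policy wrote. A mismatch means the policy landed in the
# registry but is not in effect yet (reboot pending) or never applied at all.
function Get-SmbSigningPosture {
    $sides = @(
        @{ Role = 'Server (LanmanServer)';      Live = Get-SmbServerConfiguration; Reg = Get-ItemProperty -Path $srvKey },
        @{ Role = 'Client (LanmanWorkstation)'; Live = Get-SmbClientConfiguration; Reg = Get-ItemProperty -Path $cliKey }
    )
    foreach ($side in $sides) {
        $regRequire  = $side.Reg.RequireSecuritySignature      # $null if no policy ever wrote it
        $liveRequire = [int]$side.Live.RequireSecuritySignature
        $check = if ($null -eq $regRequire) { 'OS default (no policy value in registry)' }
                 elseif ([int]$regRequire -eq $liveRequire) { 'consistent' }
                 else { 'MISMATCH: registry and live config differ (reboot pending or GPO not applied)' }
        [pscustomobject]@{
            Role           = $side.Role
            Signing        = Get-SigningMode $side.Live.RequireSecuritySignature $side.Live.EnableSecuritySignature
            RegistryVsLive = $check
        }
    }
}

# Inbound sessions that are not signed today: these are the peers a server-side
# "(always)" would cut off. Windows SMB2/3 clients sign whenever the server demands
# it, so what usually shows up here is scan-to-folder printers, NAS boxes and SMB1 gear.
function Get-UnsignedInbound {
    Get-SmbSession | Where-Object { $_.Signed -eq $false } |
        Select-Object ClientComputerName, ClientUserName, Dialect, Signed, Encrypted
}

# Outbound connections this machine has open without signing: what a client-side
# "(always)" would break if the remote server cannot sign.
function Get-UnsignedOutbound {
    Get-SmbConnection | Where-Object { $_.Signed -eq $false } |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
}

Get-SmbSigningPosture | Format-Table -AutoSize
Get-UnsignedInbound   | Format-Table -AutoSize
Get-UnsignedOutbound  | Format-Table -AutoSize
```

Run it on the file servers during business hours (sessions are only visible while they exist) and on a few workstations; anything listed under the unsigned inbound table is what needs fixing or excepting before "(always)" goes out. Domain controllers already require server-side signing by default, so they will normally report "required" without any GPO.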

Wright, John M

May 6, 2025, 4:03:32 PM5/6/25
to ntsys...@googlegroups.com
I would be careful about forcing servers to require SMB signing. When I tried that, I broke scan to file from printers (they didn't support SMB signing). Instead, I had it required by all workstations (and NASes). This effectively covered 99%+ of SMB traffic.

I have SMBv1 disabled everywhere.

--
John Wright
IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215
502.708.9953
Please submit IT requests to Hazelwoo...@bluegrass.org
24 Hour Helpline 1.800.928.8000
  
CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

Kurt Buff

May 6, 2025, 4:22:30 PM5/6/25
to ntsys...@googlegroups.com
I just went through this exercise. I created the GPO and applied it to servers, DCs, workstations, everything.

As John mentioned, you have to be careful that scan-to-file and NAS access is up to the task, and I validated that beforehand, and didn't have any problems.

Well, except for one - there was a server that had a 100% full disk that failed our pen test last week on that metric. But, once the OS disk was expanded and the machine rebooted, it went back to expected state.

My guess is that the full disk prevented the GPO from applying - that's my story and I'm sticking to it, because I asked the tester to scan that machine again after the reboot, and it passed.

Now, as to why the sysadmins didn't catch the full disk, that's a different story - it was that way for a week, apparently. I gave them the naughty-naughty finger wag...

Kurt

Philip Elder

May 6, 2025, 5:16:09 PM5/6/25
to ntsys...@googlegroups.com
Don't DISABLE, please REMOVE:

# Remove SMBV1
Remove-WindowsFeature FS-SMB1 -Restart

That's the only true way to guarantee SMBv1 is gone from a network.

To enable SMB Signing, all elements, port to port, need to support it.

At this point, SMBv1 should be gone and SMBv2 should be disabled.

Before setting SMB Signing to mandatory, test, because something out there will probably break.

Windows to Windows should be fine for file and print sharing along with other roles and services.

The exception to that is SMBv3 for SMB Direct. I'm not 100% sure SMB Signing mandatory will not break the connection.

Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
MPECS Inc.
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.


Mike Leone

May 7, 2025, 8:49:55 AM5/7/25
to ntsys...@googlegroups.com
On Tue, May 6, 2025 at 4:03 PM Wright, John M <John....@newvista.org> wrote:

> I would be careful about forcing servers to require SMB signing. When I tried that, I broke scan to file from printers (they didn't support SMB signing). Instead, I had it required by all workstations (and NASes). This effectively covered %99+ of SMB traffic.

So, does that mean your workstations and NASes are set to require
signing, but your servers (such as the file servers that the printers
scan to) do not require signing?

> I have SMBv1 disabled everywhere.

I'll mention to our deployment guys to make sure it's removed from the
workstation images. I usually do the server images (via VM templates),
so I can remove it from those images.

Wright, John M

May 7, 2025, 8:53:48 AM5/7/25
to ntsys...@googlegroups.com
Yes, signing's required by workstations/NASes but not by servers.

Also, I misspoke when I said disabled. Philip had it right when he said *remove*. (Remove-WindowsFeature FS-SMB1 -Restart)

--
John Wright
IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215
502.708.9953
Please submit IT requests to Hazelwoo...@bluegrass.org
24 Hour Helpline 1.800.928.8000
  
CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

-----Original Message-----
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Mike Leone
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BiFCf_-KtBFV8iU0hem93a6%3D%3Dxo4XFC5yOnxrKhm6py%3DA%40mail.gmail.com.

Mike Leone

May 7, 2025, 8:54:39 AM5/7/25
to ntsys...@googlegroups.com
On Tue, May 6, 2025 at 5:16 PM Philip Elder <Phili...@mpecsinc.ca> wrote:
>
> Don't DISABLE please REMOVE:
>
> # Remove SMBV1
> Remove-WindowsFeature FS-SMB1 -Restart
>
> That's the only true way to guarantee SMBv1 is gone from a network.

OK


> At this point, SMBv1 should be gone and SMBv2 should be disabled.

Really. Disable SMBv2.

> Before setting SMB Signing to mandatory test because something out there will probably break.
>
> Windows to Windows should be fine for file and print sharing along with other roles and services.

Most of our printers that scan send their files to file servers via
FTP (I've asked to have them sent via SCP, if possible, instead).
Since that's not sending to a share, then it's not an SMB packet
anyway, right?

Mike Leone

May 7, 2025, 9:12:42 AM5/7/25
to ntsys...@googlegroups.com
On Tue, May 6, 2025 at 5:16 PM Philip Elder <Phili...@mpecsinc.ca> wrote:
>
> Don't DISABLE please REMOVE:
>
> # Remove SMBV1
> Remove-WindowsFeature FS-SMB1 -Restart

On my Win 10 workstation:

PS C:\WINDOWS\system32> Remove-WindowsFeature FS-SMB1 -Restart
Remove-WindowsFeature : The target of the specified cmdlet cannot be a Windows client-based operating system.
At line:1 char:1
+ Remove-WindowsFeature FS-SMB1 -Restart

PS C:\WINDOWS\system32> Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

FeatureName      : SMB1Protocol
DisplayName      : SMB 1.0/CIFS File Sharing Support
Description      : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol.
RestartRequired  : Possible
State            : Disabled
CustomProperties :
                   ServerComponent\Description : Support for the SMB 1.0/CIFS file sharing protocol, and the Computer Browser protocol.
                   ServerComponent\DisplayName : SMB 1.0/CIFS File Sharing Support
                   ServerComponent\Id : 487
                   ServerComponent\Type : Feature
                   ServerComponent\UniqueName : FS-SMB1
                   ServerComponent\Deploys\Update\Name : SMB1Protocol

Wright, John M

May 7, 2025, 9:19:53 AM5/7/25
to ntsys...@googlegroups.com
I think it's a bit different for workstations. You may try: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

But I'm not sure whether that's "disable" or "remove."

--
John Wright
IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215
502.708.9953
Please submit IT requests to Hazelwoo...@bluegrass.org
24 Hour Helpline 1.800.928.8000
  
CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

-----Original Message-----
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Mike Leone
Sent: Wednesday, May 7, 2025 9:12 AM
To: ntsys...@googlegroups.com
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BgTt%2BK3PdwbMAR-%2BCeN7ec3hxm1-hE0B6g4NxPSG3oWHQ%40mail.gmail.com.

Mike Leone

May 7, 2025, 9:44:45 AM5/7/25
to ntsys...@googlegroups.com
On Wed, May 7, 2025 at 9:19 AM Wright, John M <John....@newvista.org> wrote:
>
> I think it's a bit different for workstations. You may try: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
>
> But I'm not sure whether that's "disable" or "remove."

That command works, on my Win 10 VM. Right now, we're rolling out Win
11, which has SMBv1 off by default. I don't see a way to remove it,
though.

I can still expand my GPO that disables SMBv1 using registry to
include all client OSes.

Hive        HKEY_LOCAL_MACHINE
Key path    SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value name  SMB1
Value type  REG_DWORD
Value data  0x0 (0)
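The thread ends up with three different SMB1 controls in play: Remove-WindowsFeature FS-SMB1 on server SKUs, Disable-WindowsOptionalFeature on client SKUs, and the SMB1 = 0 registry value above. The script below is an added example, not code from any of the posts, that picks the right removal method for the local OS type, applies the registry value as a belt-and-braces measure, disables the separate SMB1 client driver, and then verifies both halves. It assumes Windows 8.1 / Server 2012 R2 or later, that the -Remove switch of Disable-WindowsOptionalFeature drops the feature payload on Windows 10 and later (which is the "remove, not just disable" answer for workstations), that Uninstall-WindowsFeature -Remove does the same on servers, and that the sc.exe dependency edit is Microsoft's documented method for disabling the SMB1 client; it must run elevated and be followed by a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example: remove SMB1 on a server or a client SKU and verify both the server
# and client halves are off. Not code from the original thread. Assumptions:
# Windows 8.1 / Server 2012 R2 or later; -Remove on Disable-WindowsOptionalFeature
# (Windows 10+) and on Uninstall-WindowsFeature drops the payload; a reboot follows
# (-Restart is deliberately not used so the verification can run first).
$ErrorActionPreference = 'Stop'

# ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
$srvKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

if ($isServer) {
    # Server SKUs: FS-SMB1 is a role feature. Uninstall-WindowsFeature is the cmdlet;
    # Remove-WindowsFeature (as used in the thread) is its alias. Without -Remove the
    # feature only goes to "Available" and the binaries stay on disk.
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1 -Remove | Out-Null
    }
} else {
    # Client SKUs: Remove-WindowsFeature refuses to run (as the thread shows). The
    # optional-feature cmdlet with -Remove both disables the feature and drops its payload.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -ne 'Disabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -Remove -NoRestart | Out-Null
    }
}

# Same value the thread's GPO sets: SMB1 = 0 under LanmanServer\Parameters switches
# off the SMB1 *server* even while the binaries are still present.
New-ItemProperty -Path $srvKey -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null

# The SMB1 *client* is a separate driver (mrxsmb10). If it is still present, disable it
# and drop the workstation service's dependency on it (Microsoft's documented method for
# OSes where the feature cannot be uninstalled).
if (Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'") {
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# Verification: run once now and again after the reboot; every row should say
# SMB1 is off / removed / disabled.
function Get-Smb1Status {
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        ServerSMB1Enabled   = (Get-SmbServerConfiguration).EnableSMB1Protocol
        ServerSMB1RegValue  = (Get-ItemProperty -Path $srvKey).SMB1
        ClientDriverPresent = [bool]$drv
        ClientDriverStart   = if ($drv) { $drv.StartMode } else { 'n/a (driver removed)' }
        FeatureState        = if ($isServer) { (Get-WindowsFeature -Name FS-SMB1).InstallState }
                              else { (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State }
    }
}

Get-Smb1Status
```

On Windows 11 the optional feature is already Disabled by default, which is what the Get-WindowsOptionalFeature output earlier in the thread reflects; the -Remove switch is what takes it from "disabled but present" to "gone". Keep the SMB1 = 0 registry value in the GPO anyway, since it costs nothing and covers a machine whose feature removal has not completed yet.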