SMB: Digitally signed communication should be required or disabled

Updated: November 17, 2010

Applies To: Windows Server 2008 R2

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the File Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System: Windows Server 2008 R2

Product/Feature: File Services

Severity: Warning

Category: Security

Issue

Digitally signed communication for file, print, and named-pipe sharing is enabled, but not required.

Impact

Computers are allowed to use unsigned sessions to communicate with the server, circumventing this security measure. This is a security risk because a malicious user could use a man-in-the-middle attack to intercept unsigned network communications.

Digitally signed communication decreases the performance of the server due to the extra overhead.

Resolution

On servers that host highly sensitive shared folders and printers, enable the Microsoft network server: Digitally sign communications (always) policy setting. On servers that do not host sensitive data, disable digital signing.

Use Local Security Policy on a server to configure this Group Policy setting. The default configuration for the Group Policy setting Microsoft network server: Digitally sign communications (always) is as follows:

  • Disabled for member servers.

  • Enabled for domain controllers.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure.

To enable digitally signed communication on a server

  1. In Administrative Tools, click Local Security Policy.

  2. In the console tree, click Local Policies, and then click Security Options.

  3. Locate the policy Microsoft network server: Digitally sign communications (always), right-click the policy, and click Properties.

  4. In Local Security Setting, click Enabled, and then click OK.
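The procedure above applied from a script, as an added example that is not part of the original topic. It assumes the two Security Options policies are backed by the known LanmanServer registry values EnableSecuritySignature and RequireSecuritySignature (not named on this page), and it reports the same three states the Issue and Resolution sections distinguish.

```powershell
# Added example, not from the original topic: audit and fix the server-side
# SMB signing state that this BPA rule evaluates. The two Security Options
# policies are backed by these known registry values (not named on the page):
#   EnableSecuritySignature  -> "Digitally sign communications (if client agrees)"
#   RequireSecuritySignature -> "Digitally sign communications (always)"
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbServerSigningState {
    $p = Get-ItemProperty -Path $LanmanParams
    # An absent value means the OS default applies; it is reported as 0 here,
    # so confirm the effective setting in Local Security Policy in that case.
    $enabled  = [int]($p.EnableSecuritySignature)
    $required = [int]($p.RequireSecuritySignature)
    $finding = if ($required -eq 1) {
        'OK: signing is required for all sessions'
    } elseif ($enabled -eq 1) {
        'WARNING (this BPA rule): signing enabled but not required; unsigned sessions are accepted'
    } else {
        'Signing disabled: acceptable per this topic only for servers with no sensitive data'
    }
    New-Object PSObject -Property @{
        EnableSecuritySignature  = $enabled
        RequireSecuritySignature = $required
        Finding                  = $finding
    }
}

function Set-SmbServerSigning {
    param([Parameter(Mandatory=$true)][ValidateSet('Required','Disabled')][string]$Mode)
    # "Required" is the resolution for servers hosting sensitive shares or printers;
    # "Disabled" is the resolution for the rest. Both values are written so the
    # resulting state is unambiguous.
    $value = if ($Mode -eq 'Required') { 1 } else { 0 }
    Set-ItemProperty -Path $LanmanParams -Name EnableSecuritySignature  -Value $value -Type DWord
    Set-ItemProperty -Path $LanmanParams -Name RequireSecuritySignature -Value $value -Type DWord
    # Restart the Server service so new sessions pick up the setting; this drops
    # existing SMB sessions, so run it in a maintenance window.
    Restart-Service -Name LanmanServer -Force
    Get-SmbServerSigningState
}

# Usage (elevated prompt; the topic requires membership in Administrators):
Get-SmbServerSigningState | Format-List
# Set-SmbServerSigning -Mode Required
```

If a domain Group Policy Object defines these policies, the local change is overwritten at the next policy refresh, so check the winning GPO with gpresult and configure the setting there instead.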