Microsoft network server: Digitally sign communications (if client agrees)ID: oval:org.secpod.oval:def:22541 | Date: (C)2015-01-07 (M)2023-07-14 |
Class: COMPLIANCE | Family: windows |
This security setting determines whether packet signing is required by the SMB client component.
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
Default: Disabled.
Important
For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).
Computers that have this policy set will not be able to communicate with computers that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers running Windows 2000 and later.
Server-side packet signing can be enabled on computers running Windows 2000 and later by setting Microsoft network server: Digitally sign communications (if client agrees)
Server-side packet signing can be enabled on computers running Windows NT 4.0 Service Pack 3 and later by setting the following registry value to 1:
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
Server-side packet signing cannot be enabled on computers running Windows 95 or Windows 98.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options!Microsoft network server: Digitally sign communications (if client agrees)
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters!enablesecuritysignature
Platform: |
Microsoft Windows 8.1 |