Windows: SMB Signing required soon (now available in Windows 11 Insider Preview)

[German] Microsoft will require so-called SMB signing (security signatures) in Windows 11 and later also in Windows 10. This is intended to protect systems in enterprise environments against NTLM relay attacks. The feature is being rolled out immediately in Windows 11 (Enterprise edition) for Windows Insiders in the Canary Channel. Later, it will also be backported to older Windows versions (Windows 11 21H2 and Windows 10).

As of June 2, 2023, Microsoft has released Windows 11 Insider Preview Build 25381 (see the post Announcing Windows 11 Insider Preview Build 25381 in Windows blog). The following passage can be found in the list of changes:

SMB signing requirement changes

Beginning with Windows 11 Insider Preview Build 25381 Enterprise editions, SMB signing is now required by default for all connections. This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them. This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape.

So Microsoft starts immediately with requiring SMB signing for network connections in Windows 11 Enterprise (Insider Preview).

If there are issues

Windows and Windows Server support SMB signing for network connections in all versions. However, a third-party vendor may disable or not support this feature. When users attempt to connect to a remote share on a third-party SMB server that does not allow SMB signing, they may receive one of the following error messages:

  • 0xc000a000
  • -1073700864
  • STATUS_INVALID_SIGNATURE
  • The cryptographic signature is invalid.

To fix this problem, configure the third-party SMB servers to support SMB signing, Microsoft writes. Microsoft advises against disabling SMB signing in Windows or using SMB1 to work around this behavior (SMB1 supports signing but does not enforce it).

This change is part of Microsoft's effort to increase the security of systems and network connections, because an SMB device that does not support signing allows eavesdropping and relay attacks by malicious actors.

Ned Pyle has published the Techcommunity post SMB signing required by default in Windows Insider on this topic. Forcing SMB signing is happening first for Windows 11 Enterprise edition in the Insider Preview, but will be rolled out later for Windows 11 and Windows 10.

Microsoft writes that SMB signing can reduce the performance of SMB copy operations. This can be mitigated with more physical CPU cores or virtual CPUs, as well as newer, faster CPUs. The current SMB signing settings can be viewed in an administrative shell with the following PowerShell commands:

Get-SmbServerConfiguration | fl requiresecuritysignature
Get-SmbClientConfiguration | fl requiresecuritysignature

To disable SMB signing in client connections (outbound to other devices), the following PowerShell command can be used in an administrative PowerShell environment.

Set-SmbClientConfiguration -RequireSecuritySignature $false

To disable the SMB signing requirement on the server (on Windows 11 Insider Preview build 25381 and later, Enterprise edition), run the following PowerShell command in an administrative PowerShell session:

Set-SmbServerConfiguration -RequireSecuritySignature $false

No restart is required, but existing SMB connections will continue to be signed until they are closed. (via)
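As an added example, not from the post or from Microsoft: a PowerShell function that gathers the settings queried above into one report, flags any active outbound connections that negotiated without signing, and optionally applies the hardened setting (signing required on both sides) rather than the workaround. It assumes the standard SmbShare cmdlets and an elevated session.

```powershell
# Added example: audit the local SMB signing posture and list outbound
# connections that are currently unsigned. Run from an elevated shell.
function Get-SmbSigningPosture {
    [CmdletBinding()]
    param(
        # When set, switch both server and client to require signing.
        [switch]$Enforce
    )

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Summarise the four relevant flags in one object.
    [pscustomobject]@{
        ServerRequiresSignature = $server.RequireSecuritySignature
        ServerEnablesSignature  = $server.EnableSecuritySignature
        ClientRequiresSignature = $client.RequireSecuritySignature
        ClientEnablesSignature  = $client.EnableSecuritySignature
    }

    # Active outbound SMB connections that negotiated without signing are the
    # ones exposed to the eavesdropping and relay risk the post describes.
    $unsigned = Get-SmbConnection | Where-Object { -not $_.Signed }
    if ($unsigned) {
        Write-Warning "Unsigned SMB connections found; check whether these servers support signing:"
        $unsigned |
            Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted |
            Format-Table -AutoSize
    } else {
        Write-Host "No unsigned outbound SMB connections."
    }

    if ($Enforce) {
        # Hardened setting: the opposite of the workaround commands in the post.
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        Write-Host "SMB signing is now required; open sessions keep their current state until closed."
    }
}

# Usage (audit only; add -Enforce to apply the required-signing setting):
Get-SmbSigningPosture
```

Run the audit before enabling the requirement so that servers appearing as unsigned can be reconfigured first, avoiding the STATUS_INVALID_SIGNATURE errors listed above.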
