Configure SMB signing in Windows NT

It is possible to configure WinNT SP3+ to increase the network security by enabling SMB signing, though enabling it will cause a performance hit because the security requires extra processing.

Server Signing in WinNT4/2k/XP :

[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanManServer \Parameters]
EnableSecuritySignature = 0 (Disabled = 0, Enabled = 1)
RequireSecuritySignature= 0 (Disabled = 0, Enabled = 1)

Client Signing in WinNT4 SP3+ :

[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \Rdr \Parameters]
EnableSecuritySignature = 0 (Disabled = 0, Enabled = 1)
RequireSecuritySignature= 0 (Disabled = 0, Enabled = 1)

Client Signing in Win2k/XP :

[HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \LanManWorkstation \Parameters]
EnableSecuritySignature = 0 (Disabled = 0, Enabled = 1)
RequireSecuritySignature= 0 (Disabled = 0, Enabled = 1)

Note the standard policy for Domain Controllers and Windows 2003 is to use SMB Signing, so if using such device as a fileserver in a trusted network, then one might consider disabling SMB Signing.

Note one might experience "Delayed Write Failed"-errors when saving/writing to files on network share. This is caused by an error in SMB signing and it can be fixed by updating Win2k and WinXP according to this article. More Info MS KB814112. Another solution is to set EnableSecuritySignature = 0.

Note to disable SMB Signing for all Domain Controllers in an Active Directory:
  1. Open Active Directory Users and Computers
  2. In the console tree, right-click Domain Controllers and click Properties
  3. Select the Group Policy tab.
  4. Click Default Domain Controllers Policy and click Edit
  5. Under Security Options right-click Microsoft network server: Digitally sign communications (Always) and select properties
  6. Set it to disabled
Related Description of SMB Signing
Related TCPIP nagle algorithm can slow down network with SMB signing

More info MS KB161372
More info MS KB199714
More info MS KB321169
More info MS KB811497
More info MS KB814112
More info MS KB839499
More info MS KB887429

Credits www.jsifaq.com

Updated: 23 September 2007

Leave a Reply

Your email address will not be published. Required fields are marked *