FAQ: Is it advisable to only enable SMB signing for domain controllers?

Is it advisable to only enable SMB signing for domain controllers? We are considering disabling SMB signing for file and print servers. Would this action help to reduce the risk of attack?

QUESTION POSED ON: 13 DEC 2004
QUESTION ANSWERED BY: Kevin Beaver

You should enable SMB signing on all systems to truly secure all Windows communications on your network. In fact, if you don't enable it on all systems, you may experience problems on some clients. It's enabled on Server 2003 by default, but you must enable it manually on all other versions of Windows.

Perform the following steps to enable SMB signing:

Insert the REG_DWORD entries 'RequireSecuritySignature' and 'EnableSecuritySignature' with a value of 1 to these registry keys:

Windows NT4 clients: HKLM\SYSTEM\CurrentControlSet\Services\Rdr\Parameters

Windows XP/2000 clients: HKLM\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters

Windows NT4/2000/2003 servers: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters

For Samba servers, set "server signing=mandatory" in the smb.conf file.
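
One way to audit the settings listed above across collected host data, as an added example that is not part of the original answer. It assumes the input is the text of a `reg export` file and the contents of smb.conf; the function names and sample data are constructed for illustration, and only the value "mandatory" named in the answer is accepted for Samba.

```python
import re

# Keys and value names as listed in the answer above (compared case-insensitively).
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
KEYS = {
    "workstation": BASE + r"\LanManWorkstation\Parameters",
    "server": BASE + r"\LanManServer\Parameters",
}
VALUES = ("RequireSecuritySignature", "EnableSecuritySignature")

def audit_reg_export(text):
    """Return {(role, value_name): bool}; a missing value counts as not set."""
    wanted = {path.lower(): role for role, path in KEYS.items()}
    found, role = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            role = wanted.get(line[1:-1].lower())  # None for keys we do not audit
        elif role and (m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)):
            found[(role, m.group(1).lower())] = int(m.group(2), 16)
    return {(r, v): found.get((r, v.lower())) == 1 for r in KEYS for v in VALUES}

def samba_signing_mandatory(conf):
    """True if the [global] section of smb.conf sets server signing = mandatory."""
    section, value = None, None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, val = line.split("=", 1)
            if "".join(name.split()).lower() == "serversigning":
                value = val.strip().lower()  # this sketch keeps the last assignment
    return value == "mandatory"

# Constructed sample inputs, not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"EnableSecuritySignature"=dword:00000001
'''
SAMPLE_SMB = "[global]\n   workgroup = EXAMPLE\n   server signing = mandatory\n"

if __name__ == "__main__":
    print(audit_reg_export(SAMPLE_REG))
    print("samba mandatory:", samba_signing_mandatory(SAMPLE_SMB))
```

In the sample, the server key has signing enabled but not required, and the workstation key lacks RequireSecuritySignature entirely, so both are reported as not meeting the configuration the answer describes.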
