SMB Message Signing Troubles?
Susan posted this a few days ago, and I thought it made sense to give it some more attention. SMB Message Signing is one of the most problematic security settings in Windows, if not the most problematic. It is commonly used to defeat man-in-the-middle attacks, but getting the settings to match on clients and servers is difficult because the defaults are somewhat hard to understand. I discussed all of this at some length in an article that I wrote last summer. That article was an attempt to clarify the area a bit and help people figure out how to use the setting without breaking communication in their network.

While writing the article (and having to explain to senior execs why the setting was so troublesome), I also concluded that the only way to solve the problem was to change the way the setting worked. The idea was to remove the ability to disable SMB Message Signing. If a system always negotiates SMB Message Signing successfully, the mismatches go away, leaving you with only the potential overhead that signing introduces to manage. This, however, requires a change to the behavior of both the redirector (the Workstation service) and the Server service, which could only be done by patching both components.

On August 15, 2006, the hotfix that does exactly that was released. It is described in KB article 916846. It does exactly what I just said: it ensures that even if SMB Message Signing is disabled on one side of the communication and required on the other, the communication succeeds.
The hotfix does not, as far as I can tell, remove the overhead involved in SMB Message Signing. In small, bursty connections that overhead should be minimal, but in high-volume, long-running transactions it could be as high as 40%. This will be addressed in SMBv2 in Windows Vista and Windows Longhorn Server.
If you can live with the overhead (which you must be able to, if you have decided you want SMB Message Signing) but are having trouble getting the settings to match on all systems, this fix may be just the ticket. Once it is deployed, your systems will be much more tolerant of misconfigured settings and your life should get a bit simpler.
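To see where a given box stands before and after the fix, here is an added PowerShell example (mine, not from the original post or the hotfix): it reads the local redirector and server signing settings from the registry values the "Digitally sign communications" policies write, classifies each side as Disabled, Enabled or Required, and prints the client/server negotiation matrix. The -Hotfix switch models the KB 916846 behaviour as the post describes it (a disabled side still signs when its peer requires it); that model, and treating an absent registry value as 0, are assumptions.

```powershell
# Added example, not code from the original post or from the hotfix.
# Registry values: EnableSecuritySignature = "if server/client agrees",
# RequireSecuritySignature = "always", under LanmanWorkstation (redirector)
# and LanmanServer (server service).

function Get-SmbSigningState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LanmanWorkstation', 'LanmanServer')]
        [string]$Service
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service\Parameters"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # Assumption: an absent value is treated as 0 here. The OS default for an
    # absent value differs by role (domain controllers require signing), so
    # confirm against the effective policy as well.
    $enable  = [int]$p.EnableSecuritySignature
    $require = [int]$p.RequireSecuritySignature
    if ($require -eq 1)    { return 'Required' }
    elseif ($enable -eq 1) { return 'Enabled' }
    else                   { return 'Disabled' }
}

function Test-SmbSigningNegotiation {
    param(
        [ValidateSet('Disabled', 'Enabled', 'Required')][string]$Client,
        [ValidateSet('Disabled', 'Enabled', 'Required')][string]$Server,
        [switch]$Hotfix   # model of the KB 916846 behaviour described in the post
    )
    $anyRequired = ($Client -eq 'Required') -or ($Server -eq 'Required')
    $anyDisabled = ($Client -eq 'Disabled') -or ($Server -eq 'Disabled')
    # Without the hotfix, "required" on one side and "disabled" on the other
    # cannot negotiate and the session fails; with it, the session succeeds.
    $connects = (-not ($anyRequired -and $anyDisabled)) -or $Hotfix.IsPresent
    # Signing is used when one side requires it or when both sides are willing.
    $signed = $connects -and ($anyRequired -or (($Client -eq 'Enabled') -and ($Server -eq 'Enabled')))
    [pscustomobject]@{ Client = $Client; Server = $Server; Hotfix = $Hotfix.IsPresent
                       Connects = $connects; Signed = $signed }
}

# Local posture, then the full 3x3 client/server matrix with and without the hotfix.
"Local redirector: $(Get-SmbSigningState LanmanWorkstation)"
"Local server:     $(Get-SmbSigningState LanmanServer)"
$levels  = 'Disabled', 'Enabled', 'Required'
$results = foreach ($c in $levels) { foreach ($s in $levels) {
    Test-SmbSigningNegotiation -Client $c -Server $s
    Test-SmbSigningNegotiation -Client $c -Server $s -Hotfix
} }
$results | Format-Table -AutoSize
```

On Windows 8 / Server 2012 and later, Get-SmbClientConfiguration and Get-SmbServerConfiguration expose the same two values directly, which is easier than reading the registry.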