SMB Signing Required | Computing for Arts + Sciences

SMB Signing Required

UNT IT Security recently acquired a new network vulnerability scanner called Rapid7. It's apparently a lot more thorough than what we were using because we now have a list of changes we have been asked to address. The highest risk change is regarding SMB signing being disabled (or in our case, not required) on all our systems. SMB signing basically allows your computer to validate that the server you're connecting to is the server you expect to be connecting to.

In order to do our part to reduce attack surfaces on systems that we support, we will be enabling SMB signing on all Windows and Apple computers that we support, including servers and clients. This change will go into effect on or after March 1, 2019.

Concern

This change may affect your ability to connect to a device that is not managed by CAS: this may have the inadvertent side effect of not allowing you to connect a network share that doesn't support SMB 2+ or SMB 1 signing. This would be only very old devices, but we cannot test every possible device that you may have in your research lab or your house.

If you are having dificulty finding your H:, R:, and S: drives on your computer, you may need help setting up direct access to file drives.

If you do have issues connecting to a device at UNT, give us a call. We'll work with the owners of that device to get SMB signing enabled. It it's a device at your home or something off-campus, we suggest first contacting the owner of the device. If you are the owner, we suggest you contact the manufacturer for updated firmware/software for the device.

Self-Managed Computers

If you're managing a computer, we ask that you enable SMB signing by

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    • EnableSecuritySignature (DWORD) 1
    • RequireSecuritySignature (DWORD) 1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    • EnableSecuritySignature (DWORD) 1
    • RequireSecuritySignature (DWORD) 1

All four settings should likely be enabled (Set to 1) for workstations and servers. This will ensure that everything will use SMB Signing, if possible, but will not break if SMB signing is not possible -- for example when connecting to an older SMB1 device without SMB Signing.

Here's a summary of the effective behavior of SMB2:

Server - Required Server - Not Required
Client - Required Signed Signed
Client - Not Required Signed* Not Signed**

Here's a summary of the effective behavior of SMB1 in current versions of Windows:

Server - Required Server - Enabled Server - Disabled
Client - Required Signed Signed Signed
Client - Enabled Signed* Signed Not Signed**
Client - Disabled Signed Not Signed Not Signed

* Default for Domain Controller SMB traffic.
** Default for all other SMB traffic.

Not configuring this setting could result in your computer become a security risk and being immediately removed from the network.

CAS Support

If you having trouble connecting to a device or server after this is implemented:

  • UNT-managed Device or Service: reach out to us explaining the issue and we'll work with the owners of that device to get SMB signing enabled.
  • Third-party-managed Device or Service:
    1. Contact the manufacturer of the device and see if you can get updated firmware/software for the device.
    2. Reach out to us explaining the issue and we'll see if we can help.