
Require SMB Security Signatures

Applies To: Windows Server 2008 R2, Windows Server 2012

On this page, you supply information about the selected server and the clients with which it communicates.

This security setting determines whether packet signing is required by the server message block (SMB) server component.

The SMB protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To help prevent attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.

If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing.

Note
All Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both the client-side SMB component and server-side SMB component that are involved in a communication must have SMB packet signing either enabled or required.

If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers.

Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.

Important
Using SMB packet signing can degrade performance by up to 15 percent on file service transactions.

Registry key

  • HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature

Associated security setting

  • Microsoft network server: Digitally sign communications (always)
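A read-only audit of the setting described above, as an added example that is not part of the original Microsoft page. It reads RequireSecuritySignature for the server component; the companion EnableSecuritySignature value and the client-side LanmanWorkstation key are assumptions not listed on this page, and the function name is hypothetical.

```powershell
# Added example: report SMB signing state from the registry (read-only).
# Server path and RequireSecuritySignature come from this page.
# EnableSecuritySignature and the LanmanWorkstation (client) path are
# assumptions: the companion values for the "enabled" and client-side states.
$base = 'HKLM:\System\CurrentControlSet\Services'
$components = @{
    Server = "$base\LanManServer\Parameters"
    Client = "$base\LanmanWorkstation\Parameters"
}

# Hypothetical helper: maps the two DWORD values to Disabled/Enabled/Required.
function Get-SmbSigningState {
    param([string]$Path)
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    # A value that is absent is treated as 0 for this audit (assumption).
    $require = 0
    $enable  = 0
    if ($p -and $null -ne $p.RequireSecuritySignature) { $require = [int]$p.RequireSecuritySignature }
    if ($p -and $null -ne $p.EnableSecuritySignature)  { $enable  = [int]$p.EnableSecuritySignature }
    if ($require -eq 1)    { 'Required' }
    elseif ($enable -eq 1) { 'Enabled' }
    else                   { 'Disabled' }
}

# New-Object is used instead of [pscustomobject] so this also runs on
# PowerShell 2.0 (Windows Server 2008 R2).
$report = foreach ($name in 'Server', 'Client') {
    New-Object PSObject -Property @{
        Component = $name
        Signing   = Get-SmbSigningState -Path $components[$name]
    }
}
$report | Format-Table Component, Signing -AutoSize

$server = ($report | Where-Object { $_.Component -eq 'Server' }).Signing
$client = ($report | Where-Object { $_.Component -eq 'Client' }).Signing

if ($server -ne 'Required') {
    Write-Warning "Server-side signing is '$server': unsigned sessions are still accepted."
} else {
    Write-Output 'Server requires signing: clients with signing disabled cannot connect.'
}
if ($client -eq 'Required') {
    Write-Output 'Client requires signing: it cannot connect to servers with signing disabled.'
}
```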

Providing inaccurate information might disrupt communication between the selected server and other computers on the network.

For more information about this security setting, see "Microsoft network server: Digitally sign communications (always)" (http://go.microsoft.com/fwlink/?LinkId=91043).

© 2014 Microsoft. All rights reserved.