Network Security Focus-Microsoft


Subject: RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers
Date: Tue, 03 May 2005 16:18:31 -0400
The implications of what you've changed are pretty much what you've thought
they are. One thing, however: you *are* using SMB. SMB is not NetBIOS (a lot
of people tend to think that if they disable NetBIOS, they're disabling SMB,
and that's not the case); it is what is used to establish "name-based"
sessions between machines. Basically, nearly any TCP session between
Winboxen is also an SMB session.

So, at the very least, if you can set the SMB packet signing options to
"when possible" (or whatever it says; I'm thinking off the top of my head
and said head is achy right now), then your Windows machines can still
utilize SMB signing but your scanner/printer/copier can still work.
Alternatively, contact the vendor of the device to find out if the machine can
be configured to do SMB signing. Finally, no, it's not the end of the world
if you can't use SMB signing. It's just one of the options available to you
to harden your environment. With that said, the fact that you have shares on
your DCs would make me want to lean towards being more conservative and
utilizing SMB signing if at all possible.

My pennies,

Laura

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com] 
Sent: Tuesday, May 03, 2005 3:32 AM
To: focus-ms@securityfocus.com
Subject: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

Hi All,
We have had the arrival of a new scanner/printer/copier in the office.
It uses SMB to scan files to shared folders on our W2003
network. In order for it to work, however, I have had to do
the following:

1. From Administrative Tools open Domain Controller Security Policy
2. Smile
3. Select \Security Settings\Local Policies\Security Options folder.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), and then click Disabled to prevent secure channel signing from being required.
7. Click OK.

Before that, the scan would fail to be sent to the server in question.
What are the implications of this, given that we do not
ostensibly use SMB for anything else?
I've heard scare stories of SMB man in the middle attacks and 
was under the impression that this is what these specific 
security settings were pertaining to but am not sure.

There are other options for the scanning, i.e. ftp/email, but
neither would work as we cannot get approval for the cost of an ftp
server, nor can the email system take the file sizes that are
often required by the scans our users make.

I can see there will be advice against having shared user
folders etc. on DCs too, but the big boss wants more from less,
if you see what I mean.


Kind Regards
Murad Talukdar
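The two policies changed in the steps above, and the "when possible" middle ground the reply suggests, are backed by registry values under LanmanServer and Netlogon. The following is an added audit script, not code from either poster; it assumes a current Windows host with PowerShell (Server 2003 itself predates it), run in an elevated session, and reads only the documented backing values for those policies.

```powershell
# Added example: report the SMB-signing and secure-channel posture of this host
# so a relaxed "Disabled" setting like the one in the thread is visible at a glance.
# Assumes the documented backing values for the three policies below.

$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$nlg = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$checks = @(
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)'
       Path = $srv; Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Path = $srv; Name = 'EnableSecuritySignature'; Expected = 1 },
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)'
       Path = $nlg; Name = 'RequireSignOrSeal'; Expected = 1 }
)

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the value is absent (policy never set on this host).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).($Name)
}

function Get-SigningPosture {
    foreach ($c in $checks) {
        $v = Get-RegDword $c.Path $c.Name
        [pscustomobject]@{
            Policy = $c.Policy
            Value  = if ($null -eq $v) { '(not set)' } else { $v }
            Status = if ($v -eq $c.Expected) { 'hardened' }
                     elseif ($null -eq $v)   { 'default'  }
                     else                    { 'RELAXED'  }
        }
    }
}

function Get-SmbServerSigningMode {
    # Interpret the pair the thread is really about: "always" vs "when possible" vs off.
    $require = Get-RegDword $srv 'RequireSecuritySignature'
    $enable  = Get-RegDword $srv 'EnableSecuritySignature'
    if ($require -eq 1)    { return 'required: unsigned clients (e.g. the copier) are refused' }
    if ($enable -eq 1)     { return 'negotiated: signed with capable clients, unsigned otherwise' }
    return 'off: SMB signing never used by this server'
}

Get-SigningPosture | Format-Table -AutoSize
"SMB server signing mode: $(Get-SmbServerSigningMode)"
```

A server showing RequireSecuritySignature = 0 with EnableSecuritySignature = 1 is the "when possible" configuration from the reply: the DC keeps signing with every Windows client that supports it and only the device that cannot sign falls back to an unsigned session.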




