That's not necessarily true... some of the brand spanking new
printers/copiers scanners do indeed not support his.
Soluk, Kirk wrote:
If you disable the SMB signing requirement it means that all your SMB
based DC to member communications will be subject to MITM attacks. The
primary concern here is your group policy download. In short, the SMB
signing requirement provides the assurance that your group policies do
not get tampered with in transit. Similarly, disabling the secure
channel encryption\signing requirement means that you have no guarantees
on all your DC to DC secure channel data (although sensitive information
within the secure channel session (e.g. password derived data) will
always be encrypted.
It makes absolutely no sense to me how an app could be forcing this
issue unless it's really old or running on a SAMBA machine. Is that the
case?
I would push back hard on this. You do not want to take this step
backward. You have to be running some pretty old or insecure stuff to
have to disable these settings - SMB signing was introduced in NT4
Service Pack 3!
Kirk Soluk
University of Michigan
Information Technology Security Services
-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: Tuesday, May 03, 2005 3:32 AM
To: focus-ms@securityfocus.com
Subject: To disable SMB packet and secure channel signing enforcement on
Windows Server 2003-based domain controllers
Hi All,
We have had arrival of new scanner/printer/copier in office. It uses SMB
to scan files to shared folders on our W2003 network. In order for it to
work however, I have had to do the following;
1. From Administrative Tools open Domain Controller Security Policy 2.
Smile 3. Select \Security Settings\Local Policies\Security Options
folder. 4. In the details pane, double-click Microsoft network server:
Digitally sign communications (always), and then click Disabled to
prevent SMB packet signing from being required. 5. Click OK. 6. In the
details pane, double-click Domain member: Digitally encrypt or sign
secure channel data (always), and then click Disabled to prevent secure
channel signing from being required. 7. Click OK.
Before that, the scan would fail to be sent to the server in question.
What are the implications of this--given that we do not ostensibly use
SMB for anything else.
I've heard scare stories of SMB man in the middle attacks and was under
the impression that this is what these specific security settings were
pertaining to but am not sure.
There are other options for the scanning ie ftp/email but neither would
work as we cannot get approval for cost of ftp server nor can the email
system take the file sizes that are often req'd by scans our users make.
I can see there will be advice against having shared user folders etc on
DC's too but the big boss wants more from less if you see what I mean.
Kind Regards
Murad Talukdar
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------
--
Dear Mr. Aitel:
http://msmvps.com/bradley/archive/2005/04/13/42009.aspx
---------------------------------------------------------------------------
---------------------------------------------------------------------------
