Have you collected a network trace to see what is actually occurring?

Thanks,
Brian Desmond
[email protected]

w – 312.625.1438 | c – 312.731.3132

From: [email protected] On Behalf Of Charles F Sullivan
Sent: Friday, July 11, 2014 1:27 PM
To: [email protected]
Subject: RE: [NTSysADM] SMB Signing Confusion

What I’m saying is that despite the fact that I am forcing it at the client 
end, I can still connect to servers that do not have it enabled at all.  In 
other words, these are the server settings:
MS network server: “Digitally sign communications (always)” and “Digitally sign 
communications (if client agrees)” both Disabled.

Unless I’m missing something, I should not be able to access those servers via 
SMB.

From: [email protected] On Behalf Of Ben Scott
Sent: Friday, July 11, 2014 12:43 PM
To: [email protected]
Subject: Re: [NTSysADM] SMB Signing Confusion


Server != client.

You need to enable the options to sign communications for both servers and 
clients.  You need to apply that to both servers and clients.  I think there is 
also an option to require signing you will want enabled (I don't have a 
reference convenient to me now).

-- Ben
On Jul 11, 2014 11:19 AM, "Charles F Sullivan" <[email protected]> wrote:
I am looking into forcing SMB signing per the CSO’s request.  Can anyone 
explain this behavior?

On a Windows 7 client, I set it to force SMB signing (MS network client: 
“Digitally sign communications (always)” and “Digitally sign communications (if 
server agrees)” both Enabled).  I did this in the Local Security Policy and I 
confirmed that there are *no* GPOs which would override this.

Despite this setting, I can access every Windows server that I have tried 
(Windows 2003, 2008 R2, 2012, 2012 R2).  All of the servers have the default 
setting of SMB signing disabled (MS network server: “Digitally sign 
communications (always)” and “Digitally sign communications (if client agrees)” 
both Disabled).  Again, I confirmed that there are *no* GPOs which would 
override this.

Does anyone have an explanation for this?  I can’t think of what I might be 
missing.

Thanks.
