No, but that’s what I plan to do next.
Thanks.

*From:* [email protected] [mailto:[email protected]] *On Behalf Of* Brian Desmond
*Sent:* Friday, July 11, 2014 3:18 PM
*To:* [email protected]
*Subject:* RE: [NTSysADM] SMB Signing Confusion

*Have you collected a network trace to see what is actually occurring?*

*Thanks,*
*Brian Desmond*
*[email protected] <[email protected]>*
*w – 312.625.1438 | c – 312.731.3132*

*From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* Charles F Sullivan
*Sent:* Friday, July 11, 2014 1:27 PM
*To:* [email protected]
*Subject:* RE: [NTSysADM] SMB Signing Confusion

What I’m saying is that despite the fact that I am forcing it at the client end, I *can* still connect to servers that do not have it enabled at all. In other words, these are the server settings: MS network server: “Digitally sign communications (always)” and “Digitally sign communications (if client agrees)” both *Disabled*. Unless I’m missing something, I should not be able to access those servers via SMB.

*From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ben Scott
*Sent:* Friday, July 11, 2014 12:43 PM
*To:* [email protected]
*Subject:* Re: [NTSysADM] SMB Signing Confusion

Server != client. You need to enable the options to sign communications for both servers and clients. You need to apply that to both servers and clients. I think there is also an option to require signing you will want enabled (I don't have a reference convenient to me now).

-- Ben

On Jul 11, 2014 11:19 AM, "Charles F Sullivan" <[email protected]> wrote:

I am looking into forcing SMB signing per the CSO’s request. Can anyone explain this behavior?

On a Windows 7 client, I set it to force SMB signing (MS network client: “Digitally sign communications (always)” and “Digitally sign communications (if server agrees)” both Enabled). I did this in the Local Security Policy and I confirmed that there are **no** GPOs which would override this.

Despite this setting, I can access every Windows server that I have tried (Windows 2003, 2008 R2, 2012, 2012 R2). All of the servers have the default setting of SMB signing disabled (MS network server: “Digitally sign communications (always)” and “Digitally sign communications (if client agrees)” both Disabled). Again, I confirmed that there are **no** GPOs which would override this.

Does anyone have an explanation for this? I can’t think of what I might be missing.

Thanks.

