How to manually enable SMB signing

Is it advisable to only enable SMB signing for domain controllers? We are considering disabling SMB signing for file and print servers. Would this action help to reduce the risk of attack?

You should enable SMB signing on all systems to truly secure all Windows communications on your network. In fact, if you don't enable it on all systems, you may experience problems on some clients. It's enabled on Server 2003 by default, but you must enable it manually on all other versions of Windows.

Perform the following steps to enable SMB signing:

Inset the REG_WORD entries 'RequireSecuritySignature' and 'EnableSecuritySignature' with a value of 1 to these registry keys:

Windows NT4 clients: HKLM/SYSTEM/CurrentControlSet/Services/Rdr/Parameters

Windows XP/2000 clients: HKLM/SYSTEM/CurrentControlSet/Services/LanManWorkstation/Parameters

Windows NT4/2000/2003 servers: HKLM/SYSTEM/CurrentControlSet/Services/LanManServer/Parameters

For Samba servers, set "server signing=mandatory" in the smb.conf file.

This was first published in December 2004

Dig Deeper on Network intrusion detection and prevention and malware removal



Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: