Is it advisable to only enable SMB signing for domain controllers? We are considering disabling SMB signing for file and print servers. Would this action help to reduce the risk of attack?
You should enable SMB signing on all systems to truly secure all Windows communications on your network. In fact, if you don't enable it on all systems, you may experience problems on some clients. It's enabled on Server 2003 by default, but you must enable it manually on all other versions of Windows.
Perform the following steps to enable SMB signing:
Insert the REG_DWORD entries 'RequireSecuritySignature' and 'EnableSecuritySignature' with a value of 1 into these registry keys:
Windows NT4 clients: HKLM\SYSTEM\CurrentControlSet\Services\Rdr\Parameters
Windows XP/2000 clients: HKLM\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters
Windows NT4/2000/2003 servers: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
For Samba servers, set "server signing=mandatory" in the smb.conf file.
This was first published in December 2004
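One way to check a host against the registry steps above, as an added example that is not part of the original answer: the script reads both values under the workstation and server keys, reports any that are not 1, and exits non-zero if any are missing. The `-Fix` switch is a hypothetical parameter of this example and requires an elevated session; the NT4 `Rdr` key is left out because PowerShell does not run there.

```powershell
# Added example: audit (and optionally set) the SMB signing values on the local host.
param([switch]$Fix)   # hypothetical switch for this example; writes the values when present

$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$services = 'LanManWorkstation', 'LanManServer'          # client side, server side
$names    = 'RequireSecuritySignature', 'EnableSecuritySignature'

$results = foreach ($svc in $services) {
    $key = "$base\$svc\Parameters"
    $keyExists = Test-Path $key
    foreach ($name in $names) {
        # Read the current value; $null means the entry (or the key) is absent.
        $current = $null
        if ($keyExists) {
            $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($prop) { $current = $prop.$name }
        }

        # Optionally write the REG_DWORD value 1, as the steps above describe.
        if ($Fix -and $keyExists -and $current -ne 1) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
            $current = 1
        }

        $shown = '(not set)'
        if ($null -ne $current) { $shown = $current }

        New-Object PSObject -Property @{
            Service   = $svc
            Value     = $name
            Data      = $shown
            Compliant = ($current -eq 1)
        }
    }
}

$results | Select-Object Service, Value, Data, Compliant | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or inventory tool flag the host.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```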