SMB Signing not required vulnerability

Question

This regarding below fixes where I need difference between the two fixes and clarifications:

As per the below article, Once I updated Microsoft network server: Digitally sign communications (always). value as Enabled the vulnerability is not seen in my report.

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always#default-values

But I have performed and executed the below steps and PowerShell commands. Later vulnerability is not seen.

https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

1. Remove the smb 1.0/cifs file sharing support from Roles & Features.
2. Disable the SMB protocals:
   SMB1- Set-SmbServerConfiguration –EnableSMB1Protocol $false
   SMB2- Set-SmbServerConfiguration –EnableSMB2Protocol $false
3. Check the status of the SMB protocols
   Get-SmbServerConfiguration
   or
   Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
4. To update the registry key of the SMB protocols:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 –Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 –Force

I wanted to know the differences between the two procedures, will I apply both the procedure to fix the vulnerability? Because the second procedure which I use is completely disabling the SMB from the server.

Answer 1

Hello,

Thank you so much for posting here.

Microsoft network server: Digitally sign communications (always)
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always#default-values

Microsoft network client: Digitally sign communications (always)
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always

The two articles describe the best practices, location, values, policy management and security considerations for the Microsoft network server(client): Digitally sign communications (always) security policy setting for SMBv3 and SMBv2.

As per my understanding, the above two articles main talk about enable these settings, that is to say, to enable SMBv3 and SMBv2. So the client-side SMB component or server-side SMB componet requires packet signing.

As for this article How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows, it describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components, using Windows PowerShell or Registry Editor.

We recommend that you do not disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

As mentioned, they are doing the same thing. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, SMBv1 is not installed by default.

For more information, we could refer to: https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

All these three approaches, GPO, PowerShell and Registry do the same thing. So you don't need to do all three, just pick the one you prefer. GPO is always preferred over PowerShell and direct Registry access.