SMB Signing not required vulnerability

Fahrid F 186 Reputation points
2020-10-01T06:15:26.28+00:00

This is regarding the below fixes, where I need the difference between the two fixes and some clarifications:

As per the below article, once I updated the Microsoft network server: Digitally sign communications (always) value to Enabled, the vulnerability is not seen in my report.

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always#default-values

But I have also performed and executed the below steps and PowerShell commands. Afterwards, the vulnerability is not seen either.

https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

  1. Remove the SMB 1.0/CIFS File Sharing Support feature from Roles & Features.
  2. Disable the SMB protocols:
    SMB1- Set-SmbServerConfiguration -EnableSMB1Protocol $false
    SMB2- Set-SmbServerConfiguration -EnableSMB2Protocol $false
  3. Check the status of the SMB protocols:
    Get-SmbServerConfiguration
    or
    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
  4. To update the registry keys of the SMB protocols:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

I wanted to know the differences between the two procedures. Should I apply both procedures to fix the vulnerability? Because the second procedure, which I used, is completely disabling SMB on the server.
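As an added example (not from the original post or from Microsoft's documentation), the PowerShell below makes the difference between the two procedures visible: it reads the live SMB server configuration and the registry value behind the "Digitally sign communications (always)" policy, then classifies what a scanner would see. The function names and the -Enforce switch are hypothetical; the cmdlets, parameters and registry path are the standard Windows ones.

```powershell
# Added example: compare "require SMB signing" (what the GPO does) with
# "disable the SMB protocols" (what steps 2 and 4 above do). Run in an
# elevated PowerShell on the server; read-only unless -Enforce is given.
[CmdletBinding()]
param([switch]$Enforce)

# Registry key behind the "Microsoft network server" signing policy.
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbSigningState {
    # Live server configuration, i.e. what SMB is doing right now.
    $cfg = Get-SmbServerConfiguration
    # The value the GPO "Digitally sign communications (always)" writes.
    $reg = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SMB1Enabled         = $cfg.EnableSMB1Protocol
        SMB2Enabled         = $cfg.EnableSMB2Protocol        # SMB2 and SMB3 share this switch
        SigningRequired     = $cfg.RequireSecuritySignature  # the setting the scanner checks
        RegRequireSignature = $reg.RequireSecuritySignature  # 1 when the GPO is Enabled
    }
}

function Test-SmbSigningFinding {
    param([Parameter(Mandatory)]$State)
    # A scanner reports "SMB Signing not required" when an SMB listener
    # answers and does not insist on signing. Disabling SMB2 removes the
    # finding only because nothing answers any more, not because the
    # remaining traffic is protected.
    if (-not $State.SMB1Enabled -and -not $State.SMB2Enabled) {
        return 'No SMB listener: finding gone, but file sharing is gone too'
    }
    if ($State.SigningRequired) {
        return 'Signing required: finding fixed, SMB2/SMB3 still available'
    }
    return 'SMB reachable and signing optional: finding will be reported'
}

$before = Get-SmbSigningState
Write-Host ('Before: ' + (Test-SmbSigningFinding $before))

if ($Enforce) {
    # Same effect as setting the GPO to Enabled; keeps SMB2/SMB3 working.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    # Matching requirement for connections this host makes as a client.
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Host ('After:  ' + (Test-SmbSigningFinding (Get-SmbSigningState)))
}
```

Running it without -Enforce on a host where only step 2 of the question was applied shows the first message: the finding disappears because the listener is off, which is a different outcome from requiring signatures.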


Accepted answer
  1. Hannah Xiong 6,221 Reputation points
    2020-10-02T06:18:11.713+00:00

    Hello,

    Thank you so much for posting here.

    Microsoft network server: Digitally sign communications (always)
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always#default-values

    Microsoft network client: Digitally sign communications (always)
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always

    The two articles describe the best practices, location, values, policy management and security considerations for the Microsoft network server(client): Digitally sign communications (always) security policy setting for SMBv3 and SMBv2.

    As per my understanding, the above two articles mainly talk about enabling these settings, that is to say, enabling them for SMBv3 and SMBv2. So the client-side SMB component or server-side SMB component requires packet signing.

    As for the article "How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows", it describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components, using Windows PowerShell or Registry Editor.

    We recommend that you do not disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

    As mentioned, they are doing the same thing. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, SMBv1 is not installed by default.

    For more information, we could refer to: https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


1 additional answer

  1. Vadims Podāns 8,856 Reputation points MVP
    2020-10-01T06:47:24.917+00:00

    All these three approaches, GPO, PowerShell and Registry do the same thing. So you don't need to do all three, just pick the one you prefer. GPO is always preferred over PowerShell and direct Registry access.