SMB Signing not required vulnerability in the context of Azure Virtual Desktop

Question

Greetings community,

Working on a vulnerability SMB Signing not required.

The only file share I have is the profile container.
Fulll disclosure, its the first time I have run into this one.

While doing my research what I found is this for the hosts:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
Set EnableSecuritySignature to 1.

Will this affect my profile redirection? Is there a better way?

Thanks in advance.

Answer 1

Hello @EDWARD REYESARROYO

Thank you for reaching out to the Microsoft Q&A platform.
Regarding your question, enabling SMB signing by setting the EnableSecuritySignature registry value to 1 on the hosts should not affect profile redirection

Please take a look at the following paragraph extracted from The Basics of SMB Signing (covering both SMB1 and SMB2)

If you decide that you must change the SMB signing settings, the recommendation is to use the “Digitally sign communications (always)” Group Policy setting. If you cannot do it via Group Policy, you could use the “RequireSecuritySignature” registry setting.

IMPORTANT: We no longer recommend using “Digitally sign communications (if client agrees)” or “Digitally sign communications (if server agrees)” Group Policy settings. We also no longer recommend using the “EnableSecuritySignature” registry settings. These options, which only affect the SMB1 behavior, can be effectively replaced by the “Digitally sign communications (always)” Group Policy setting or the “RequireSecuritySignature” registry setting.

Refer to https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing

If I have answered your query, please click "Accept as answer" as a token of appreciation