S 4.334 SMB message signing and Samba

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Version 3 of Samba supports message signing in the Server Message Block (SMB) protocol. When SMB message signing is used, a signature is added to every packet, so the client knows that the packet comes from the right server and the server knows that the packet comes from the right client. Without SMB message signing, the SMB protocol is susceptible to man-in-the-middle attacks. Microsoft supports SMB message signing in Microsoft Windows NT 4.0 Service Pack 3 (SP3) and higher and in Microsoft Windows 98.

The "client signing" configuration parameter is set to "auto" by default, while the "server signing" parameter is set to "disabled" by default. These default settings in smb.conf largely match the settings of the Microsoft operating systems (as stated in Microsoft Knowledge Base article 887429). The following differences must be taken into consideration, though:

Microsoft only activates SMB message signing by default on domain controllers, because SMB message signing significantly reduces the performance of the host. When transmitting small quantities of data, the performance loss is generally negligible. However, if large amounts of data are transmitted, the performance may be reduced by up to 50% in some situations.

It is recommended to follow the specifications provided by Microsoft as long as they do not contradict the existing security policies for the information system. If Samba is used as a domain controller, "server signing = yes" should be specified in the configuration file smb.conf. However, if Samba is used exclusively as a file server, the default setting should be left unchanged.
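As an added check (not part of the safeguard text or of Samba itself), the following Python script parses the [global] section of an smb.conf, determines whether the host is configured as a domain controller, and flags a domain controller that does not enforce "server signing". The sample smb.conf is constructed, and the role detection via "domain logons" (Samba 3) or "server role" (Samba 4) and the treatment of "yes" as a synonym of "mandatory" are assumptions.

```python
# Constructed sample smb.conf for a Samba 3 domain controller that relies
# on Samba's default "server signing = disabled" (not from any real system).
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    domain logons = yes
    client signing = auto
    ; server signing is not set, so the default (disabled) applies

[homes]
    browseable = no
"""

# Values that make Samba require a signature on every packet.  Assumption:
# "yes" is treated as a synonym of "mandatory", as the Samba manual describes.
ENFORCED = {"yes", "true", "mandatory"}


def parse_global(text):
    """Return the [global] section as a dict with lowercased keys and values."""
    section, glob = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment styles
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            glob[key.strip().lower()] = value.strip().lower()
    return glob


def is_domain_controller(glob):
    """Samba 3 marks a PDC/BDC with 'domain logons = yes'; Samba 4 uses 'server role'."""
    if glob.get("domain logons") in ("yes", "true"):
        return True
    return "domain controller" in glob.get("server role", "")


def check_server_signing(text):
    """Return a finding, or None when the setting follows S 4.334."""
    glob = parse_global(text)
    value = glob.get("server signing", "disabled")   # Samba's documented default
    if is_domain_controller(glob) and value not in ENFORCED:
        return "domain controller without 'server signing = yes' (found: %s)" % value
    return None   # pure file server: leave the default, as the safeguard recommends


if __name__ == "__main__":
    print(check_server_signing(SAMPLE_SMB_CONF))
```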

Review questions: