First, let me say this. This message is directed at Microsoft. It is not directed at the many "warrior" admins out there who are doing the best that they can, with what they have available to them. They are doing all they can with the limited resources they have.
I just feel that SMBv1 has been deprecated for so long that it is time to sound the alarm and demand that MS push forward on it. Yet, to this day, I still find it on Windows Server 2012 R2 machines and Windows 10 workstations, and those four settings are often still set to the defaults, which means that those machines are all still very vulnerable. And SMBv1 has been deprecated and known as a security weakness for so very, very long that anything that "requires" it obviously is very, very old and should be replaced.
How many admins do you suppose removed SMBv1 and went to SMBv2 or SMBv3 and then set those two "if agrees" settings to enabled on all their machines (servers and workstations)? It seems to make sense, right? If everything is set to "if agrees" then everything "will agree" with each other and SMB signing will be implemented everywhere, but it won't be "forced" just in case there is some critical rogue machine that requires SMBv1 hiding somewhere. Right? No! Wrong! "If agrees" applies to SMBv1 only. So, those admins are enabling those two settings and accomplishing nothing regarding SMB signing while "thinking" they are making their networks more secure by "enabling" (but not enforcing) SMB signing everywhere on their network.
The only thing worse than "having a security weakness and knowing that it is a current security weakness" is "having a security weakness and believing that it's no longer a security weakness." That's a bad situation. That is why I think MS needs to push further in disallowing SMBv1 and then getting rid of those two "if agrees" settings (that only apply to SMBv1). This can confuse admins and cause their security to remain weak while they think (and are reporting to management) that it has been fixed and strengthened.
I know this could cause problems for some ancient hardware or software (and the "warrior" admins responsible for them) that can implement SMBv1 and cannot implement SMBv2+. But, if that is the case, that hardware or software is simply ancient. No offense meant. It simply is: ancient. And if it is that ancient, then SMB is probably the least of your concerns regarding the security of that hardware or software. That hardware or software should probably be replaced for more reasons than just SMB and SMB signing issues at this point.
Force SMBv1 and those two "if agrees" settings out. Those who feel any pain from doing this are actually being done a favor by being forced to improve security against this serious attack vector and probably many others on their ancient equipment or software.
I just hope someone at Microsoft sees messages like this and gives them some real consideration. Help your own customers secure their systems correctly and don't leave them thinking that they "locked and secured that door" when they did nothing of the sort.
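The post's point, that only the "always" settings (RequireSecuritySignature) enforce signing for SMBv2/v3 and the two "if agrees" settings (EnableSecuritySignature) are consulted only by SMBv1, can be checked on a host with the SmbShare cmdlets. The script below is an added example, not code from the original post; it assumes the four Group Policy settings map to the EnableSecuritySignature and RequireSecuritySignature values of Get-SmbServerConfiguration / Get-SmbClientConfiguration (which is how Windows stores them), a Windows 8.1 / Server 2012 R2 or newer host, and an elevated PowerShell session. The remediation function is what the post argues for and is only called if you uncomment it.

```powershell
# Added example: audit SMB1 state plus the four SMB signing settings on the
# local host and report what is actually enforced. Not from the original post.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2 or later.

function Get-SmbSigningPosture {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration

    # Whether the SMB1 binaries are still installed (DISM feature). On Server
    # you can also check with Get-WindowsFeature FS-SMB1.
    $smb1Feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                        -ErrorAction SilentlyContinue).State

    [pscustomobject]@{
        ComputerName                   = $env:COMPUTERNAME
        SMB1ServerEnabled              = $srv.EnableSMB1Protocol
        SMB1FeatureState               = $smb1Feature
        # "Digitally sign communications (always)" -> RequireSecuritySignature.
        # This is the only setting that enforces signing for SMB2/SMB3.
        ServerSigningRequired          = $srv.RequireSecuritySignature
        ClientSigningRequired          = $cli.RequireSecuritySignature
        # "Digitally sign communications (if client/server agrees)" ->
        # EnableSecuritySignature. Only SMB1 consults these; SMB2+ always
        # offers signing during negotiation regardless of this value.
        ServerSigningIfAgrees_SMB1Only = $srv.EnableSecuritySignature
        ClientSigningIfAgrees_SMB1Only = $cli.EnableSecuritySignature
    }
}

function Test-SmbSigningEnforced {
    param([Parameter(Mandatory)] $Posture)
    $findings = @()

    if ($Posture.SMB1ServerEnabled) {
        $findings += 'SMB1 server protocol is still enabled.'
    }
    if (-not $Posture.ServerSigningRequired) {
        $findings += 'Server: signing is NOT required; inbound SMB can be relayed or tampered with.'
    }
    if (-not $Posture.ClientSigningRequired) {
        $findings += 'Client: signing is NOT required; this host can be coerced into an unsigned session.'
    }
    # The trap described in the post: SMB1 off, "always" off, "if agrees" on.
    if (-not $Posture.SMB1ServerEnabled -and -not $Posture.ServerSigningRequired -and
        $Posture.ServerSigningIfAgrees_SMB1Only) {
        $findings += 'Server: "if client agrees" is set but SMB1 is off, so it enforces nothing for SMB2/3.'
    }
    if (-not $Posture.ClientSigningRequired -and $Posture.ClientSigningIfAgrees_SMB1Only) {
        $findings += 'Client: "if server agrees" is set but does not enforce signing for SMB2/3.'
    }
    return $findings
}

function Get-SmbLiveSigningState {
    # Shows the dialect of current outbound connections; the Signed column is
    # present on newer builds and confirms whether each session is actually signed.
    Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed
}

function Set-SmbSigningEnforced {
    # Remediation the post calls for: drop SMB1 and require signing both ways.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # Remove the SMB1 binaries as well (a reboot may be needed to finish).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$posture  = Get-SmbSigningPosture
$posture | Format-List
$findings = Test-SmbSigningEnforced -Posture $posture
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'SMB signing is required on client and server, and SMB1 is disabled.' }
Get-SmbLiveSigningState
# Uncomment to apply the remediation:
# Set-SmbSigningEnforced
```

Run the audit across a fleet with Invoke-Command and collect the findings; the case to look for is the one the post describes, where RequireSecuritySignature is false on both sides while EnableSecuritySignature is true, which reports as "enabled" in a compliance scan yet enforces nothing once SMB1 is gone.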