Hi tdrob28,
I had replied earlier today, but for one reason or another my reply seems to be gone 😕 I'm gonna try again 🙂
With the settings you've mentioned we get this:
* pre-"SMB 2.0.2": enabled, but not required, which should be interpreted here as "use signing wherever possible".
* From SMB 2.0.2 onwards: enabled, but not required, which should be interpreted here as "use signing when at least 1 of both parties requires it".
("Enabled, but not required" is not MS terminology, these are just my wordings.)
For completeness these are all the possible combinations and their behavior:

| Pre-"SMB 2.0.2" on pre-“Windows Vista SP1/WS08” | Server - required | Server - enabled, but not required | Server - disabled |
|---|---|---|---|
| Client - required | J | J | - |
| Client - enabled, but not required | J | J | N |
| Client - disabled | - | N | N |

| Pre-"SMB 2.0.2" on "Windows Vista SP1/WS08"+ | Server - required | Server - enabled, but not required | Server - disabled |
|---|---|---|---|
| Client - required | J | J | J |
| Client - enabled, but not required | J | J | N |
| Client - disabled | J | N | N |

| From SMB 2.0.2 | Server - required | Server - not required |
|---|---|---|
| Client - required | J | J |
| Client - not required | J | N |

Meanings (GP -> tables above):
- “Always” = required
- “if agrees” = enabled
(You can notice how the definition of words may differ. E.g., "disabled" doesn't necessarily mean SMB signing cannot occur, although at first you would expect so intuitively... In the 1st table you can see this "disabled" always means "no signing", in the 2nd table you can notice how this interpretation has been changed.)
As you can deduce, with your settings you haven't disabled SMB signing for SMB 2+ in se, but in most environments no signing will occur. Let me elaborate on this one a bit. If a system which is susceptible to "your" settings talks over SMB 2+ to many systems which do have SMB signing required (Windows or non-Windows systems), then you still have a lot of SMB 2+ signing going on. If this is a rarity however (for example, because 500 systems have your settings and there are no or almost no other systems with SMB 2+ required in the rest of your environment), then in reality you won't notice SMB signing at all/a lot. But technically SMB 2+ signing is not disabled.
If you want SMB 2+ signing in every possible situation to actually happen, then you need to enable "Microsoft network client: Digitally sign communications (always)" and "Microsoft network server: Digitally sign communications (always)" for every Windows system out there. But this COULD come at a cost: failed SMB pre-2.0.2 connections, although only on non-Windows systems with SMB signing 100% disabled or Windows or non-Windows systems where SMB signing is not available at all (for Windows this means versions older than Windows NT 4.0 SP3 and Windows 98).
Regards,
Pedro
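
The SMB 2.0.2+ rule described in the reply above ("use signing when at least 1 of both parties requires it") can be checked on a host with the following added example, which is not part of Pedro's post. It assumes the `Get-SmbClientConfiguration` and `Get-SmbServerConfiguration` cmdlets are available (Windows 8 / Windows Server 2012 or later); the `Get-SigningOutcome` helper and the report column names are made up for this illustration.

```powershell
# Added example: report this host's SMB signing policy for both roles and
# what it means for SMB 2.0.2+ sessions, using the rule from the post above.

function Get-SigningOutcome {
    # Hypothetical helper. SMB 2.0.2+ rule from the post:
    # signing happens when at least one of both parties requires it.
    param([bool]$LocalRequired, [bool]$PeerRequired)
    if ($LocalRequired -or $PeerRequired) { 'signed' } else { 'NOT signed' }
}

$roles = @(
    [pscustomobject]@{ Role = 'Client'; Config = Get-SmbClientConfiguration },
    [pscustomobject]@{ Role = 'Server'; Config = Get-SmbServerConfiguration }
)

$report = foreach ($r in $roles) {
    $required = [bool]$r.Config.RequireSecuritySignature  # GP "always"    = required
    $enabled  = [bool]$r.Config.EnableSecuritySignature   # GP "if agrees" = enabled

    # Wording follows the post's tables; for SMB 2.0.2+ only "required" matters.
    $setting = if ($required)    { 'required' }
               elseif ($enabled) { 'enabled, but not required' }
               else              { 'disabled' }

    [pscustomobject]@{
        Role                      = $r.Role
        Setting                   = $setting
        'SMB2+, peer requires'    = Get-SigningOutcome $required $true
        'SMB2+, peer not require' = Get-SigningOutcome $required $false
    }
}

$report | Format-Table -AutoSize

# Flag the situation the post describes: signing is technically not disabled,
# but it only happens when the other side insists on it.
$unenforced = $report | Where-Object { $_.'SMB2+, peer not require' -eq 'NOT signed' }
foreach ($u in $unenforced) {
    Write-Warning ("{0} role does not require signing: SMB 2.0.2+ sessions with peers " +
                   "that also do not require it will be unsigned." -f $u.Role)
}
```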