MaxC0der88
1. What SMB version(s) do the Linux/Unix devices support - are any of them only using SMB1?
For your entire Windows Server and client environment, setting the following on your Servers OU will have no compatibility issues and will be the most secure, but will impart some level of performance hit.
Microsoft network server: Digitally sign communications (always) = Enabled
Setting the following on your Servers OU will also ensure that your servers, when acting as an SMB client to connect elsewhere, are also more secure but may also impact performance. And if they are connecting to UNIX/Linux machines that don't support SMB2 or later, it will have no effect. You can use the "if agrees" settings in those cases but it's very defeatable; the real answer is to ensure there is NO use of SMB1 anywhere in your environment and then the "if agrees" settings become totally irrelevant.
Microsoft network client: Digitally sign communications (always) = Enabled
2. I'm sure third parties will sell you something, and you can use Performance Monitor in Windows to do this. But really, it comes down to if security is the top priority or not. If it is, the performance hit of signing or encryption in any protocol doesn't matter because it's a secondary goal.
3. The benchmarks from someone else don't matter, which is why I don't publish them. The hardware, workload, and congestion are all different in every case. You have to benchmark your own environment, which is unlike any other in the world.
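
One way to check the effective state of the two signing policies above and to look for remaining SMB1 use on a given Windows machine, as an added example that is not part of the original post. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, and the function names are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Requires an elevated session; the Smb* cmdlets ship with Windows 8 / Server 2012 and later.

function Get-SmbSigningState {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        # Effective value of "Microsoft network server: Digitally sign communications (always)"
        ServerRequiresSigning = $srv.RequireSecuritySignature
        # Effective value of "Microsoft network client: Digitally sign communications (always)"
        ClientRequiresSigning = $cli.RequireSecuritySignature
        Smb1ServerEnabled     = $srv.EnableSMB1Protocol
        # Turn on with: Set-SmbServerConfiguration -AuditSmb1Access $true
        Smb1AuditEnabled      = $srv.AuditSmb1Access
    }
}

function Get-Smb1Peer {
    # Inbound: clients currently connected to this machine with an SMB1 dialect.
    Get-SmbSession | Where-Object { $_.Dialect -like '1.*' } | ForEach-Object {
        [pscustomobject]@{
            Direction = 'Inbound'
            Peer      = $_.ClientComputerName
            Dialect   = $_.Dialect
        }
    }
    # Outbound: servers (for example UNIX/Linux hosts) this machine reached over SMB1.
    Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' } | ForEach-Object {
        [pscustomobject]@{
            Direction = 'Outbound'
            Peer      = $_.ServerName
            Dialect   = $_.Dialect
        }
    }
}

function Get-Smb1AuditEvent {
    param([int]$MaxEvents = 50)
    # Event 3000 is logged for each SMB1 access attempt while AuditSmb1Access is enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-SmbSigningState
Get-Smb1Peer
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
Get-Smb1AuditEvent
```

Sessions and connections are point-in-time views, so leave SMB1 auditing enabled over a representative period before concluding that no SMB1 clients remain.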