Now in Windows Insiders, SMB signing is required by default in certain editions. 

Heya folks, Ned here again. Beginning in Windows 11 Insider Preview Build 25381 (Canary, zn_release) Enterprise editions, Windows 11 Insider Preview Build 25905 (Canary) Pro and Education editions, and Windows Server Preview Build 25931 signing is now required by default for all SMB outbound connections. Signing is not yet required by default on Windows 11 Insider Home editions. Furthermore, signing is required for all inbound SMB connections on all Windows 11 Insider editions. Signing is not yet required by default on Windows Server Insider Preview inbound connections (you can of course require it, like the last 25 years of Windows Server).  

This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them.

Important: if you have found a third-party vendor SMB product that does not support signing or does not enable SMB signing by default, please email wontsignsmb@microsoft.com with direct quote or documentation from the vendor of that product, including their website, knowledgebase, support forums, or other vendor channels. I am building a clearinghouse to help our customers get ahead of this before we ship the feature.

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

\n
• The beginning of the end of Remote Mailslots (March 2023)
\n
• SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
\n
• SMB authentication rate limiter now on by default in Windows Insider (September 2022)
\n
• SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
\n

You'll recall the Windows 10 and Windows Server 2019 campaigns against SMB1 and guest auth fallback. Before that, we introduced functionality like encryption and pre-authentication integrity. 

Security is a never-ending quest. 

Tabletop boardgame figures attack a huge red monster

SMB signing 

SMB signing ensures every message contains a signature generated using session key and cipher suite. The client puts a hash of the entire message into the signature field of the SMB header. If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks. Ideally, you are using Kerberos instead of NTLMv2 so that your session key starts strong; don't connect to shares with IP addresses and don't use CNAME records. Signing is a key defensive tactic. 

Signing algorithms have evolved over time; SMB 2.02 signing was improved with HMAC SHA-256, replacing the old MD5 method from the late 1990s and SMB1. SMB 3.0 added AES-CMAC. In Windows Server 2022 and Windows 11, we added AES-128-GMAC signing acceleration.

Controlling the new signing behavior

All versions of Windows and Windows Server support SMB signing (back to Windows NT!). But a third-party might disable or not support it. If you attempt to connect to a remote share on a third-party SMB server that does not allow SMB signing, you should receive one of the following error messages:

0xc000a000

-1073700864

STATUS_INVALID_SIGNATURE                                      

The cryptographic signature is invalid.

To resolve this issue, configure your third-party SMB server to support SMB signing. This is Microsoft's official recommended guidance. Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties. I can't speculate what errors a third-party SMB client will throw if it doesn't support signing and then connects to your Windows 11 client, but I'll update this post if someone reports one.

SMB signing will at least slightly reduce the performance of SMB copy operations. No, I cannot tell you how much; it depends entirely on the speed and number of your cores, as well as their utilization from all the other processes vying for their time. You'll need to evaluate against your workloads and decide if those with extremely high performance and latency requirements override the lack of security brought by unsigned traffic. This is no different than the past 30 years of SMB signing, it's just a change in defaults.

To see the current SMB signing settings, run the following PowerShell commands:

Get-SmbServerConfiguration | FL requiresecuritysignature

Get-SmbClientConfiguration | FL requiresecuritysignature

To disable the SMB signing requirement in client (outbound to other devices) connections, run the following PowerShell command as an elevated administrator:

Set-SmbClientConfiguration -RequireSecuritySignature $false

To disable the SMB signing requirement in server (inbound to your Windows 11 Canary Insider Enterprise, Pro, or Education edition device), run the following PowerShell command as an elevated administrator:

Set-SmbServerConfiguration -RequireSecuritySignature $false

With this new behavior, you can no longer examine the registry RequireSecuritySignature settings to know if Windows is requiring signing, because if they don't exist, Windows will still require signing. Any auditing tools that look at the registry could give false information. Use Get-SmbServerConfiguration and Get-SmbClientConfiguration or the CIM classes MSFT_SmbClientConfiguration and MSFT_SmbServerConfiguration and ensure any scripts or auditing tools use them (this has been the right approach for all SMB settings for a decade).

You don't need to reboot but existing SMB connections will still use signing until you close them or restart the device. If you disable the new default requirement for SMB signing with PowerShell or using Group Policy, it won't come back on automatically, it will just return to the legacy behaviors of Windows 11. 

Important: signing (and encryption) also disable guest access. If you need to use guest for some third-party device, you must disable the requirement for signing. Read more on this at SMB Signing and Guest Authentication - Microsoft Community Hub.

Final thoughts

Expect this default change for signing to come to Home edition as well as to Windows Server in their Insider programs. Depending on how things go, it will then start to appear in major releases. 

SMB encryption is far more secure than signing but environments still run legacy systems that don't support SMB 3.0 and later. If I could time travel to the 1990s, SMB signing would've always been on and we'd have introduced SMB encryption much sooner; sadly, I was both in high school and not in charge. We'll continue to push out more secure SMB defaults and many new SMB security options in the coming years; I know they can be painful for application compatibility and Windows has a legacy of ensuring ease of use, but security cannot be left to chance. 

To get the latest Canary Windows insider ISO, visit Download Windows Insider Preview ISO (microsoft.com)

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

\n
• SMB alternative ports (November 2023)
\n
• SMB Firewall changes in Windows insider (November 2023)
\n
• SMB over QUIC now available in Windows Server Insider Datacenter and Standard editions (November 2023)
\n
• SMB client encryption mandate now supported in Windows Insider (October 2023)
\n
• SMB over QUIC client access control now supported in Windows Insider (October 2023, updated Nov 2023)
\n
• SMB NTLM blocking (September 2023, updated Nov 2023)
\n
• SMB dialect management (September 2023)
\n
• SMB signing required by default in Windows Insider (June 2023)
\n
• The beginning of the end of Remote Mailslots (March 2023)
\n
• SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
\n
• SMB authentication rate limiter now on by default in Windows Insider (September 2022)
\n
• SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
\n

For more information on securing SMB on Windows in-market, check out:

\n
• SMB security enhancements | Microsoft Learn
\n
• Secure SMB Traffic in Windows Server | Microsoft Learn
\n
• Protect SMB traffic from interception | Microsoft Learn
\n

Until next time,

Ned \"I had Nevermind on cassette\" Pyle

Heya folks, Ned here again. Beginning in Windows 11 Insider Preview Build 25381 (Canary, zn_release) Enterprise editions, Windows 11 Insider Preview Build 25905 (Canary) Pro and Education editions, and Windows Server Preview Build 25931 signing is now required by default for all SMB outbound connections. Signing is not yet required by default on Windows 11 Insider Home editions. Furthermore, signing is required for all inbound SMB connections on all Windows 11 Insider editions. Signing is not yet required by default on Windows Server Insider Preview inbound connections (you can of course require it, like the last 25 years of Windows Server).  

This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them.

Important: if you have found a third-party vendor SMB product that does not support signing or does not enable SMB signing by default, please email wontsignsmb@microsoft.com with direct quote or documentation from the vendor of that product, including their website, knowledgebase, support forums, or other vendor channels. I am building a clearinghouse to help our customers get ahead of this before we ship the feature.

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

\n
• The beginning of the end of Remote Mailslots (March 2023)
\n
• SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
\n
• SMB authentication rate limiter now on by default in Windows Insider (September 2022)
\n
• SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
\n

You'll recall the Windows 10 and Windows Server 2019 campaigns against SMB1 and guest auth fallback. Before that, we introduced functionality like encryption and pre-authentication integrity. 

Security is a never-ending quest. 

Tabletop boardgame figures attack a huge red monster

SMB signing 

SMB signing ensures every message contains a signature generated using session key and cipher suite. The client puts a hash of the entire message into the signature field of the SMB header. If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks. Ideally, you are using Kerberos instead of NTLMv2 so that your session key starts strong; don't connect to shares with IP addresses and don't use CNAME records. Signing is a key defensive tactic. 

Signing algorithms have evolved over time; SMB 2.02 signing was improved with HMAC SHA-256, replacing the old MD5 method from the late 1990s and SMB1. SMB 3.0 added AES-CMAC. In Windows Server 2022 and Windows 11, we added AES-128-GMAC signing acceleration.

Controlling the new signing behavior

All versions of Windows and Windows Server support SMB signing (back to Windows NT!). But a third-party might disable or not support it. If you attempt to connect to a remote share on a third-party SMB server that does not allow SMB signing, you should receive one of the following error messages:

0xc000a000

-1073700864

STATUS_INVALID_SIGNATURE                                      

The cryptographic signature is invalid.

To resolve this issue, configure your third-party SMB server to support SMB signing. This is Microsoft's official recommended guidance. Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties. I can't speculate what errors a third-party SMB client will throw if it doesn't support signing and then connects to your Windows 11 client, but I'll update this post if someone reports one.

SMB signing will at least slightly reduce the performance of SMB copy operations. No, I cannot tell you how much; it depends entirely on the speed and number of your cores, as well as their utilization from all the other processes vying for their time. You'll need to evaluate against your workloads and decide if those with extremely high performance and latency requirements override the lack of security brought by unsigned traffic. This is no different than the past 30 years of SMB signing, it's just a change in defaults.

To see the current SMB signing settings, run the following PowerShell commands:

Get-SmbServerConfiguration | FL requiresecuritysignature

Get-SmbClientConfiguration | FL requiresecuritysignature

To disable the SMB signing requirement in client (outbound to other devices) connections, run the following PowerShell command as an elevated administrator:

Set-SmbClientConfiguration -RequireSecuritySignature $false

To disable the SMB signing requirement in server (inbound to your Windows 11 Canary Insider Enterprise, Pro, or Education edition device), run the following PowerShell command as an elevated administrator:

Set-SmbServerConfiguration -RequireSecuritySignature $false

With this new behavior, you can no longer examine the registry RequireSecuritySignature settings to know if Windows is requiring signing, because if they don't exist, Windows will still require signing. Any auditing tools that look at the registry could give false information. Use Get-SmbServerConfiguration and Get-SmbClientConfiguration or the CIM classes MSFT_SmbClientConfiguration and MSFT_SmbServerConfiguration and ensure any scripts or auditing tools use them (this has been the right approach for all SMB settings for a decade).

You don't need to reboot but existing SMB connections will still use signing until you close them or restart the device. If you disable the new default requirement for SMB signing with PowerShell or using Group Policy, it won't come back on automatically, it will just return to the legacy behaviors of Windows 11. 

Important: signing (and encryption) also disable guest access. If you need to use guest for some third-party device, you must disable the requirement for signing. Read more on this at SMB Signing and Guest Authentication - Microsoft Community Hub.

Final thoughts

Expect this default change for signing to come to Home edition as well as to Windows Server in their Insider programs. Depending on how things go, it will then start to appear in major releases. 

SMB encryption is far more secure than signing but environments still run legacy systems that don't support SMB 3.0 and later. If I could time travel to the 1990s, SMB signing would've always been on and we'd have introduced SMB encryption much sooner; sadly, I was both in high school and not in charge. We'll continue to push out more secure SMB defaults and many new SMB security options in the coming years; I know they can be painful for application compatibility and Windows has a legacy of ensuring ease of use, but security cannot be left to chance. 

To get the latest Canary Windows insider ISO, visit Download Windows Insider Preview ISO (microsoft.com)

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

\n
• SMB alternative ports (November 2023)
\n
• SMB Firewall changes in Windows insider (November 2023)
\n
• SMB over QUIC now available in Windows Server Insider Datacenter and Standard editions (November 2023)
\n
• SMB client encryption mandate now supported in Windows Insider (October 2023)
\n
• SMB over QUIC client access control now supported in Windows Insider (October 2023, updated Nov 2023)
\n
• SMB NTLM blocking (September 2023, updated Nov 2023)
\n
• SMB dialect management (September 2023)
\n
• SMB signing required by default in Windows Insider (June 2023)
\n
• The beginning of the end of Remote Mailslots (March 2023)
\n
• SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
\n
• SMB authentication rate limiter now on by default in Windows Insider (September 2022)
\n
• SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
\n

For more information on securing SMB on Windows in-market, check out:

\n
• SMB security enhancements | Microsoft Learn
\n
• Secure SMB Traffic in Windows Server | Microsoft Learn
\n
• Protect SMB traffic from interception | Microsoft Learn
\n

Until next time,

Ned \"I had Nevermind on cassette\" Pyle

Now in Windows Insiders, SMB signing is required by default in certain editions. 

email address removed for privacy reasons 

Awesome!!  This was the fix (turning off RequireSecuritySignature in the 24H2 client). 

I can now share files!!!  (been fighting this for days.)
I'm using Windows 11 Home 24H2 on my client computer.  The server is still 23H2.

None of the published remedies for broken file sharing helped at all.  

Thank you thank you thank you!!

          .. LSM

johncoast an excellent question. Pre-auth integrity only protects against downgrade attacks that would disable things like signing requirements. You will still want to use signing or encryption to stop tampering, stealing, etc of the actual SMB payloads. 

NedPyle Thank you for your articles, very useful! I'm trying to understand something : if a network only uses smb 3.1.1 would signing still be an important factor or would pre-authentication integrity guarantee no tampering, no mitm, no credential stealing? 

Secure by default is great!

RetPhoenix yes, signing (and encryption) always disable guest, see SMB Signing and Guest Authentication - Microsoft Community Hub. I will link to this in the signing article too, you shouldn't need to be psychic to find it :). If you turn off signing requirement using steps above, guest will work again.

Please find a player that doesn't require guest and put it on your xmas list! 😄

Is it possible that this new feature disables guest access? I have an external media player on the network that only supports guest access, and since the update I can no longer access this player. Is it possible to disable this security feature?

I use the Insider Preview Build 25905.

I have already enabled the group policy to allow guest access with \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters
AllowInsecureGuestAuth\" with the value 1

Came here to see how you'd incorporated the Descent 2nd Ed image into your article 🙂 

Thanks, this is great!

Thank you NedPyle for sharing this Awesome blogpost with the Community