Karl-WE ; ToddAlbers_Summit
Hello, like all Microsoft IT pros out here (and even more so as I have focused on system security for many years), I surely want to get rid of SMB1 whenever and wherever possible.
In fact, it's one of my top priorities during filer/print server/AD migrations.
Thing is, we are facing people (i.e. hardware manufacturers, developers) who are absolutely clueless about IT security.
First, because it is not in their culture. Something like Secure Development Lifecycle is sci-fi to them. Some don't even know it exists.
Second, because it will increase costs for them. By a lot. Especially if they need to rewrite 30-year-old apps.
Third, because they don't really need to care - when you sell thousands of dollars' worth of equipment to a customer, and this customer has no choice (because without said equipment, he just cannot work), why bother? He is gonna buy it anyway...
We are living in a world where specialized IT (i.e. industrial, medical, business lines, etc.) is making itself known to standard IT, after living by itself in the basement for dozens of years.
Thing is, standard IT has processes like ITIL, security guidance, ITSM, people knowledgeable about security and industrialization, etc.
Specialized IT starts with none of that. And that means staff and third-party hardware/software providers too.
About those registry keys - I'm OK with "secure by default" and "highest security whenever possible by default" mantras.
If unsupported (that's critical) registry keys exist to bypass it, so be it. I can live with that: I've got a very dirty workaround, but a workaround nonetheless - and it helps avoid blocking migration projects right away (whose main purpose is to improve things, including security). Also, I can tell my customer: "It's a very, very bad idea, Mr Customer; if we do that because you want it, then that's your responsibility".