Go to Advice start page

SMB Protection Requires Careful Setup

Server Message Blocks, or SMBs, are the life blood of Windows Networking. On high security networks, you can create secure channels between the server and client, to ensure security of SMBs. You can provide authentication (digital signing) and / or encryption (digital encryption) of SMBs, similar in nature to WPA, as used in WiFi security.

However, just as WiFi connectivity being prevented by improper setup of WPA, necessary use of Windows Networking can be prevented by by improper setup of SMB protection. Both SMB Encryption and Signing must be setup consistently on your network. If any of your clients don't support either protection, it's best that you don't require it on your servers.

When you try to connect a Windows client computer to a server, you may see:

The account is not authorized to log in from this station.
If a server requires SMB encryption or signing, all workstations must provide it, if they are going to connect to that server. SMB Signing has been supported since Windows 98 and NT V4.0. Non-Windows operating systems, such as Apple and Linux / Unix, may or may not support SMB Signing. Be consistent in your LAN, however you choose to set it up.

For computers in a workgroup, you configure SMB Encryption and Signing using the Local Security Policy editor. For computers in a domain, the Local Security Policy editor is available, but settings may be overridden by Group Policy.

You will have settings for both the server (incoming SMBs) and the workstation (outgoing SMBs), and settings for encryption (to prevent snooping) and signing (to prevent spoofing). You'll find settings under Local Policies - Security Options. Domain member, Microsoft network client, and Microsoft network server Policy Categories all contain relevant settings.

Note both server and workstation services, and thus these settings, apply to most Windows computers. And note the difference between Enabling SMB Signing (where both computers that enable SMB Signing, and those that don't, will be able to connect to each other) and Requiring SMB Signing (where only computers that enable SMB Signing will be able to connect to each other).

For more detail, see:
▲ Top