Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications."
Use SMB Message Signing and Session Security for NTLM
Server Message Block (SMB) is the protocol used for file sharing and other communications between Windows computers, and it is the basis for NetBIOS communications. SMB signing guarantees the origin of each message: a signed packet can be tied to the peer that sent it, so a third party cannot silently insert or alter traffic in the session. Signing is enabled by default on Windows Server 2003 computers but must be configured on the other Windows operating systems. Once configured, SMB signing is negotiated during the connection request, and systems that cannot use SMB signing may not be able to communicate with those that do. Two configurations are possible. The first, and most effective, is to configure both server and client to always require SMB signing. Alternatively, signing can be established by mutual agreement, in which case it is used only when both sides support it.
NTLM session security lets you require encryption (confidentiality) and integrity protection for NTLM-authenticated sessions.
Configure Message Signing Using Group Policy
To configure SMB message signing in Windows Server 2003, Windows XP, and Windows 2000, use the following Group Policy options:
- Microsoft Network client: Digitally sign communications (always)
- Microsoft Network client: Digitally sign communications (if server agrees)
- Microsoft Network server: Digitally sign communications (always)
- Microsoft Network server: Digitally sign communications (if client agrees)
Configure Message Signing Using Registry Entries
To configure client-side SMB message signing on Windows NT 4.0 with Service Pack 3 or later, and on Windows 95/98 computers running the Directory Services client, add the REG_DWORD registry value RequireSecuritySignature (to always require signing) or EnableSecuritySignature (to sign when the server agrees) and set the value to 1. To disable SMB signing, set the value to 0. The value is located at the registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
To configure server-side SMB message signing for Windows NT 4.0 with Service Pack 3 or later, configure the value at the registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature
Windows NT 4.0 must be restarted for the configuration to be enabled.
Configure NTLM Session Security
Two Group Policy Security Options control NTLM Session security settings:
- Network security: Minimum session security for NTLM SSP-based (including secure RPC) clients
- Network security: Minimum session security for NTLM SSP-based (including secure RPC) servers
For each, four options are available:
- Require message integrity
- Require message confidentiality
- Require NTLMv2 session security
- Require 128-bit encryption
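The following PowerShell audit is an added example, not code from the book or from Microsoft: it reads the SMB signing values named above from the LanmanWorkstation and LanmanServer keys and decodes the four NTLM session security options into their registry bit flags. It assumes the NtlmMinClientSec and NtlmMinServerSec values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 as the documented backing store for the two Group Policy settings (the excerpt itself does not name them), and it is meant to be run in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the book): audit SMB signing and NTLM session
# security on the local machine by reading the registry values behind the
# Group Policy settings discussed in this excerpt.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: setting not configured
    return [int]$item.$Name
}

function Get-SmbSigningState {
    # RequireSecuritySignature=1 corresponds to "Digitally sign communications (always)";
    # EnableSecuritySignature=1 corresponds to "...(if server/client agrees)".
    param([string]$Path, [string]$Role)
    $require = Get-RegDword $Path 'RequireSecuritySignature'
    $enable  = Get-RegDword $Path 'EnableSecuritySignature'
    [pscustomobject]@{
        Role     = $Role
        Required = ($require -eq 1)
        Enabled  = ($enable -eq 1) -or ($require -eq 1)
    }
}

# Bit flags in NtlmMinClientSec/NtlmMinServerSec (assumed from Microsoft's
# documentation of the policy, not from the excerpt), one per listed option.
$NtlmFlags = [ordered]@{
    'Require message integrity'       = 0x00000010
    'Require message confidentiality' = 0x00000020
    'Require NTLMv2 session security' = 0x00080000
    'Require 128-bit encryption'      = 0x20000000
}

function Get-NtlmMinSecurity {
    param([string]$Name, [string]$Role)
    $value = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' $Name
    if ($null -eq $value) { $value = 0 }   # unset means no minimum is enforced
    $set = foreach ($opt in $NtlmFlags.Keys) {
        if ($value -band $NtlmFlags[$opt]) { $opt }
    }
    [pscustomobject]@{ Role = $Role; Raw = ('0x{0:X8}' -f $value); Required = @($set) }
}

Get-SmbSigningState 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'SMB client'
Get-SmbSigningState 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB server'
Get-NtlmMinSecurity 'NtlmMinClientSec' 'NTLM client'
Get-NtlmMinSecurity 'NtlmMinServerSec' 'NTLM server'
```

A host hardened as the excerpt recommends reports Required = True for both SMB roles and lists all four options under Required for both NTLM roles; an empty Required list means the policy is not enforcing any minimum.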
The next excerpt in this series is "Use IPSec Policies."
This was first published in March 2005