Use SMB message signing and session security for NTLM

Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications." Click for the complete book excerpt series or purchase the book.

Download this free guide

Download: Buyer's Guide to Windows Server 2016 in 2017

You may be due for an upgrade! Check out our full Windows Server 2016 Buyer's Guide to see if a switch to the new server would be the best move for your organization.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Use SMB Message Signing and Session Security for NTLM

Server Message Block (SMB) is the protocol used for file sharing and other communications between Windows computers. It is the basis for NetBIOS communications. SMB signing guarantees the origination of the communication. It is enabled by default on Windows Server 2003 computers but must be configured on the other Windows OSs. Once configured, SMB signing is negotiated during the connection request and systems that cannot use SMB signing may not be able to communicate with those that can. Two different types of configuration can be configured. First, and most effective, is to configure both server and client to always require SMB signing. Alternatively, signing can be established by mutual agreement.

NTLM Session security allows encryption (confidentiality) and integrity to be configured.

Configure Message Signing Using Group Policy

To configure SMB message signing in Windows Server 2003, Windows XP, and Windows 2000, use the following Group Policy options:

• Microsoft Network client: Digitally sign communications (always)


• Microsoft Network client: Digitally sign communications (if server agrees)


• Microsoft Network server: Digitally sign communications (always)


• Microsoft Network server: Digitally sign communications (if client agrees)

Configure Message Signing Using Registry Entries

To configure client-side SMB message signing in Windows NT 4.0 post service pack 3, and in Windows 95/98 computers running the Directory Services client, add the REG_DWORD registry value RequireSecuritySignature or EnableSecuritySignature and set the value to 1. To disable SMB signing, set the value to 0. The value location is the registry path

HKEY_LOCAL_MACHINESYSTEM CurrentControlSetServices
LanmanWorkstationParametersRequireSecuritySignature

To configure server-side SMB message signing for Windows NT 4.0 post service pack 3, configure the value at the registry path

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServer
ParametersRequireSecuritySignature

Windows NT 4.0 must be restarted for the configuration to be enabled.

Configure NTLM Session Security

Two Group Policy Security Options control NTLM Session security settings:

• Network Security: Minimum session Security for NTLM SSP-based (including secure RPC) clients


• Network Security: Minimum session Security for NTLM SSP-based (including secure RPC) servers

For each, four options are available:

• Require message integrity


• Require message confidentiality


• Require NTLMv2 session security


• Require 128-bit encryption

Click for the next excerpt in this series: Use IPSec Policies.