Use SMB message signing and session security for NTLM

Get a glimpse inside Roberta Bragg's book "Hardening Windows Systems" with this series of book excerpts. Below is the introductory excerpt from Chapter 11, "Harden Communications." Click for the complete book excerpt series or purchase the book.

Use SMB Message Signing and Session Security for NTLM

Server Message Block (SMB) is the protocol used for file sharing and other communications between Windows computers. It is the basis for NetBIOS communications. SMB signing guarantees the origination of the communication. It is enabled by default on Windows Server 2003 computers but must be configured on the other Windows OSs. Once configured, SMB signing is negotiated during the connection request and systems that cannot use SMB signing may not be able to communicate with those that can. Two different types of configuration can be configured. First, and most effective, is to configure both server and client to always require SMB signing. Alternatively, signing can be established by mutual agreement.

NTLM Session security allows encryption (confidentiality) and integrity to be configured.

Configure Message Signing Using Group Policy

To configure SMB message signing in Windows Server 2003, Windows XP, and Windows 2000, use the following Group Policy options:

• Microsoft Network client: Digitally sign communications (always)


• Microsoft Network client: Digitally sign communications (if server agrees)


• Microsoft Network server: Digitally sign communications (always)


• Microsoft Network server: Digitally sign communications (if client agrees)

Configure Message Signing Using Registry Entries

To configure client-side SMB message signing in Windows NT 4.0 post service pack 3, and in Windows 95/98 computers running the Directory Services client, add the REG_DWORD registry value RequireSecuritySignature or EnableSecuritySignature and set the value to 1. To disable SMB signing, set the value to 0. The value location is the registry path

HKEY_LOCAL_MACHINESYSTEM CurrentControlSetServices
LanmanWorkstationParametersRequireSecuritySignature

To configure server-side SMB message signing for Windows NT 4.0 post service pack 3, configure the value at the registry path

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServer
ParametersRequireSecuritySignature

Windows NT 4.0 must be restarted for the configuration to be enabled.

Configure NTLM Session Security

Two Group Policy Security Options control NTLM Session security settings:

• Network Security: Minimum session Security for NTLM SSP-based (including secure RPC) clients


• Network Security: Minimum session Security for NTLM SSP-based (including secure RPC) servers

For each, four options are available:

• Require message integrity


• Require message confidentiality


• Require NTLMv2 session security


• Require 128-bit encryption

Click for the next excerpt in this series: Use IPSec Policies.