So what is SMB Signing all about?

Many SBS systems have SMB signing disabled, in order to resolve various problems, most notably slow file copying from a workstation to the server. You can read how to disable SMB signing at the M&M site here: http://www.smallbizserver.net/Default.aspx?tabid=139


Jeff Middleton recently posted the following excellent summary of SMB signing in the SBS2003  public newsgroup, and why it should not be considered a security risk:


I don’t think anyone is looking for an argument about this, but if someone is, just be prepared to debate both me and Mariette telling you that the sane thing to do in 99.99% of all SBS deployment scenarios is to disable all SMB Signing in the Default Domain Policy and the Default Domain Controller Policy.

There is no problem with Disabling SMB Signing entirely.

SMB Signing is not a required protocol function. It’s an authentication process which means that network packets are authenticated individually in addition to using application and protocol authentication for every transaction stream.

The analogy that I use is that we don’t require co-workers in a small business to wear badges, we don’t use locks on doors in the middle of hallways to secure room to room, we don’t post an armed guard in the lobby next to the receptionist. You probably don’t lock your office when you walk to the copy machine or take your coffee cup with you for fear of being poisoned while it’s unattended. These are all things that someone can say “hey, but if you don’t you are at risk of….whatever.” Even if you are a business that does all of those things, SMB Signing is still not necessarily improving upon a measurable risk when you compare it’s value to cost causing networking problems. Not just file access issues like what Mariette cited, I’m talking about silliness that just makes things not work right.

The relationship most people running SBS have with SMB Signing is that it causes them headaches, and isn’t preventing a plausible security breach. If you had to pay for SMB Signing, you wouldn’t.

You don’t lose functionality for having it disabled. You remove a level of complexity that isn’t related to functionality.