So what is SMB Signing all about?

Many SBS systems have SMB signing disabled, in order to resolve various problems, most notably slow file copying from a workstation to the server. You can read how to disable SMB signing at the M&M site here: http://www.smallbizserver.net/Default.aspx?tabid=139


Jeff Middleton recently posted the following excellent summary of SMB signing in the SBS2003 public newsgroup, and why it should not be considered a security risk:


I don’t think anyone is looking for an argument about this, but if someone is, just be prepared to debate both me and Mariette telling you that the sane thing to do in 99.99% of all SBS deployment scenarios is to disable all SMB Signing in the Default Domain Policy and the Default Domain Controller Policy.

There is no problem with Disabling SMB Signing entirely.

SMB Signing is not a required protocol function. It’s an authentication process which means that network packets are authenticated individually in addition to using application and protocol authentication for every transaction stream.

The analogy that I use is that we don’t require co-workers in a small business to wear badges, we don’t use locks on doors in the middle of hallways to secure room to room, we don’t post an armed guard in the lobby next to the receptionist. You probably don’t lock your office when you walk to the copy machine or take your coffee cup with you for fear of being poisoned while it’s unattended. These are all things that someone can say “hey, but if you don’t you are at risk of… whatever.” Even if you are a business that does all of those things, SMB Signing is still not necessarily improving upon a measurable risk when you compare its value to the cost of causing networking problems. Not just file access issues like what Mariette cited, I’m talking about silliness that just makes things not work right.

The relationship most people running SBS have with SMB Signing is that it causes them headaches, and isn’t preventing a plausible security breach. If you had to pay for SMB Signing, you wouldn’t.

You don’t lose functionality for having it disabled. You remove a level of complexity that isn’t related to functionality.
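As an added example that is not part of the original post or of Jeff’s newsgroup message, this PowerShell script reports the SMB signing values that the “Digitally sign communications” security options write to the registry, so you can confirm on a given machine what the Default Domain Policy and Default Domain Controller Policy actually left in effect. It assumes a local administrator session on a Windows host and uses only PowerShell 2.0 syntax; the registry paths and value names are the documented LanmanServer/LanmanWorkstation ones.

```powershell
# Added example, not code from the original post or from any product it mentions.
# Reads the SMB signing values behind the "Microsoft network server/client:
# Digitally sign communications" policy settings from the local registry.
# Assumes a local administrator session on a Windows host (PowerShell 2.0 syntax).

$smbRoles = @(
    @{ Role = 'Microsoft network server (LanmanServer)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' },
    @{ Role = 'Microsoft network client (LanmanWorkstation)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, so callers can tell "not set" from 0.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-SmbSigningState {
    param([string]$Role, [string]$Path)
    $require = Get-RegistryDword -Path $Path -Name 'RequireSecuritySignature'
    $enable  = Get-RegistryDword -Path $Path -Name 'EnableSecuritySignature'

    # RequireSecuritySignature=1 is the "(always)" policy setting;
    # EnableSecuritySignature=1 is the "(if client/server agrees)" setting.
    # Values that are absent fall back to the OS default for that role.
    $state = 'Disabled: both values present and 0'
    if ($require -eq 1) { $state = 'Required: unsigned sessions are refused' }
    elseif ($enable -eq 1) { $state = 'Negotiated: signed only if the peer agrees' }
    elseif ($require -eq $null -and $enable -eq $null) { $state = 'Not set: OS default applies' }

    $requireText = 'not set'; if ($require -ne $null) { $requireText = $require }
    $enableText  = 'not set'; if ($enable  -ne $null) { $enableText  = $enable }

    New-Object PSObject -Property @{
        Role = $Role; Require = $requireText; Enable = $enableText; State = $state
    }
}

$report = foreach ($r in $smbRoles) { Get-SmbSigningState -Role $r.Role -Path $r.Path }
$report | Format-Table Role, Require, Enable, State -AutoSize
```

Run it on the server and on a workstation after a policy refresh; both roles showing 0/0 is the fully disabled state the post describes, while a 1 in either Require column means signing is still being enforced by one side.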

10 thoughts on “So what is SMB Signing all about?”

  1. I leave it on and have no issues with speed. So only shut it off for older third-party devices and don’t knee-jerk shut it off because ‘oh the network is slow’. Check NIC speeds and other issues first.

    If it’s on…leave it on.

    If you need it off…turn it off.

    Just don’t screw it up getting it there.

    We may be small networks but I still think there is value in leaving on security features and functions when there is no need to turn them off just because you think it speeds up the network. Since XP sp2, this issue is no longer a valid statement.

  2. Slow database access to a server stored MDB file from the client’s VB.NET program drove us to removing SMB Signing. The performance improvement was dramatic! I’m with Jeff on this one. Turn it off to speed up your internal network.

  3. SMB Signing impacts various performance optimization products that can perform cifs and tcp proxies in the middle of a client and server connection.

    So, not only is there a client/server performance problem, but a tcp/cifs proxy problem. These proxies basically sit in the middle of the client and server and will handshake with a client separately and a server separately so that data throughput can increase over a slower link. Larger window sizes can be negotiated, cifs read aheads and write behinds for a session can be performed thus mitigating the need to keep sending the same repeating data over the link, and cifs file copies will fly by much quicker.

    When a connection is signed though, these proxies cannot detect the hash value since it’s encrypted, and then the session does not work.

    The only option is to disable it.

  4. If you want to use any of the WAN optimizing products like Cisco WAAS / Riverbed Steelhead, then you lose a significant amount of improvement that could have happened by CIFS proxies as well as DRE (data redundancy elimination).

    hth

  5. Packeteer is a packet shaping product that is entirely different to WAAS and Steelhead. I do know that Packeteer, while it’s not affected by SMB signing, does suffer from a reduced ability to optimise application flows because of it.

  6. Packeteer offers, besides PacketShaper, iShared appliances as well as iShaper appliances. Since they are all Windows R2-based proxies, they support SMB signing and are therefore by far the fastest WAN optimizers.
