Default configuration for the Workstation service and the Server service




Article ID: 887429 - Last Review: November 30, 2007 - Revision: 2.4

Overview of Server Message Block signing

INTRODUCTION

This article describes Server Message Block (SMB) signing. SMB signing is a security mechanism in the SMB protocol and is also known as security signatures. SMB signing is designed to help improve the security of the SMB protocol. SMB signing was first available in Microsoft Windows NT 4.0 Service Pack 3 (SP3) and Microsoft Windows 98.

The following SMB topics are described in this article:

- The default configuration of SMB signing.
- How to configure SMB signing in Microsoft Windows 2003, Microsoft Windows XP, Microsoft Windows 2000, Windows NT 4.0, and Windows 98.
- How to determine whether SMB signing is enabled in a Network Monitor trace.
- Example SMB signing scenarios.

MORE INFORMATION

Default configuration for the Workstation service and the Server service

SMB signing and security signatures can be configured for the Workstation service and for the Server service. The Workstation service is used for outgoing connections. The Server service is used for incoming connections.

When SMB signing is enabled, clients that support SMB signing can connect, and clients that do not support SMB signing can also connect. When SMB signing is required, both computers in the SMB connection must support SMB signing. The SMB connection is not successful if one computer does not support SMB signing.

By default, SMB signing is enabled for outgoing SMB sessions on the following operating systems:

- Windows 2003
- Windows XP
- Windows 2000
- Windows NT 4.0
- Windows 98

By default, SMB signing is enabled for incoming SMB sessions on the following operating systems:

- Windows 2003-based domain controllers
- Windows 2000-based domain controllers
- Windows NT 4.0-based domain controllers

By default, SMB signing is required for incoming SMB sessions on Windows 2003-based domain controllers.

Configuring SMB signing

We recommend that you use Group Policies to configure SMB signing because a local registry value change does not function correctly if there is an overriding domain policy. The following registry values are changed when the associated Group Policy is configured.

Policy locations for SMB signing

Note The following Group Policy settings are located in the "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options" Group Policy Object Editor path.

Windows 2003 - default domain controllers Group Policy

- Microsoft network client: Digitally sign communications (always)
  Policy Setting: not defined
- Microsoft network client: Digitally sign communications (if server agrees)
  Policy Setting: not defined
  Effective Setting: enabled (because of local policy)
- Microsoft network server: Digitally sign communications (always)
  Policy Setting: enabled
- Microsoft network server: Digitally sign communications (if client agrees)
  Policy Setting: enabled

Windows XP and 2003 - local computer Group Policy

- Microsoft network client: Digitally sign communications (always)
  Security Setting: disabled
- Microsoft network client: Digitally sign communications (if server agrees)
  Security Setting: enabled
- Microsoft network server: Digitally sign communications (always)
  Security Setting: disabled
- Microsoft network server: Digitally sign communications (if client agrees)
  Security Setting: disabled

Windows 2000 - default domain controllers Group Policy

- Digitally sign client communication (always)
  Computer Setting: not defined
- Digitally sign client communication (when possible)
  Computer Setting: not defined
- Digitally sign server communication (always)
  Computer Setting: not defined
- Digitally sign server communication (when possible)
  Computer Setting: enabled

Windows 2000 - local computer Group Policy

- Digitally sign client communication (always)
  Local Setting: Disabled
  Effective Setting: disabled
- Digitally sign client communication (when possible)
  Local Setting: Enabled
  Effective Setting: enabled
- Digitally sign server communication (always)
  Local Setting: Disabled
  Effective Setting: disabled
- Digitally sign server communication (when possible)
  Local Setting: Disabled
  Effective Setting: disabled

Registry values associated with Group Policy configuration for Windows 2003, Windows XP, and Windows 2000

Client

In Windows 2003 and Windows XP, the "Microsoft network client: Digitally sign communications (if server agrees)" Group Policy, and in Windows 2000, the "Digitally sign client communication (when possible)" Group Policy map to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters

Note The default value in Windows 2003, Windows XP, and Windows 2000 is 1 (enabled).

In Windows 2003 and Windows XP, the "Microsoft network client: Digitally sign communications (always)" Group Policy, and in Windows 2000, the "Digitally sign client communication (always)" Group Policy map to the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters

Note The default value in Windows 2003, Windows XP, and Windows 2000 is 0 (not required).

In Windows 2003 and Windows XP, the Group Policy named "Microsoft network client: Digitally sign communications (if client agrees)", and in Windows 2000, the Group Policy named "Digitally sign server communication (when possible)" map to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanMan\Parameters

Note The default value in Windows 2003 domain controllers and Windows 2000 domain controllers is 1 (enabled). The default value in Windows NT 4.0 domain controllers is 0 (disabled).

The Windows 2003 and Windows XP policy is named "Microsoft network server: Digitally sign communications (always)", the Windows 2000 policy is named "Digitally sign server communication (always)", and both map to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanMan\Parameters

Note The default value in Windows 2003 domain controllers and Windows 2000 domain controllers is 1 (required). The default value in Windows NT 4.0 domain controllers is 0 (not required).

For Windows NT 4.0-based computers to be able to connect to Windows 2000-based computers by using SMB signing, you must create the following registry value on the Windows 2000-based computers:

    Value Name: enablew9xsecuritysignature

Note There is no Group Policy associated with the EnableW9xsecuritysignature registry value.

Configuring SMB signing in Windows NT 4.0

Digitally sign client: (Notice that this is the RDR key - not LanmanWorkstation as in Windows 2000)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters

Note The default value is 1 (enabled) on computers that are running Windows NT 4.0 SP3 or later versions of Windows.

Note The default value is 0 (not required) on computers that are running Windows NT 4.0 SP3 or later versions of Windows.

"Digitally sign server" in the policy maps to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanMan\Parameters

Note The default value is 1 (enabled) on Windows 2003 domain controllers, Windows 2000 domain controllers, and Windows NT 4.0 domain controllers. The default value for all other computers that are running Windows NT 4.0 SP3 or later versions of Windows is 0 (disabled).

Note The default value is 1 (required) on Windows 2003 domain controllers. The default value for all other computers that are running Windows NT 4.0 SP3 or later versions of Windows is 0 (not required).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

161372 (http://support.microsoft.com/kb/161372/) How to Enable SMB signing in Windows NT

Configuring SMB signing in Windows 98

Add the following two registry values to this registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\VNetsup

Note The default value in Windows 98 is 1 (enable).

Note The default value in Windows 98 is 0 (disabled).

How to determine whether SMB signing is enabled in a network monitor trace

To determine whether SMB signing is enabled, required at the server, or both, view the Negotiate Dialect Response from the server:

    SMB: R negotiate, Dialect # = 5
    SMB: Command = R negotiate
    SMB: Security Mode Summary (NT) = [a value of 3, 7 or 15]
    SMB:...1 = User level security
    SMB:...1. = Encrypt passwords

In this Response the "Security Mode Summary (NT) =" field represents the configured options on the server. This value will be either 3, 7 or 15.

For additional information about how to use Network Monitor, click the following article number to view the article in the Microsoft Knowledge Base:

812953 (http://support.microsoft.com/kb/812953/) How to use Network Monitor to capture network traffic

The following information helps explain what the Negotiate Dialect Response numbers represent:

    UCHAR SecurityMode; Security mode:
      bit 0: 0 = share
      bit 0: 1 = user
      bit 1: 1 = encrypt passwords
      bit 2: 1 = Security Signatures (SMB sequence numbers) enabled
      bit 3: 1 = Security Signatures (SMB sequence numbers) required

If SMB signing is disabled at the server, the value is 3.

    "SMB: Security Mode Summary (NT) = 3 (0x3)"

If SMB signing is enabled and not required at the server, the value is 7.

    "SMB: Security Mode Summary (NT) = 7 (0x7)"

If SMB signing is enabled and required at the server, the value is 15.

    "SMB: Security Mode Summary (NT) = 15 (0xF)"

For additional information about CIFS, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa302188.aspx

SMB signing scenarios

The behavior of the SMB session after the Dialect Negotiation shows the client configuration.

If SMB signing is enabled and required at both the client and the server, or if SMB signing is disabled at both the client and the server, the connection is successful.

If SMB signing is enabled and required at the client and disabled at the server, the connection to the TCP session is gracefully closed after the Dialect Negotiation, and the client receives the following "1240 (ERROR_LOGIN_WKSTA_RESTRICTION)" error message:

    System error 1240 has occurred. The account is not authorized to log in from this station.

If SMB signing is disabled at the client and enabled and required at the server, the client receives the "STATUS_ACCESS_DENIED" error message when it receives a response to a Tree Connect or Transact2 for DFS referrals.

APPLIES TO

- Microsoft Windows 2003, Standard Edition (32-bit x86)
- Microsoft Windows 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows XP Professional
- Microsoft Windows XP Home Edition
- Microsoft Windows 2000
- Microsoft Windows 2000 Advanced
- Microsoft Windows NT 4.0 Standard Edition
- Microsoft Windows 98 Standard Edition
- Microsoft Windows 98 Second Edition

Keywords: kbwinservnetwork kbsecurityservices kbhowto kbinfo KB887429
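
The SecurityMode bits and the signing scenarios described above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it decodes the "Security Mode Summary (NT)" value, lists servers in a trace that do not require signing, and returns the client-side result for each client/server combination (generalized beyond the three cases the article names). The server names and the (server, line) pairing are constructed assumptions.

```python
import re
from typing import NamedTuple

# SecurityMode bits from the Negotiate Dialect Response, as listed in the article.
USER_LEVEL, ENCRYPT_PASSWORDS, SIGNING_ENABLED, SIGNING_REQUIRED = 0x01, 0x02, 0x04, 0x08

class SecurityMode(NamedTuple):
    user_level: bool
    encrypt_passwords: bool
    signing_enabled: bool
    signing_required: bool

    @property
    def signing(self) -> str:
        """Collapse the two signing bits into disabled / enabled / required."""
        if self.signing_required:
            return "required"
        return "enabled" if self.signing_enabled else "disabled"

def decode_security_mode(value: int) -> SecurityMode:
    bits = (USER_LEVEL, ENCRYPT_PASSWORDS, SIGNING_ENABLED, SIGNING_REQUIRED)
    return SecurityMode(*(bool(value & bit) for bit in bits))

SUMMARY_RE = re.compile(r"Security Mode Summary \(NT\) = (\d+)")

def servers_not_requiring_signing(records):
    """Return {server: signing state} for servers whose response lacks bit 3."""
    findings = {}
    for server, line in records:
        match = SUMMARY_RE.search(line)
        if match:
            mode = decode_security_mode(int(match.group(1)))
            if not mode.signing_required:
                findings[server] = mode.signing
    return findings

def client_outcome(client_signing: str, server: SecurityMode) -> str:
    """Result for a client configured as disabled / enabled / required."""
    if client_signing == "required" and server.signing == "disabled":
        return "ERROR_LOGIN_WKSTA_RESTRICTION (1240)"
    if client_signing == "disabled" and server.signing == "required":
        return "STATUS_ACCESS_DENIED"
    return "connected"

# Constructed sample: hypothetical server names paired with trace lines.
SAMPLE = [
    ("dc01", "SMB: Security Mode Summary (NT) = 15 (0xF)"),
    ("fs01", "SMB: Security Mode Summary (NT) = 7 (0x7)"),
    ("legacy01", "SMB: Security Mode Summary (NT) = 3 (0x3)"),
    ("fs01", "SMB: Command = R negotiate"),
]
```

Servers reported by servers_not_requiring_signing accept unsigned sessions; those are the ones to move to the "Digitally sign communications (always)" policy once every client that connects to them supports signing.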