This article describes Server Message Block (SMB) 2.x and 3.x signing, and how to determine whether SMB signing is required.
SMB signing (also known as security signatures) is a security mechanism in the SMB protocol. SMB signing means that every SMB message contains a signature that is generated by using the session key. The client puts a hash of the entire message into the signature field of the SMB header.
SMB signing first appeared in Microsoft Windows 2000, Microsoft Windows NT 4.0, and Microsoft Windows 98. Signing algorithms have evolved over time. SMB 2.02 signing was improved by the introduction of hash-based message authentication code (HMAC) SHA-256, replacing the old MD5 method from the late 1990s that was used in SMB1. SMB 3.0 added AES-CMAC algorithms. In Windows Server 2022 and Windows 11, we added AES-128-GMAC signing acceleration. If you want the best performance and protection combination, consider upgrading to the latest Windows versions.
If someone changes a message during transmission, the hash won't match, and SMB will know that someone tampered with the data. The signature also confirms the sender's and receiver's identities, which prevents relay attacks. Ideally, you are using Kerberos instead of NTLMv2 so that your session key starts strong. Don't connect to shares by using IP addresses and don't use CNAME records, or you will fall back to NTLM instead of Kerberos. See Using Computer Name Aliases in place of DNS CNAME Records for more information.
The policies for SMB signing are located in Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

- Microsoft network client: Digitally sign communications (always)
  Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
  Registry value: RequireSecuritySignature
- Microsoft network client: Digitally sign communications (if server agrees)
  Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
  Registry value: EnableSecuritySignature
- Microsoft network server: Digitally sign communications (always)
  Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
  Registry value: RequireSecuritySignature
- Microsoft network server: Digitally sign communications (if client agrees)
  Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
  Registry value: EnableSecuritySignature

Note: In these policies, "always" indicates that SMB signing is required, and "if server agrees" or "if client agrees" indicates that SMB signing is enabled.
The EnableSecuritySignature registry setting is ignored by the SMB2+ client and SMB2+ server; it has no effect unless you're using SMB1. For SMB 2.02 and later, signing is controlled solely by whether it is required (RequireSecuritySignature). Signing is used whenever either the server or the client requires it; only if both have RequireSecuritySignature set to 0 does signing not occur.
| - | Server – RequireSecuritySignature=1 | Server – RequireSecuritySignature=0 |
|---|---|---|
| Client – RequireSecuritySignature=1 | Signed | Signed |
| Client – RequireSecuritySignature=0 | Signed | Not signed |
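The following PowerShell script is an added example (not part of the Microsoft article) that applies the matrix above: it reads the local RequireSecuritySignature values from the LanManWorkstation and LanManServer registry keys, evaluates the negotiated outcome against a peer whose setting is a constructed value, and shows the Set-SmbClientConfiguration / Set-SmbServerConfiguration commands that make signing required. Treating an absent registry value as 0 is an assumption of this script; the effective built-in default depends on the Windows version.

```powershell
# Added example, not from the article or from Microsoft: report how SMB 2.x/3.x
# signing will be negotiated, based solely on RequireSecuritySignature, which
# is the only setting that matters for SMB2+.

function Get-SmbSigningOutcome {
    param(
        [Parameter(Mandatory)] [int] $ClientRequireSecuritySignature,
        [Parameter(Mandatory)] [int] $ServerRequireSecuritySignature
    )
    # Mirrors the article's matrix: signing happens if either side requires it.
    # EnableSecuritySignature is ignored for SMB2+ and is deliberately not consulted.
    if ($ClientRequireSecuritySignature -eq 1 -or $ServerRequireSecuritySignature -eq 1) {
        return 'Signed'
    }
    return 'Not signed'
}

function Get-LocalRequireSecuritySignature {
    param([Parameter(Mandatory)] [ValidateSet('Client', 'Server')] [string] $Role)
    # Registry locations from the article: the client role is LanManWorkstation,
    # the server role is LanManServer.
    $service = if ($Role -eq 'Client') { 'LanManWorkstation' } else { 'LanManServer' }
    $key = "HKLM:\System\CurrentControlSet\Services\$service\Parameters"
    $value = (Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    # Assumption: an absent value is reported as 0 (policy not configured). The
    # built-in default varies by Windows version, so cross-check with
    # Get-SmbClientConfiguration / Get-SmbServerConfiguration as well.
    if ($null -eq $value) { return 0 }
    return [int]$value
}

# Evaluate this host's client role against a remote server whose setting you know.
# $remoteServerRequire is a constructed value: the server does not require signing.
$localClient = Get-LocalRequireSecuritySignature -Role Client
$remoteServerRequire = 0
$outcome = Get-SmbSigningOutcome -ClientRequireSecuritySignature $localClient -ServerRequireSecuritySignature $remoteServerRequire
Write-Output "Client RequireSecuritySignature=$localClient, Server RequireSecuritySignature=$remoteServerRequire -> $outcome"

if ($outcome -ne 'Signed') {
    # Remediation: require signing on this host in both roles so the outcome is
    # 'Signed' regardless of the peer's configuration (needs an elevated prompt).
    Write-Output 'Signing is not guaranteed. To require it locally, run as administrator:'
    Write-Output '  Set-SmbClientConfiguration -RequireSecuritySignature $true -Force'
    Write-Output '  Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'
}
```

Run the script in the client role on each endpoint and in the server role on each file server; any host that reports "Not signed" against a peer with RequireSecuritySignature=0 is the one to remediate.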
Configure SMB Signing with Confidence
How to Defend Users from Interception Attacks via SMB Client Defense
SMB 2 and SMB 3 security in Windows 10: the anatomy of signing and cryptographic keys