SMB Signing Disabled
Server Message Block (SMB) signing digitally signs each SMB message with a key derived from the session's authentication, so the recipient can verify that the message came from the authenticated peer and was not altered in transit. Microsoft has a good write-up here.
On Windows workstations and member servers, SMB signing is supported but not required by default; domain controllers have required it for years, and only the most recent releases (Windows 11 24H2 and Windows Server 2025) require it everywhere. This default is a security risk because an adversary who can coax a client into authenticating to a host they control can relay that authentication, live, to another server that does not require signing: the ‘SMB Relay Attack’. Signing does not stop the capture; what it does is bind the session to a key derived from the genuine client's credentials, which the relaying attacker does not have, so a server that requires signing rejects the relayed session. The chain is shown below.
Leveraging the previously blogged vulnerability ‘Disabling NetBIOS over TCP/IP and LLMNR‘, Responder poisons the victim's LLMNR/NBT-NS name lookups so that it authenticates to the attacker's host, and ntlmrelayx.py (Impacket) relays that Net-NTLM challenge/response to the target server. Nothing is cracked: the authentication is forwarded as-is, so the attack works regardless of password strength, but only against servers that do not require signing.
Are You Vulnerable?
If you’re reading this, it has probably been identified during a penetration test or a vulnerability scan. You can confirm the finding yourself with nmap; the default script set (-sC) includes smb2-security-mode, which reports whether signing is enabled and whether it is required:
nmap -sSVC -p 445 <IP ADDRESS HERE>
Which should produce results similar to the screenshot below. The line to look for is “Message signing enabled but not required”; a host reporting “Message signing enabled and required” is not a usable relay target. (The smb-security-mode script gives the same answer for SMB1.)
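For anyone who wants to see what the nmap script is actually reading rather than trusting the one-liner, the following is an added example (my code, not part of the original post): it sends a single SMB2 NEGOTIATE request over TCP/445 and decodes the SecurityMode field of the reply, where bit 0x1 means signing is enabled (supported) and bit 0x2 means it is required. A constructed reply is included so the decoder can be exercised without a target; the 192.0.2.10 address in the live-check comment is a placeholder.

```powershell
# Added example (not code from the original post): the check that nmap's
# smb2-security-mode script performs, done by hand. One SMB2 NEGOTIATE request
# is sent over TCP/445 and the SecurityMode field of the reply is decoded:
# bit 0x1 = signing enabled (supported), bit 0x2 = signing required.
# "Enabled but not required" is the state the finding describes.

function ConvertTo-LE16([uint16]$Value) { [BitConverter]::GetBytes($Value) }

function New-Smb2NegotiateRequest {
    $dialects = [uint16[]](0x0202, 0x0210, 0x0300, 0x0302)   # SMB 2.0.2, 2.1, 3.0, 3.0.2

    # 64-byte SMB2 header; every field not set here is legitimately zero for NEGOTIATE
    $header = New-Object byte[] 64
    [Array]::Copy([byte[]](0xFE, 0x53, 0x4D, 0x42), $header, 4)  # ProtocolId "\xFESMB"
    $header[4]  = 64                                              # StructureSize
    $header[14] = 1                                               # CreditRequest

    # NEGOTIATE request body (MS-SMB2 section 2.2.3)
    $body = New-Object System.Collections.Generic.List[byte]
    $body.AddRange([byte[]](ConvertTo-LE16 36))                   # StructureSize, always 36
    $body.AddRange([byte[]](ConvertTo-LE16 $dialects.Count))      # DialectCount
    $body.AddRange([byte[]](ConvertTo-LE16 1))                    # SecurityMode: we support signing
    $body.AddRange([byte[]](0, 0))                                # Reserved
    $body.AddRange([byte[]](0, 0, 0, 0))                          # Capabilities
    $body.AddRange([Guid]::NewGuid().ToByteArray())               # ClientGuid
    $body.AddRange([byte[]](0, 0, 0, 0, 0, 0, 0, 0))              # ClientStartTime (unused below 3.1.1)
    foreach ($d in $dialects) { $body.AddRange([byte[]](ConvertTo-LE16 $d)) }

    $smb = [byte[]]($header + $body.ToArray())
    # Direct-hosted SMB on 445 prefixes each message with a 4-byte NetBIOS session
    # header: 0x00 followed by the 24-bit big-endian length.
    $len = $smb.Length
    $nb  = [byte[]](0, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF))
    [byte[]]($nb + $smb)
}

function Read-Smb2SecurityMode([byte[]]$Reply) {
    # Raw TCP payload of the reply: 4-byte NetBIOS header, 64-byte SMB2 header,
    # then the NEGOTIATE response, whose SecurityMode field sits at offset 2
    # (absolute offset 70).
    if ($Reply.Length -lt 72 -or $Reply[4] -ne 0xFE) {
        throw 'Not an SMB2 NEGOTIATE response (SMB1-only server, or the port is not SMB)'
    }
    $mode = [BitConverter]::ToUInt16($Reply, 70)
    [pscustomobject]@{
        SigningEnabled  = [bool]($mode -band 0x1)
        SigningRequired = [bool]($mode -band 0x2)
        RelayTarget     = -not [bool]($mode -band 0x2)   # relayable unless signing is required
    }
}

function Test-Smb2Signing([string]$ComputerName, [int]$Port = 445) {
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($ComputerName, $Port)
    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000
    $request = New-Smb2NegotiateRequest
    $stream.Write($request, 0, $request.Length)
    $buffer = New-Object byte[] 4096
    $read = $stream.Read($buffer, 0, $buffer.Length)   # the reply fits in one segment in practice
    $client.Close()
    if ($read -le 0) { throw "$ComputerName closed the connection without a NEGOTIATE response" }
    Read-Smb2SecurityMode -Reply $buffer[0..($read - 1)]
}

# Constructed reply (not a capture): NetBIOS header, SMB2 ProtocolId, a NEGOTIATE
# response with StructureSize 65 and SecurityMode 0x0001, i.e. signing enabled but
# not required, which is what a default member server or workstation reports.
$sample = New-Object byte[] 72
[Array]::Copy([byte[]](0xFE, 0x53, 0x4D, 0x42), 0, $sample, 4, 4)
$sample[68] = 65
$sample[70] = 0x01
Read-Smb2SecurityMode -Reply $sample

# Live check against a host you are authorised to test (address is a placeholder):
# Test-Smb2Signing -ComputerName 192.0.2.10
```

Run against the constructed reply, the decoder reports signing enabled, not required, and therefore a relay target; run Test-Smb2Signing against a domain controller and you should see SigningRequired come back True. Only dialects up to 3.0.2 are offered because SMB 3.1.1 adds negotiate contexts to the request, which would roughly double the packet builder for no gain here: the SecurityMode bits are in the same place in either case.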
Enabling SMB Signing
Edit the domain Group Policy that applies to the affected hosts and set the following under the path below. Remember that servers are the relay targets, so it is the “Microsoft network server” entries that close this finding; the client-side entries protect your clients when they talk to someone else's server.
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Microsoft network server: Digitally sign communications (always): Enabled
- Microsoft network server: Digitally sign communications (if client agrees): Enabled
- Microsoft network client: Digitally sign communications (always): Enabled
- Microsoft network client: Digitally sign communications (if server agrees): Enabled
The two “(always)” settings are the ones that actually enforce signing; the “(if … agrees)” settings only advertise support, and are normally already enabled, which is exactly the “enabled but not required” state the scanner flags.
Whilst you’re at it
- Microsoft network client: Send unencrypted password to third-party SMB servers (disabled)
- Microsoft network server: Server SPN target name validation level (Accept if provided by client)
- Network Security: LAN Manager authentication level (Send NTLMv2 response only. Refuse LM & NTLM)
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers (Audit all). Review the resulting events before moving to Deny all, as the deny setting will break any remaining NTLM-only dependency.
Finally, push the Group Policy changes out to the affected hosts by refreshing policy from cmd or PowerShell, then re-run the nmap check against a pilot host to confirm that it now reports signing as required.
**Please remember to test these changes in a dev environment before pushing live.** Requiring signing is a hard fail for any client that cannot sign, and the NTLM restrictions above can break older appliances and third-party SMB stacks.
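To try the change on a test box before touching the domain GPO, here is an added example (my code, not from the original post) that applies the per-host equivalents of the settings above: the SMB signing entries via the Set-Smb*Configuration cmdlets, and the “whilst you're at it” entries via the registry values those policies map to. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where those cmdlets exist; on a domain-joined host the GPO values overwrite these at the next policy refresh, which is the intended end state.

```powershell
# Added example (not code from the original post): per-host equivalents of the
# Group Policy settings above, for observing the effect on a test box before
# rolling the change out by GPO. Run elevated. On a domain-joined host the GPO
# values overwrite these at the next policy refresh; the GPO is the real fix.

function Get-SmbSigningState {
    # Mirrors what the nmap smb2-security-mode script would report for this host.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerSigningEnabled  = $srv.EnableSecuritySignature    # "(if client agrees)"
        ServerSigningRequired = $srv.RequireSecuritySignature   # "(always)"
        ClientSigningEnabled  = $cli.EnableSecuritySignature    # "(if server agrees)"
        ClientSigningRequired = $cli.RequireSecuritySignature   # "(always)"
        RelayTarget           = -not $srv.RequireSecuritySignature
    }
}

'Before:'; Get-SmbSigningState | Format-List

# 1. Digitally sign communications (always) and (if client/server agrees) = Enabled.
#    -Force suppresses the confirmation prompt; new sessions pick the setting up immediately,
#    existing sessions keep whatever they negotiated until they reconnect.
Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force

# 2. The "whilst you're at it" settings, written to the registry values the policies map to.
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srvp = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Microsoft network client: Send unencrypted password to third-party SMB servers = Disabled
Set-ItemProperty -Path $wks  -Name EnablePlainTextPassword     -Value 0 -Type DWord
# Microsoft network server: Server SPN target name validation level = 1 (Accept if provided by client)
Set-ItemProperty -Path $srvp -Name SmbServerNameHardeningLevel -Value 1 -Type DWord
# Network security: LAN Manager authentication level = 5 (Send NTLMv2 response only. Refuse LM & NTLM)
Set-ItemProperty -Path $lsa  -Name LmCompatibilityLevel        -Value 5 -Type DWord
# Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = 1 (Audit all; 2 = Deny all)
if (-not (Test-Path $msv)) { New-Item -Path $msv | Out-Null }
Set-ItemProperty -Path $msv  -Name RestrictSendingNTLMTraffic  -Value 1 -Type DWord

'After:'; Get-SmbSigningState | Format-List

# 3. Once the same settings are in the domain GPO, refresh policy on a pilot host and
#    check again there. Audit events from the Restrict NTLM setting land in the
#    Microsoft-Windows-NTLM/Operational log (event ID 8001 for outgoing NTLM).
gpupdate /force
'After policy refresh:'; Get-SmbSigningState | Format-List
```

The before/after output makes the point of the finding visible on the host itself: a default member server starts with ServerSigningEnabled True and ServerSigningRequired False (RelayTarget True), and only the RequireSecuritySignature change flips RelayTarget to False. Pair it with the nmap check from another machine, since the scanner's view is what an attacker sees.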