UCF STIG Viewer Logo

The Windows SMB server must perform SMB packet signing when possible.


Overview

Finding ID Version Rule ID IA Controls Severity
V-1162 WN12-SO-000033 SV-52870r2_rule Medium
Description
The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will negotiate SMB packet signing as requested by the client.
STIG Date
Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide 2020-06-16

Details

Check Text ( C-47187r2_chk )
If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\

Value Name: EnableSecuritySignature

Value Type: REG_DWORD
Value: 1
Fix Text (F-45796r1_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Digitally sign communications (if client agrees)" to "Enabled".