SMB Signing Disabled (Windows)

Nessus Output


Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.


Enforce message signing in the host’s configuration. On Windows, this is found in the policy setting ‘Microsoft network server: Digitally sign communications (always)’. On Samba, the setting is called ‘server signing’. See the ‘see also’ links for further details.

See Also

Fix for Windows

Configure the Group Policy ‘Microsoft network server: Digitally sign communications (always)’ to ‘Enabled’.


Or run the following command to set the registry value:

REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /f /v "requiresecuritysignature" /t REG_DWORD /d 0x1

Or via PowerShell:

Set-SmbServerConfiguration -RequireSecuritySignature $true -Force


You can verify the setting via PowerShell:

Get-SmbServerConfiguration | select RequireSecuritySignature
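
An added example, not part of the original page: a PowerShell function that runs the verification above on one or more hosts, reads both the cmdlet value and the registry value that the commands above set, and optionally applies the fix. The function name Test-SmbServerSigning and the host names FS01 and FS02 are hypothetical; remote checks assume PowerShell remoting is enabled and the session is elevated.

```powershell
# Added example: audit (and optionally fix) the SMB server signing requirement.
# Test-SmbServerSigning and the host names in the usage line are hypothetical.
function Test-SmbServerSigning {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Remediate
    )

    $fix = [bool]$Remediate
    $check = {
        param([bool]$Fix)
        $key = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters'

        if ($Fix) {
            # Same change as the Set-SmbServerConfiguration command on this page.
            Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        }

        # Read the setting two ways: the cmdlet view and the raw registry value.
        $cmdlet = (Get-SmbServerConfiguration).RequireSecuritySignature
        $reg = (Get-ItemProperty -Path $key -Name RequireSecuritySignature `
                    -ErrorAction SilentlyContinue).RequireSecuritySignature

        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            CmdletValue   = $cmdlet
            RegistryValue = $reg   # $null means the value is absent
            Compliant     = ($cmdlet -eq $true) -and ($reg -eq 1)
            Error         = $null
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                & $check $fix
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock $check `
                    -ArgumentList $fix -ErrorAction Stop
            }
        } catch {
            # Unreachable or failing hosts are reported, not silently skipped.
            [pscustomobject]@{ ComputerName = $name; CmdletValue = $null
                RegistryValue = $null; Compliant = $false; Error = $_.Exception.Message }
        }
    }
}

Test-SmbServerSigning   # local machine; add -ComputerName 'FS01','FS02' -Remediate to fix remotely
```

Piping the result to `Where-Object { -not $_.Compliant }` lists only the hosts that still need the fix.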