SMB Signing Disabled (Windows)

Nessus Output

Description

Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.

Solution

Enforce message signing in the host’s configuration. On Windows, this is found in the policy setting ‘Microsoft network server: Digitally sign communications (always)’. On Samba, the setting is called ‘server signing’. See the ‘see also’ links for further details.

See Also

https://support.microsoft.com/en-us/kb/887429

http://technet.microsoft.com/en-us/library/cc731957.aspx

http://www.nessus.org/u?74b80723

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

http://www.nessus.org/u?a3cac4ea

Fix for Windows

Configure the Group Policy setting ‘Microsoft network server: Digitally sign communications (always)’ to ‘Enabled’.


Or run the following command to change the registry key:

REG ADD "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /f /v "requiresecuritysignature" /t REG_DWORD /d 0x1

Or via PowerShell:

Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

Verify

You can verify the setting via PowerShell:

Get-SmbServerConfiguration | select RequireSecuritySignature
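The fix and verify steps above cover one host at a time. The following is an added example (not from the original post) that audits the SMB server signing requirement across several hosts, checking both the live server configuration and the registry value the REG ADD command writes, and optionally enforces it. It assumes WinRM is reachable on each host and that you hold local administrator rights there; the host names in the usage lines are constructed placeholders.

```powershell
# Added example, not part of the original post. Audits (and optionally enforces)
# the SMB *server* signing requirement this Nessus finding is about.
# Assumes: WinRM reachable on each host, local admin rights on the target.
function Test-SmbServerSigning {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [switch]$Remediate
    )

    $regPath = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters'

    # Runs on the target: read the live server setting (what SMB2/3 actually
    # negotiates) and the registry value the REG ADD command on this page writes.
    # The two should agree; a mismatch usually means a pending reboot or GPO drift.
    $audit = {
        param($regPath)
        $cfg = Get-SmbServerConfiguration
        $reg = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).RequireSecuritySignature
        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            RequireSignature = $cfg.RequireSecuritySignature
            RegistryValue    = $reg
            Compliant        = ($cfg.RequireSecuritySignature -and $reg -eq 1)
        }
    }

    foreach ($computer in $ComputerName) {
        $state = Invoke-Command -ComputerName $computer -ScriptBlock $audit -ArgumentList $regPath

        if (-not $state.Compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess($computer, 'Require SMB server signing')) {
            # Same change as the PowerShell fix above; new sessions must then be signed.
            Invoke-Command -ComputerName $computer -ScriptBlock {
                Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
            }
            # Re-read so the caller sees the post-change state, not the cached one.
            $state = Invoke-Command -ComputerName $computer -ScriptBlock $audit -ArgumentList $regPath
        }

        $state
    }
}

# Usage (FILESRV01/FILESRV02 are placeholder host names):
# Test-SmbServerSigning -ComputerName 'FILESRV01','FILESRV02' | Format-Table
# Test-SmbServerSigning -ComputerName 'FILESRV01' -Remediate -WhatIf   # dry run first
# Test-SmbServerSigning -ComputerName 'FILESRV01' -Remediate
```

Run the audit without -Remediate first and feed the non-compliant hosts back in; -WhatIf shows which hosts would be changed without touching them.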
