Exceptions to the rule - When you may WANT to turn off SMB message signing

Being a security guy I see the world in black and white. People are either good or bad. Technical security means are either secure or not. We are either underpaid, or we are in marketing.

No, seriously, nothing is that black and white. Take SMB Message Signing for instance. Obviously it provides some serious security value, if you are subject to man in the middle attacks on your SMB network, have potentially hostile people luring you to go to malicious SMB servers (and haven't patched your systems for a while). Requiring SMB message signing on your clients is an absolute must if you have not installed XP SP2 yet, and you can't block outbound SMB from your network. At the same time, SMB message signing may sink performance into the toilet. When you turn on SMB message signing transfers get serialized. Packet 1 must arrive and be acknowledged before packet 2 gets sent, and so on.

By default, SMB Message Signing is done only between clients and DCs. That is fine in most situations. DCs are not very big file servers. Sure, they serve group policy files, but those are tiny in the scheme of things. There are exceptions though, and one that the Small Business Server crowd is intimately familiar with. SBS servers are DCs, and file servers, and print servers, and application servers, and web servers, and they probably make toast, change your oil, and book complicated airline tickets for you too. If you use an SBS server as a massive file server, you may want to consider turning off SMB message signing. In playing with this tonight I found transfer times on a large (5.5GB) file transfer go from 54 minutes with SMB message signing turned on to 22 minutes without. There are absolutely situations where it is worth turning it off. The SBS community has known this for a while: https://www.smallbizserver.net/Default.aspx?tabid=139.

What is the risk in doing so? Well, you would open yourself up to man-in-the-middle attacks, replayed SMB messages, and a host of other evil - many of which may be as likely in a small business as finding front office personnel that claim they are actually computer experts! Don't get me wrong. SMB message signing is general security goodness. However, if you have to use your DC as a file server, and you have a very low likelihood of having people inside your network use man in the middle tricks, then the mitigation may be worse than the risk. This is just one more situation where one size security does not fit all.
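Before making that call it helps to know where a box actually stands. The following PowerShell audit is an added example, not code from the original post: it reads the standard LanmanServer and LanmanWorkstation signing values and flags the DC-that-is-also-a-file-server case discussed above. The DomainRole and share-count role detection are assumptions of this example, not anything the post prescribes.

```powershell
# Added audit script (not from the original post): reports the SMB signing
# posture of the local machine and flags the DC-plus-file-server case.
# RequireSecuritySignature / EnableSecuritySignature are the standard policy
# values behind "Digitally sign communications (always / if client agrees)".
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SigningState($key) {
    # A missing value is treated as 0 (not set) for both flags.
    $require = (Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    $enable  = (Get-ItemProperty -Path $key -Name EnableSecuritySignature  -ErrorAction SilentlyContinue).EnableSecuritySignature
    if ($require -eq 1) { return 'Required' }
    if ($enable  -eq 1) { return 'Enabled (used only if the peer agrees)' }
    return 'Disabled'
}

$serverState = Get-SigningState $serverKey
$clientState = Get-SigningState $clientKey

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
$isDC = $role -ge 4

# Assumption of this example: non-administrative disk shares (Type 0, name
# not ending in $) mean the box is acting as a file server.
$userShares = @(Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' })

"Server-side signing : $serverState"
"Client-side signing : $clientState"
"Domain controller   : $isDC"
"User disk shares    : $($userShares.Count)"

if ($isDC -and $serverState -eq 'Required' -and $userShares.Count -gt 0) {
    Write-Warning "DC is also serving $($userShares.Count) user share(s) with signing required; expect the throughput hit unless the file load moves elsewhere."
}
elseif ($isDC -and $serverState -ne 'Required') {
    Write-Warning "DC does not require SMB signing; man-in-the-middle and replay of SMB traffic are possible unless that network risk has been accepted."
}
```

Run it in an elevated prompt on the DC in question; it only reads configuration and changes nothing.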

That is the measure of when you should turn off the security - when the mitigation is more painful than the risk you are trying to mitigate.