Murad Talukdar | 3 May 09:31 2005

To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

Hi All,
We have had the arrival of a new scanner/printer/copier in the office. It uses SMB to
scan files to shared folders on our W2003 network. In order for it to work,
however, I have had to do the following:

1. From Administrative Tools, open Domain Controller Security Policy.
2. Smile
3. Select the \Security Settings\Local Policies\Security Options folder.
4. In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.
5. Click OK.
6. In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), and then click Disabled to prevent secure channel signing from being required.
7. Click OK.

Before that, the scan would fail to be sent to the server in question.
What are the implications of this, given that we do not ostensibly use SMB
for anything else?
I've heard scare stories of SMB man-in-the-middle attacks and was under the
impression that this is what these specific security settings were
pertaining to, but am not sure.

There are other options for the scanning, i.e. ftp/email, but neither would work,
as we cannot get approval for the cost of an ftp server, nor can the email system
take the file sizes that are often required by the scans our users make.

I can see there will be advice against having shared user folders etc. on
DCs too, but the big boss wants more from less, if you see what I mean.

Kind Regards
Murad Talukdar

Soluk, Kirk | 3 May 22:09 2005

RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

If you disable the SMB signing requirement it means that all your SMB-based
DC to member communications will be subject to MITM attacks.  The
primary concern here is your group policy download.  In short, the SMB
signing requirement provides the assurance that your group policies do
not get tampered with in transit. Similarly, disabling the secure
channel encryption\signing requirement means that you have no guarantees
on all your DC to DC secure channel data (although sensitive information
within the secure channel session (e.g. password derived data) will
always be encrypted).

It makes absolutely no sense to me how an app could be forcing this
issue unless it's really old or running on a SAMBA machine.  Is that the
case?

I would push back hard on this. You do not want to take this step
backward.  You have to be running some pretty old or insecure stuff to
have to disable these settings - SMB signing was introduced in NT4
Service Pack 3!

Kirk Soluk
University of Michigan
Information Technology Security Services

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m <at> subway.com] 
Sent: Tuesday, May 03, 2005 3:32 AM
To: focus-ms <at> securityfocus.com
Subject: To disable SMB packet and secure channel signing enforcement on
Windows Server 2003-based domain controllers


Laura A. Robinson | 3 May 22:18 2005

RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

The implications of what you've changed are pretty much what you've thought
they are. One thing, however: you *are* using SMB. SMB is not NetBIOS (a lot
of people tend to think that if they disable NetBIOS, they're disabling SMB,
and that's not the case); it is what is used to establish "name-based"
sessions between machines. Basically, nearly any TCP session between
Winboxen is also an SMB session.

So, at the very least, if you can set the SMB packet signing options to
"when possible" (or whatever it says; I'm thinking off the top of my head
and said head is achy right now), then your Windows machines can still
utilize SMB signing but your scanner/printer/copier can still work.
Alternately, contact the vendor of the device to find out if the machine can
be configured to do SMB signing. Finally, no, it's not the end of the world
if you can't use SMB signing. It's just one of the options available to you
to harden your environment. With that said, the fact that you have shares on
your DCs would make me want to lean towards being more conservative and
utilizing SMB signing if at all possible.

My pennies,

Laura
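As an added example (not part of any message in this thread), a PowerShell audit that reads the registry values behind the two policies Murad's steps disable and the "if client agrees" variant Laura refers to, so the posture of a DC can be checked without opening the policy editor. The registry paths and value names are the standard LanmanServer/Netlogon ones; the remote branch assumes PowerShell remoting is enabled and the caller has admin rights on the target.

```powershell
# Added example: audit SMB signing and secure-channel signing settings on a server.
# Assumptions: run as an administrator; -ComputerName other than the local host
# requires PowerShell remoting (Invoke-Command) to be enabled on the target.
function Get-SmbSigningPosture {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Each entry maps a Security Options policy name to its registry value.
    # Expected = 1 is the hardened state (signing/sealing required or offered).
    $checks = @(
        @{ Policy   = 'Microsoft network server: Digitally sign communications (always)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name     = 'RequireSecuritySignature'; Expected = 1 },
        @{ Policy   = 'Microsoft network server: Digitally sign communications (if client agrees)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Name     = 'EnableSecuritySignature'; Expected = 1 },
        @{ Policy   = 'Domain member: Digitally encrypt or sign secure channel data (always)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name     = 'RequireSignOrSeal'; Expected = 1 }
    )

    $script = {
        param($checks)
        foreach ($c in $checks) {
            # A missing value means the OS default applies; report it rather than guess.
            $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            [pscustomobject]@{
                Policy   = $c.Policy
                Value    = if ($null -eq $v) { 'not set (OS default applies)' } else { $v }
                Expected = $c.Expected
                Status   = if ($v -eq $c.Expected) { 'OK' } else { 'REVIEW' }
            }
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $script $checks
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $script -ArgumentList (,$checks)
    }
}

Get-SmbSigningPosture | Format-Table -AutoSize
```

A DC whose first row reports 0 is in the state the original post describes; leaving only the "(always)" value at 0 while "(if client agrees)" stays at 1 is the "when possible" middle ground Laura describes, where signing-capable Windows clients still sign and the device is not refused.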


Serge Jorgensen | 3 May 21:43 2005

RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

Murad,

Why not just share a folder on the local user's workstation? That
doesn't require the changes on the DC, and you can always sync the
folders back to the DC if you need some backup.

R/
 Serge 


Langston, Fred | 4 May 00:19 2005

RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

I've done a lot of security assessments on Multi-Function Devices (MFDs)
and every one I've seen uses embedded Linux with SAMBA.  Hence the
need for security assessments ;-)

Fred Langston, CISSP
Principal Consultant
VeriSign, Inc.  Global Security Consulting
M: 425.765.3330 O: 206.903.8147 x223



Re: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

That's not necessarily true... some of the brand spanking new
printers/copiers/scanners do indeed not support this.

Soluk, Kirk wrote:

David LeBlanc | 4 May 00:57 2005

RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

I replied privately to Murad, but something I'd like to add - 

Some copiers do run on OS/2 and Linux (though IIRC, samba has been able to
do signing for a while), so that's probably a good guess.

As you point out, the attacks enabled by turning down security are severe,
but if they're in a situation where you're using a DC as a file server, then
it's probably a very small org. I'd venture that the chances of anyone
popping up on the network who can launch these attacks are slim, and if a
hacker does get in, this is unlikely to be the weakest link.

I wouldn't push back hard right now - I'd try and get a dedicated file
server ASAP. I'd also want to be sure I had all my other bases covered -
routine checks for bad passwords, and so on. The problem is that you're not
going to win this one now. They already have the copier - if this was caught
pre-purchase, you might be able to win it. An arcane security problem that's
hard to explain which has a number of preconditions is a losing proposition
when going up against the boss' shiny new toy.

One work-around that can be done right away would be to use FTP - all
Windows servers have a FTP server that can be installed and this would seem
to be a relatively low-risk option if the files are pushed out without
authentication. If they use passwords, then FTP is a big step backwards.

*****************************
My opinion, and should not be construed as a statement on behalf of my
employer.
*****************************


vic brown | 4 May 01:11 2005

Re: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

A stand-alone repository box might not be a bad solution (win32 or
samba).  The application is ASSuming that you want to store the files in
your domain controller.  I'm sure there is a way for you to say
something like \\anybox\repository.  This way security is not scaled
down.  No cost for an ftp server? (Linux box w/vsftpd, or win32 with
filezilla ftpd).  How expensive is that?


Murad Talukdar | 4 May 01:31 2005

RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

Thanks for the great replies. I had a hunch that the hole opened up is
precisely why W2003 comes set as it does as a default.
What I will do is:
1. Enquire with the vendor whether the machine can be set to sign (it's a
rebranded Ricoh machine).
2. Look into the ftp suggestion. This seems much more 'secure' at this point,
and I did know that ftp could be enabled on a W2003 machine, but this
particular DC is doing more tasks than I think it should, and it will take a
while before we get approval for another box. (Can you believe that the man
at the top of an international company has to give approval for anything
higher than $1000 dollars?)
3. Serge's idea for the local folders is a good one too, but we do have a
lot of roaming, so will need to figure that one out if this is the path to
use.
4. Take a deep breath.
5. See if I can find the setting that Laura mentioned ('whenever possible').

Murad


Richard J. Pollock, Jr. | 4 May 02:12 2005

RE: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers

Does this relate in any way to the Samba authentication with Windows
2003SP1? I'm still having trouble getting my samba machines authenticating
users. I even installed the latest versions of Samba (14a and 15pre).

Rick
