SMB security - server signing

Paul042020

Contributor
Joined
May 4, 2020
Messages
119
Hello,
On this page of the TrueNAS documentation about security optimizations (https://www.truenas.com/docs/solutions/optimizations/security/#smb), it is written:
SMB Server Signing is recommended. To enable Server Signing, go to Services > SMB > Edit > Auxiliary Parameters and add this string to the Auxiliary Parameters field:
server signing = mandatory

If it is recommended, why is it not a default setting?
Do you think it is a good thing to add this setting if I access my personal data through a VPN?

Regards
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I've raised an issue with our documentation team. Signing is non-optional for the SMB2/3 protocol. That aux param is not needed and provides basically zero benefit (except possibly in the case where SMB1 is used -- that's debatable because SMB1 usage itself is actively discouraged).
 

Paul042020

Hello, and thank you for your quick response.

If I understand your answer: there is already a signature for the SMB2 and 3 protocol, which makes adding this parameter unnecessary.
Is it really that?

If this is the case, the documentation is indeed confusing.
 

anodos

For the SMB2 protocol, by design, signing cannot be disabled. In the case where SMB2 is negotiated, if this parameter is set to disabled, it will be treated as auto. Setting it to mandatory will still require SMB2 clients to use signing.


As I mentioned, that documentation is getting fixed.
 

Paul042020

OK, thank you.
I'll remove this parameter.
 

paulpop

Cadet
Joined
Jun 7, 2023
Messages
2
Hi, I've a doubt.

Actually, with the parameter (server signing = mandatory) or not, the testing result is the same: "Message signing enabled but not required". How can I make the result of the test with nmap be "Message signing enabled and required"? What parameters should I use? Because I have used different ones in different combinations and the result is the same.
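
Added example, not part of any post in this thread: the two result strings quoted above correspond to the SIGNING_ENABLED (0x0001) and SIGNING_REQUIRED (0x0002) bits of the SecurityMode field in the server's SMB2 NEGOTIATE response, so a capture of that response shows what the server actually advertises. The function names and the sample messages below are constructed for illustration.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def parse_negotiate(msg: bytes) -> dict:
    """Decode dialect and signing bits from a raw SMB2 NEGOTIATE response
    (4-byte transport length prefix already stripped)."""
    if len(msg) < SMB2_HEADER_LEN + 6:
        raise ValueError("too short for an SMB2 NEGOTIATE response")
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message (SMB1 or other traffic)")
    (header_size,) = struct.unpack_from("<H", msg, 4)
    (command,) = struct.unpack_from("<H", msg, 12)
    if header_size != SMB2_HEADER_LEN or command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    # Response body: StructureSize (65), SecurityMode, DialectRevision, ...
    body_size, mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": dialect,
        "enabled": bool(mode & SIGNING_ENABLED),
        "required": bool(mode & SIGNING_REQUIRED),
    }


def describe(info: dict) -> str:
    """Map the decoded bits to the wording quoted in the thread."""
    if info["required"]:
        return "Message signing enabled and required"
    if info["enabled"]:
        return "Message signing enabled but not required"
    return "no signing bits set"  # wording for this case is ours


def build_sample(mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed NEGOTIATE response used as sample input (not a real capture)."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1, 1, 0, 0, 0, 0, 0
    ) + bytes(16)  # 16-byte Signature field, zeroed
    return header + struct.pack("<HHH", 65, mode, dialect) + bytes(58)


if __name__ == "__main__":
    for mode in (0x0001, 0x0003):
        print(hex(mode), describe(parse_negotiate(build_sample(mode))))
```
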
 