I've been having some strange file copy issues between a Windows 10 client and Windows Server 2019 system (DC/Fileserver).

I don't want to explain that issue in detail here other than to say it appears it is caused by SMB signing (random Invalid Signature on file copies). I have validated that the issue goes away when using SMB encryption (implemented by enabling RequirePrivacy=1 in Hardened UNC path setting). My Wireshark capture shows in the Negotiate Protocol Response (SMB 3.1.1 is the dialect used):

```
Security mode: 0x03, Signing enabled, Signing required
    .... ...1 = Signing enabled: True
    .... ..1. = Signing required: True
```

However, according to Microsoft:

> When requiring SMB Encryption, SMB Signing is not used, regardless of settings. SMB Encryption implicitly provides the same integrity guarantees as SMB Signing

So, in effect I have disabled signing by using encryption instead. With this enabled my "issue" doesn't exist.

I would like to try this without the use of encryption and instead with signing disabled. Unfortunately, I can't get Windows to turn this off. I have done the following:

1) Configured my local Windows 10 client's security policy:

Microsoft network client: Digitally sign communications (always) = DISABLED

Microsoft network client: Digitally sign communications (if server agrees) = DISABLED

(The second setting according to Microsoft shouldn't even be required for SMB2 communication)

2) Configured my Windows Server 2019 DC via the Domain Controllers GPO:

Microsoft network server: Digitally sign communications (always) = DISABLED

Microsoft network server: Digitally sign communications (if client agrees) = DISABLED

(The second setting according to Microsoft shouldn't even be required for SMB2 communication)

Based on my understanding that should be all that is required to disable SMB2 signing. However I have additionally tried the following:

Disabled SecuritySignature on the DC's SMB:

- Set-SmbServerConfiguration -EnableSecuritySignature $false

- Set-SmbServerConfiguration -RequireSecuritySignature $false

I'm not sure if the above actually deal with SMB2 signing or only SMB1, but I set them anyway in addition to disabling these on my client (Set-SmbClientConfiguration settings)

I have also tried to set the UNC Hardening keys on my Windows 10 system to RequireIntegrity=0.

None of these settings work to disable SMB signing. The best I get in my Wireshark capture Negotiate Protocol Response is:

```
Security mode: 0x01, Signing enabled
    .... ...1 = Signing enabled: True
    .... ..0. = Signing required: False
```

So I've succeeded in disabling the requirement for signing, but I can't actually get the signing to turn off.

I can't find anything that states that signing can't be disabled, so either there is a bug - or I'm missing something.

Help?

BenH
  • Any luck? Thought I'd take a stab by asking [here](https://www.reddit.com/r/sysadmin/comments/gb2gta/how_to_disable_smb_signing_encryption_for_windows/) as well. – ylluminate Apr 30 '20 at 20:01
  • Nothing. I've posted related issues on MS forums: https://social.technet.microsoft.com/Forums/en-US/16b8de48-b711-4014-8a85-e3363b05cfab/error-0x80090006-invalid-signature-copying-files-from-windows-server-2019-to-windows-10-smb3?forum=ws2019 and https://social.technet.microsoft.com/Forums/en-US/f7d74b9b-f994-4118-b46e-abce0b62fa60/unable-to-disable-secure-negotiate-for-smb3-on-windows-server-2019-windows-10?forum=ws2019 But the help there is non-existent. MS is getting worse and worse in not updating documentation as the product evolves, so there is no information anywhere. – BenH May 01 '20 at 21:52

0 Answers
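An added example, not part of the original post: a Python decoder for the two SecurityMode values shown in the captures above, plus the per-packet SMB2_FLAGS_SIGNED header flag, which is what shows whether an individual message was actually signed. The function names are illustrative and the sample bytes are constructed, not taken from a real capture.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
FLAG_RESPONSE = 0x00000001  # SMB2_FLAGS_SERVER_TO_REDIR
FLAG_SIGNED = 0x00000008    # SMB2_FLAGS_SIGNED: this packet carries a signature
# SecurityMode bits. MS-SMB2 has the server set ENABLED in every NEGOTIATE
# response; REQUIRED is the bit that reflects the "always sign" policy.
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002
DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
            0x0302: "3.0.2", 0x0311: "3.1.1"}

def parse_header(msg):
    """Return (command, flags) from the fixed 64-byte SMB2 header."""
    if len(msg) < 64 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    if struct.unpack_from("<H", msg, 4)[0] != 64:
        raise ValueError("unexpected SMB2 header size")
    command = struct.unpack_from("<H", msg, 12)[0]
    flags = struct.unpack_from("<I", msg, 16)[0]
    return command, flags

def is_signed(msg):
    """Whether this individual message was signed, per its header flags."""
    return bool(parse_header(msg)[1] & FLAG_SIGNED)

def parse_negotiate_response(msg):
    """Decode dialect and SecurityMode from an SMB2 NEGOTIATE response."""
    command, flags = parse_header(msg)
    if command != 0x0000 or not flags & FLAG_RESPONSE:
        raise ValueError("not a NEGOTIATE response")
    if len(msg) < 70:
        raise ValueError("truncated NEGOTIATE response")
    size, mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if size != 65:
        raise ValueError("unexpected NEGOTIATE response size")
    return {"dialect": DIALECTS.get(dialect, hex(dialect)),
            "security_mode": mode,
            "signing_enabled": bool(mode & SIGNING_ENABLED),
            "signing_required": bool(mode & SIGNING_REQUIRED)}

def sample_response(mode, flags=FLAG_RESPONSE):
    """Constructed bytes (not a real capture): header + start of the body."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, 0x0000,
                         1, flags, 0, 0, 0, 0, 0, b"\0" * 16)
    return header + struct.pack("<HHHH", 65, mode, 0x0311, 1)

if __name__ == "__main__":
    for mode in (0x03, 0x01):  # the two values from the captures above
        print(hex(mode), parse_negotiate_response(sample_response(mode)))
```

When feeding it bytes from a real capture, pass the SMB2 message itself, without the 4-byte Direct TCP length prefix that precedes it on port 445.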