HP-UX 11.00: Advanced Server/9000 Version B.04.03 Release Notes > Chapter 5 Operational Notes

SMB Security Signatures


SMB signing is a feature that was added to NT 4.0 in Service Pack 3. This feature has two main improvements: it supports mutual authentication, which closes a "man-in-the-middle" attack, and it supports message authentication, which prevents active message attacks. SMB signing provides this authentication by placing a digital security signature into each SMB, which is then verified by both the client and the server.

In order to use SMB signing, you must either enable it or require it on both the client and the server. If SMB signing is enabled on a server, then clients that are also enabled for SMB signing will use the new protocol during all subsequent sessions and clients that are not enabled for SMB signing will use the older SMB protocol. If SMB signing is required on a server, then a client will not be able to establish a session unless it is enabled for SMB signing.

Two new registry parameters have been added to the "LanmanServer\Parameters" section of the AS/U registry to control server-side SMB signing (e.g., signing with NT clients). EnableSecuritySignature controls whether AS/U will negotiate the use of SMB signing with NT clients. RequireSecuritySignature controls whether AS/U requires the use of SMB signing. If RequireSecuritySignature is set, AS/U will refuse connections from clients and servers that do not have EnableSecuritySignature set. Server-side SMB signing is disabled by default in AS/U.

Client-side SMB signing in AS/U (i.e., the UNIX redirector) is not configurable. The settings are "enabled" but not "required". For more information on how to configure SMB signing on Windows NT, see Microsoft Knowledge article Q161372 -- How to Enable SMB Signing in Service Pack 3.

Also, SMB signing will impose a performance penalty on your system. Although it doesn't consume any more network bandwidth, it does use more CPU cycles on the client and server side.
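The enable/require rules above decide, for each client and server pair, whether a session is signed, falls back to the older unsigned protocol, or is refused. The following Python sketch is an added example, not part of the original release notes or of AS/U: it models those rules over a constructed inventory so the unsigned fallbacks can be listed. The host names are hypothetical, and it assumes a host that requires signing can also sign and that a requiring client is treated the same way as a requiring server.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Host:
    name: str
    enable: bool   # EnableSecuritySignature
    require: bool  # RequireSecuritySignature

    @property
    def can_sign(self) -> bool:
        # Assumption: a host that requires signing is also able to sign.
        return self.enable or self.require

def negotiate(client: Host, server: Host) -> str:
    """Return 'signed', 'unsigned' or 'refused' for one client/server pair."""
    if client.can_sign and server.can_sign:
        return "signed"
    # One side cannot sign: if either side requires signing, no session.
    # (Assumption: the rule is symmetric for a requiring client.)
    if client.require or server.require:
        return "refused"
    return "unsigned"  # falls back to the older, unsigned SMB protocol

def audit(clients, servers):
    """List every pair that will not end up with a signed session."""
    findings = []
    for c, s in product(clients, servers):
        outcome = negotiate(c, s)
        if outcome != "signed":
            findings.append((c.name, s.name, outcome))
    return findings

# Constructed inventory (hypothetical host names).
SERVERS = [
    Host("asu-default", enable=False, require=False),   # AS/U server default
    Host("asu-enabled", enable=True, require=False),
    Host("asu-required", enable=True, require=True),
]
CLIENTS = [
    Host("asu-redirector", enable=True, require=False),  # fixed AS/U client setting
    Host("legacy-client", enable=False, require=False),
]

if __name__ == "__main__":
    for c, s, outcome in audit(CLIENTS, SERVERS):
        print(f"{c:15} -> {s:13} {outcome}")
```

In this model only a server with RequireSecuritySignature set never ends up in an unsigned session; an "enabled" server still accepts unsigned sessions from clients that cannot sign.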

SMB Security Signature Bug

The current implementation of security signatures in AS/U 4.0 contains a bug that also exists in the Microsoft implementation introduced in NT 4.0 Service Pack 3. This bug will cause SessionSetupAndX SMBs from NT clients to be falsely rejected as incorrectly signed under certain circumstances.

The following scenario demonstrates the bug:

  1. Create an account for a new user on AS/U 4.0 or NT 4.0 SP3.

  2. Log on to the server using a downlevel client (e.g., Lanman 2.2c) and set the user's password from the downlevel client.

  3. Create an account for the user on an NT 4.0 SP3 workstation with the same password. This might happen when, for example, the user's downlevel client is retired and replaced with an NT workstation.

  4. Log on to the NT workstation as that user and try to connect to a share on the server. The user will see an access denied error. A network monitor trace will show the SessionSetupAndX SMB being rejected as incorrectly signed.

When this situation occurs, the only way to permit access to the server for the user is either to change the user's password from the AS/U console or an NT client, or to disable security signatures on either the client or the server. Microsoft has acknowledged the bug.

© 1998 Hewlett-Packard Development Company, L.P.