Enforce SMB Signing

🔒 Secure Bits 💡
Enforcing SMB Signing: Still a Challenge in 2025?

SMB Signing is one of those security controls that everyone should have in place — yet, many production environments still don't.

💡 Why?
Until now, it's been difficult to track which clients or applications would break once you enforce it.

While you could run Get-SmbConnection | FL * from the client side to check signing/encryption status and SMB version, this doesn't scale well.

But that's changing with Windows Server 2025 and Windows 11 24H2.

🆕 Improved Auditing for SMB Signing and Encryption
You can now audit clients and servers that do not support SMB signing or encryption via Event Logs. Here's how:

🛠️ GPO Settings
▪️ Computer Configuration\Administrative Templates\Network:
🔹 Lanman Workstation\Audit server does not support encryption
🔹 Lanman Workstation\Audit server does not support signing
🔹 Lanman Server\Audit client does not support encryption
🔹 Lanman Server\Audit client does not support signing

Event Log Paths & Events
▪️ Applications and Services Logs\Microsoft\Windows:
🔹 SMBServer\Audit
🔹 SMBClient\Audit
➡️ Events: 3021–3027

There's also event 4000, located at:
▪️ Applications and Services Logs\Microsoft\Windows:
🔹 SMBServer\Connectivity
🔹 SMBClient\Connectivity
This seems to be enabled by default in WS2025 and is not controlled by the GPOs above.

⚠️ There was also a Patch Tuesday update (CVE-2025-55234) that should backport these auditing features to older Windows versions — but I haven't been able to reproduce that yet (maybe I misunderstood this CVE). I also found out that registry values are different between WS 2025 and older versions of WS.

๐—”๐˜ ๐—น๐—ฎ๐˜€๐˜, ๐˜„๐—ฒ ๐—ฐ๐—ฎ๐—ป ๐—ฎ๐˜‚๐—ฑ๐—ถ๐˜ ๐˜๐—ต๐—ถ๐˜€ ๐—ฎ๐˜ ๐˜€๐—ฐ๐—ฎ๐—น๐—ฒ โ€” from theย server sideย โ€” and plan for aย safe SMB hardening rollout.

๐—”๐—ฟ๐—ฒ ๐˜†๐—ผ๐˜‚ ๐—ถ๐—ป๐˜๐—ฒ๐—ฟ๐—ฒ๐˜€๐˜๐—ฒ๐—ฑ ๐—ถ๐—ป ๐—”๐—ฐ๐˜๐—ถ๐˜ƒ๐—ฒ ๐——๐—ถ๐—ฟ๐—ฒ๐—ฐ๐˜๐—ผ๐—ฟ๐˜† ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜†?ย Check out my free resources:
๐Ÿ‘‰ https://academy.horizon-secured.com/p/free-resources