https://community.netapp.com/t5/Network-and-Storage-Protocols/Enforcing-SMB-Signing/m-p/111258#M7999 <P>Our Security Center / Nessus scanner is reporting that our filers are not requiring SMB signing. &nbsp;This is not good, for security or for compliance/auditing....I must be misunderstanding something?</P><P>&nbsp;</P><P>I have researched&nbsp;the following options:</P><P>&nbsp;</P><UL><LI><FONT face="courier new,courier"><SPAN>options cifs.signing.enable on</SPAN></FONT></LI><LI><SPAN><FONT face="courier new,courier">options cifs.smb2.signing.required on</FONT> (as well as <FONT face="courier new,courier">options cifs.smb2.enable on</FONT>)</SPAN></LI></UL><P>According to NTAP documentation, <FONT face="courier new,courier">options cifs.signing.enable on</FONT> will tell the filer to use SMB signing optionally (depending how the clients want);&nbsp;equivelent to GPO option <STRONG>Microsoft Network server policy: Digitally sign communication (if client agrees).</STRONG>&nbsp; Meanwhile, <FONT face="courier new,courier">options cifs.smb2.signing.required</FONT>&nbsp;will tell the filer to only accept connections from clients that are signed; equivelent to GPO option <SPAN><STRONG>Microsoft Network server policy: Digitally sign communications (always)</STRONG>. &nbsp;Now, this 2nd setting is how we would do it in a windows network to properly secure things, and meet our guidelines. &nbsp;Also, we would not generall turn both settings on. &nbsp;It's one or the other, and the later is the stricter / better one. &nbsp;Seems to me the slam dunk is to just enable <FONT face="courier new,courier">options cifs.smb2.signing.required</FONT>. &nbsp;But that does not work...</SPAN></P><P>&nbsp;</P><P><SPAN>I have tried the following combinations, yet Nessus is still flagging the filers as insecure due to lack of SMB signing. &nbsp;For those of you that use Nessus it's <A href="http://www.tenable.com/plugins/index.php?view=single&amp;id=57608" target="_blank">plug-in ID 57608</A>.</SPAN></P><P>&nbsp;</P><P><SPAN>SETUP 1:</SPAN></P><UL><LI><FONT face="courier new,courier">options cifs.signging.enable.on</FONT></LI><LI><FONT face="courier new,courier">options cifs.smb2.enable on</FONT></LI><LI><FONT face="courier new,courier">options cifs.smb2.signing.required on</FONT></LI></UL><P>SETUP 2:</P><UL><LI><FONT face="courier new,courier">options cifs.signging.enable.off</FONT></LI><LI><FONT face="courier new,courier">options cifs.smb2.enable on</FONT></LI><LI><FONT face="courier new,courier">options cifs.smb2.signing.required on</FONT></LI></UL><P>I guess what I need to know is.....what will it take to <EM><STRONG>require</STRONG> </EM>SMB signing on the CIFS servers / filers? &nbsp;Because both setups above do not work. &nbsp;Clients are still able to connect unsigned.</P> Wed, 04 Jun 2025 23:01:32 GMT JLOCKIE_CEFCU 2025-06-04T23:01:32Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Enforcing-SMB-Signing/m-p/111258#M7999 <P>Our Security Center / Nessus scanner is reporting that our filers are not requiring SMB signing. &nbsp;This is not good, for security or for compliance/auditing....I must be misunderstanding something?</P><P>&nbsp;</P><P>I have researched&nbsp;the following options:</P><P>&nbsp;</P><UL><LI><FONT face="courier new,courier"><SPAN>options cifs.signing.enable on</SPAN></FONT></LI><LI><SPAN><FONT face="courier new,courier">options cifs.smb2.signing.required on</FONT> (as well as <FONT face="courier new,courier">options cifs.smb2.enable on</FONT>)</SPAN></LI></UL><P>According to NTAP documentation, <FONT face="courier new,courier">options cifs.signing.enable on</FONT> will tell the filer to use SMB signing optionally (depending how the clients want);&nbsp;equivelent to GPO option <STRONG>Microsoft Network server policy: Digitally sign communication (if client agrees).</STRONG>&nbsp; Meanwhile, <FONT face="courier new,courier">options cifs.smb2.signing.required</FONT>&nbsp;will tell the filer to only accept connections from clients that are signed; equivelent to GPO option <SPAN><STRONG>Microsoft Network server policy: Digitally sign communications (always)</STRONG>. &nbsp;Now, this 2nd setting is how we would do it in a windows network to properly secure things, and meet our guidelines. &nbsp;Also, we would not generall turn both settings on. &nbsp;It's one or the other, and the later is the stricter / better one. &nbsp;Seems to me the slam dunk is to just enable <FONT face="courier new,courier">options cifs.smb2.signing.required</FONT>. &nbsp;But that does not work...</SPAN></P><P>&nbsp;</P><P><SPAN>I have tried the following combinations, yet Nessus is still flagging the filers as insecure due to lack of SMB signing. &nbsp;For those of you that use Nessus it's <A href="http://www.tenable.com/plugins/index.php?view=single&amp;id=57608" target="_blank">plug-in ID 57608</A>.</SPAN></P><P>&nbsp;</P><P><SPAN>SETUP 1:</SPAN></P><UL><LI><FONT face="courier new,courier">options cifs.signging.enable.on</FONT></LI><LI><FONT face="courier new,courier">options cifs.smb2.enable on</FONT></LI><LI><FONT face="courier new,courier">options cifs.smb2.signing.required on</FONT></LI></UL><P>SETUP 2:</P><UL><LI><FONT face="courier new,courier">options cifs.signging.enable.off</FONT></LI><LI><FONT face="courier new,courier">options cifs.smb2.enable on</FONT></LI><LI><FONT face="courier new,courier">options cifs.smb2.signing.required on</FONT></LI></UL><P>I guess what I need to know is.....what will it take to <EM><STRONG>require</STRONG> </EM>SMB signing on the CIFS servers / filers? &nbsp;Because both setups above do not work. &nbsp;Clients are still able to connect unsigned.</P> Wed, 04 Jun 2025 23:01:32 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Enforcing-SMB-Signing/m-p/111258#M7999 JLOCKIE_CEFCU 2025-06-04T23:01:32Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Enforcing-SMB-Signing/m-p/111427#M8010 <BLOCKQUOTE>Read through this link:</BLOCKQUOTE><BLOCKQUOTE><A href="https://library.netapp.com/ecmdocs/ECMP1401220/html/GUID-084BBC00-EBD4-4899-AD85-9628368D3AF2.html" target="_self">https://library.netapp.com/ecmdocs/ECMP1401220/html/GUID-084BBC00-EBD4-4899-AD85-9628368D3AF2.html</A></BLOCKQUOTE><BLOCKQUOTE>Part of the discussion is to restart CIFS as part of the process.</BLOCKQUOTE><BLOCKQUOTE>Also, I noticed a typo in your first option. &nbsp;So it looks like the steps would be:</BLOCKQUOTE><BLOCKQUOTE>cifs terminate<BR />options cifs.smb2.enable on<BR />options cifs.signing.enable on<BR />options cifs.smb2.signing.required on<BR />cifs restart</BLOCKQUOTE><P>&nbsp;</P><P>&nbsp;</P> Wed, 21 Oct 2015 01:21:57 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Enforcing-SMB-Signing/m-p/111427#M8010 mcgue 2015-10-21T01:21:57Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Enforcing-SMB-Signing/m-p/111557#M8023 <P>I see the problem.....ugh.&nbsp; This is not good.&nbsp; I guess my only option is to accept risk, or to stop using CIFS on the filers?&nbsp; How can NetApp not have a way to enforce signing and deny any unsigned requests from clients?&nbsp;</P><P>&nbsp;</P><P><FONT face="arial black,avant garde" size="3"><STRONG>If the client cannot establish an SMB 2.x session with signing, the client <FONT color="#ff0000">falls back to an SMB session with or without signing</FONT>, and the storage system uses whichever the client requests.</STRONG></FONT></P> Thu, 22 Oct 2015 16:16:18 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Enforcing-SMB-Signing/m-p/111557#M8023 JLOCKIE_CEFCU 2015-10-22T16:16:18Z