2015-10-16 11:49 AM
Our Security Center / Nessus scanner is reporting that our filers are not requiring SMB signing. This is not good, for security or for compliance/auditing....I must be misunderstanding something?
I have researched the following options:
According to NTAP documentation, options cifs.signing.enable on will tell the filer to use SMB signing optionally (depending how the clients want); equivalent to GPO option Microsoft Network server policy: Digitally sign communications (if client agrees). Meanwhile, options cifs.smb2.signing.required will tell the filer to only accept connections from clients that are signed; equivalent to GPO option Microsoft Network server policy: Digitally sign communications (always). Now, this 2nd setting is how we would do it in a Windows network to properly secure things, and meet our guidelines. Also, we would not generally turn both settings on. It's one or the other, and the latter is the stricter / better one. Seems to me the slam dunk is to just enable options cifs.smb2.signing.required. But that does not work...
I have tried the following combinations, yet Nessus is still flagging the filers as insecure due to lack of SMB signing. For those of you that use Nessus it's plug-in ID 57608.
I guess what I need to know is.....what will it take to require SMB signing on the CIFS servers / filers? Because both setups above do not work. Clients are still able to connect unsigned.
2015-10-20 06:21 PM
Read through this link:
Part of the discussion is to restart CIFS as part of the process.
Also, I noticed a typo in your first option. So it looks like the steps would be:
options cifs.smb2.enable on
options cifs.signing.enable on
options cifs.smb2.signing.required on
2015-10-22 09:16 AM
I see the problem.....ugh. This is not good. I guess my only option is to accept risk, or to stop using CIFS on the filers? How can NetApp not have a way to enforce signing and deny any unsigned requests from clients?
If the client cannot establish an SMB 2.x session with signing, the client falls back to an SMB session with or without signing, and the storage system uses whichever the client requests.
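As an added example (not code from the thread, from Nessus, or from NetApp), the script below shows what a scanner actually looks at when it decides whether signing is "required": the SecurityMode flags in the server's SMB2 and SMB1 Negotiate responses, as defined in MS-SMB2 and MS-CIFS. It also models the fallback quoted above: when the server still answers SMB1 with signing merely enabled, the effective policy a client can negotiate is the weakest one on offer, so `cifs.smb2.signing.required` alone does not make the server "required" in the scanner's eyes. The sample responses, the `filer_verdict` helper and the policy names are constructed for illustration.

```python
"""Classify a CIFS server's SMB signing policy from its Negotiate responses.

Added example, not code from the thread or from NetApp. Flag values are the
ones defined in MS-SMB2 (SMB2 NEGOTIATE Response, SecurityMode) and MS-CIFS
(SMB_COM_NEGOTIATE NT LM 0.12 response, SecurityMode). The sample responses
below are constructed by hand, not captured from a filer.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB1_MAGIC = b"\xffSMB"
SMB2_NEGOTIATE = 0x0000            # SMB2 command code
SMB1_COM_NEGOTIATE = 0x72          # SMB1 command code
SMB2_FLAGS_SERVER_TO_REDIR = 0x01  # set on every SMB2 response
SMB1_FLAGS_REPLY = 0x80            # set on every SMB1 response

# SMB2 NEGOTIATE Response.SecurityMode (2 bytes)
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002
# SMB1 NT LM 0.12 NEGOTIATE Response.SecurityMode (1 byte)
SMB1_SIGNATURES_ENABLED = 0x04
SMB1_SIGNATURES_REQUIRED = 0x08

# Ordered weakest to strongest; a scanner flags anything below "required".
POLICY_RANK = {"disabled": 0, "optional": 1, "required": 2}


def _classify(enabled: bool, required: bool) -> str:
    if required:
        return "required"
    return "optional" if enabled else "disabled"


def smb2_signing_policy(msg: bytes) -> str:
    """Return the signing policy advertised in an SMB2 NEGOTIATE response."""
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command, _credits, flags = struct.unpack_from("<HHI", msg, 12)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    structure_size, security_mode = struct.unpack_from("<HH", msg, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return _classify(bool(security_mode & SMB2_SIGNING_ENABLED),
                     bool(security_mode & SMB2_SIGNING_REQUIRED))


def smb1_signing_policy(msg: bytes) -> str:
    """Return the signing policy advertised in an SMB1 NEGOTIATE response."""
    if msg[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    command, flags = msg[4], msg[9]
    if command != SMB1_COM_NEGOTIATE or not flags & SMB1_FLAGS_REPLY:
        raise ValueError("not a NEGOTIATE response")
    if msg[32] != 17:                # WordCount of the NT LM 0.12 response
        raise ValueError("not an NT LM 0.12 NEGOTIATE response")
    security_mode = msg[35]          # header(32) + WordCount(1) + DialectIndex(2)
    return _classify(bool(security_mode & SMB1_SIGNATURES_ENABLED),
                     bool(security_mode & SMB1_SIGNATURES_REQUIRED))


def effective_policy(policies) -> str:
    """Weakest policy among the dialects a client may fall back to."""
    return min(policies, key=POLICY_RANK.__getitem__)


def build_smb2_negotiate_response(security_mode: int) -> bytes:
    """Constructed sample: minimal SMB2 NEGOTIATE response (dialect 2.1)."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack(
        "<HHHH16sIIIIQQHHI", 65, security_mode, 0x0210, 0, b"\0" * 16,
        0, 0x10000, 0x10000, 0x10000, 0, 0, 128, 0, 0) + b"\0"
    return header + body


def build_smb1_negotiate_response(security_mode: int) -> bytes:
    """Constructed sample: minimal SMB1 NT LM 0.12 NEGOTIATE response."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB1_COM_NEGOTIATE, 0, SMB1_FLAGS_REPLY, 0, 0,
        b"\0" * 8, 0, 0, 0, 0, 0)
    words = struct.pack(
        "<BHBHHIIIIQhB", 17, 0, security_mode, 50, 1, 16644, 65536, 0, 0, 0, 0, 8)
    return header + words + struct.pack("<H", 0)   # ByteCount = 0


def filer_verdict(smb2_mode: int, smb1_mode: int) -> dict:
    """Hypothetical helper: what a scanner sees from a server answering both dialects."""
    smb2 = smb2_signing_policy(build_smb2_negotiate_response(smb2_mode))
    smb1 = smb1_signing_policy(build_smb1_negotiate_response(smb1_mode))
    return {"smb2": smb2, "smb1": smb1, "effective": effective_policy([smb2, smb1])}


if __name__ == "__main__":
    # SMB2 required, SMB1 only enabled: a client that falls back to SMB1 may go unsigned.
    print(filer_verdict(SMB2_SIGNING_ENABLED | SMB2_SIGNING_REQUIRED,
                        SMB1_SIGNATURES_ENABLED))
    # Both dialects required: this is what "signing required" has to look like.
    print(filer_verdict(SMB2_SIGNING_ENABLED | SMB2_SIGNING_REQUIRED,
                        SMB1_SIGNATURES_ENABLED | SMB1_SIGNATURES_REQUIRED))
```

The parsers read only the fields they need (command, response flag, StructureSize/WordCount and SecurityMode), which is enough to classify a live response captured from port 445 with a packet capture tool. `effective_policy` is the part that explains the thread: requiring signing on one dialect while another dialect still advertises it as merely enabled leaves the server at "optional" for any client allowed to fall back.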