Our Security Center / Nessus scanner is reporting that our filers are not requiring SMB signing. This is not good, for security or for compliance/auditing. I must be misunderstanding something?
I have researched the following options:
- options cifs.signing.enable on
- options cifs.smb2.signing.required on (as well as options cifs.smb2.enable on)
According to NTAP documentation, options cifs.signing.enable on will tell the filer to use SMB signing optionally (depending on how the clients want it); equivalent to the GPO option Microsoft network server: Digitally sign communications (if client agrees). Meanwhile, options cifs.smb2.signing.required will tell the filer to only accept connections from clients that are signed; equivalent to the GPO option Microsoft network server: Digitally sign communications (always). Now, this second setting is how we would do it in a Windows network to properly secure things and meet our guidelines. Also, we would not generally turn both settings on. It's one or the other, and the latter is the stricter / better one. Seems to me the slam dunk is to just enable options cifs.smb2.signing.required. But that does not work...
I have tried the following combinations, yet Nessus is still flagging the filers as insecure due to lack of SMB signing. For those of you that use Nessus it's plug-in ID 57608.
SETUP 1:
- options cifs.signing.enable on
- options cifs.smb2.enable on
- options cifs.smb2.signing.required on
SETUP 2:
- options cifs.signing.enable off
- options cifs.smb2.enable on
- options cifs.smb2.signing.required on
I guess what I need to know is: what will it take to require SMB signing on the CIFS servers / filers? Because both setups above do not work. Clients are still able to connect unsigned.
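The difference between "signing if client agrees" and "signing always" that the post describes is visible in the server's NEGOTIATE response: SMB2 carries a SecurityMode field with SIGNING_ENABLED (0x0001) and SIGNING_REQUIRED (0x0002) bits (MS-SMB2 2.2.4), and the SMB1 NT LM 0.12 response carries SIGNATURES_ENABLED (0x04) and SIGNATURES_REQUIRED (0x08) (MS-CIFS 2.2.4.52.2). A scanner finding of "signing not required" means the server answered with ENABLED set but REQUIRED clear, which is the "optional" state. The script below is an added example, not from the original post or from NetApp or Tenable; it parses both response formats from constructed sample bytes, and the `probe()` function, which is an assumption about how one would send a multi-protocol NEGOTIATE to a filer on TCP 445, lets you verify the filer's own answer independently of the Nessus result, for both dialect families, since an SMB2-only setting will not change what an SMB1 client is told.

```python
"""Classify an SMB server's signing policy from its NEGOTIATE response.

Added example (not from the original post). Offsets and flag values follow
MS-SMB2 2.2.4 and MS-CIFS 2.2.4.52.2; the sample responses are constructed.
"""
import socket
import struct

# SMB2 NEGOTIATE response SecurityMode bits (MS-SMB2 2.2.4)
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002
# SMB1 NT LM 0.12 NEGOTIATE response SecurityMode bits (MS-CIFS 2.2.4.52.2)
SMB1_SIGNATURES_ENABLED = 0x04
SMB1_SIGNATURES_REQUIRED = 0x08


def classify(enabled, required):
    """Map the two signing bits to the three policies discussed in the post."""
    if required:
        return "required"      # the state a 'signing not required' finding wants to see
    return "optional" if enabled else "disabled"


def parse_negotiate_response(data):
    """Return protocol, dialect and signing policy for an SMB1 or SMB2 NEGOTIATE response."""
    if data[:4] == b"\xfeSMB":
        # SMB2: 64-byte header, body starts with StructureSize(65), SecurityMode, DialectRevision
        if len(data) < 64 + 6:
            raise ValueError("truncated SMB2 NEGOTIATE response")
        struct_size, sec_mode, dialect = struct.unpack_from("<HHH", data, 64)
        if struct_size != 65:
            raise ValueError("unexpected SMB2 NEGOTIATE body size %d" % struct_size)
        return {
            "protocol": "SMB2",
            "dialect": "0x%04x" % dialect,
            "signing": classify(sec_mode & SMB2_SIGNING_ENABLED,
                                sec_mode & SMB2_SIGNING_REQUIRED),
        }
    if data[:4] == b"\xffSMB":
        # SMB1: 32-byte header, WordCount(17 for NT LM 0.12), DialectIndex, SecurityMode
        if len(data) < 32 + 4 or data[32] != 17:
            raise ValueError("not an NT LM 0.12 SMB1 NEGOTIATE response")
        sec_mode = data[35]
        return {
            "protocol": "SMB1",
            "dialect": "NT LM 0.12",
            "signing": classify(sec_mode & SMB1_SIGNATURES_ENABLED,
                                sec_mode & SMB1_SIGNATURES_REQUIRED),
        }
    raise ValueError("not an SMB message")


def sample_smb2_response(sec_mode):
    """Constructed SMB2 NEGOTIATE response (dialect 0x0210) with the given SecurityMode."""
    header = b"\xfeSMB" + struct.pack("<H", 64) + b"\x00" * 58
    body = struct.pack("<HHH", 65, sec_mode, 0x0210) + b"\x00" * 59
    return header + body


def sample_smb1_response(sec_mode):
    """Constructed SMB1 NT LM 0.12 NEGOTIATE response with the given SecurityMode byte."""
    header = b"\xffSMB" + bytes([0x72]) + b"\x00" * 27
    body = bytes([17]) + struct.pack("<H", 0) + bytes([sec_mode]) + b"\x00" * 30
    return header + body


def probe(host, port=445, timeout=5.0):
    """Assumed helper: send a multi-protocol NEGOTIATE to a live server and classify its answer.

    Offering both 'NT LM 0.12' and the SMB 2 dialect strings lets a server that
    supports SMB2 answer with an SMB2 response; an SMB1-only server answers in SMB1.
    """
    dialects = b"".join(b"\x02" + d + b"\x00"
                        for d in (b"NT LM 0.12", b"SMB 2.002", b"SMB 2.???"))
    header = (b"\xffSMB" + bytes([0x72])                  # SMB_COM_NEGOTIATE
              + struct.pack("<IBH", 0, 0x18, 0xC801)      # Status, Flags, Flags2
              + b"\x00" * 12                              # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", 0, 0xFEFF, 0, 0))    # TID, PID, UID, MID
    smb = header + bytes([0]) + struct.pack("<H", len(dialects)) + dialects
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(smb)) + smb)      # NetBIOS session header + message
        nb = s.recv(4)
        length = int.from_bytes(nb[1:], "big")
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(data)


if __name__ == "__main__":
    for mode in (0x0001, 0x0003):
        print("SMB2 SecurityMode 0x%04x ->" % mode, parse_negotiate_response(sample_smb2_response(mode)))
    for mode in (0x03, 0x07, 0x0F):
        print("SMB1 SecurityMode 0x%02x ->" % mode, parse_negotiate_response(sample_smb1_response(mode)))
```

Run `probe("filer.example.invalid")` (a placeholder hostname) against a filer after each options change and compare the `signing` value for the protocol the filer answers with; if an SMB1 client is still told "optional", the SMB2-only required setting has not changed what that client negotiates.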