Network and Storage Protocols

Enforcing SMB Signing...?

JLOCKIE_CEFCU
5,118 Views

Our Security Center / Nessus scanner is reporting that our filers are not requiring SMB signing.  This is not good, for security or for compliance/auditing....I must be misunderstanding something?

 

I have researched the following options:

 

  • options cifs.signing.enable on
  • options cifs.smb2.signing.required on (as well as options cifs.smb2.enable on)

According to NTAP documentation, options cifs.signing.enable on will tell the filer to use SMB signing optionally (depending how the clients want); equivelent to GPO option Microsoft Network server policy: Digitally sign communication (if client agrees).  Meanwhile, options cifs.smb2.signing.required will tell the filer to only accept connections from clients that are signed; equivelent to GPO option Microsoft Network server policy: Digitally sign communications (always).  Now, this 2nd setting is how we would do it in a windows network to properly secure things, and meet our guidelines.  Also, we would not generall turn both settings on.  It's one or the other, and the later is the stricter / better one.  Seems to me the slam dunk is to just enable options cifs.smb2.signing.required.  But that does not work...

 

I have tried the following combinations, yet Nessus is still flagging the filers as insecure due to lack of SMB signing.  For those of you that use Nessus it's plug-in ID 57608.

 

SETUP 1:

  • options cifs.signging.enable.on
  • options cifs.smb2.enable on
  • options cifs.smb2.signing.required on

SETUP 2:

  • options cifs.signging.enable.off
  • options cifs.smb2.enable on
  • options cifs.smb2.signing.required on

I guess what I need to know is.....what will it take to require SMB signing on the CIFS servers / filers?  Because both setups above do not work.  Clients are still able to connect unsigned.

2 REPLIES 2

mcgue
5,037 Views
Read through this link:
https://library.netapp.com/ecmdocs/ECMP1401220/html/GUID-084BBC00-EBD4-4899-AD85-9628368D3AF2.html
Part of the discussion is to restart CIFS as part of the process.
Also, I noticed a typo in your first option.  So it looks like the steps would be:
cifs terminate
options cifs.smb2.enable on
options cifs.signing.enable on
options cifs.smb2.signing.required on
cifs restart

 

 

JLOCKIE_CEFCU
4,999 Views

I see the problem.....ugh.  This is not good.  I guess my only option is to accept risk, or to stop using CIFS on the filers?  How can NetApp not have a way to enforce signing and deny any unsigned requests from clients? 

 

If the client cannot establish an SMB 2.x session with signing, the client falls back to an SMB session with or without signing, and the storage system uses whichever the client requests.

Public