Skip to main content

Using SMB signing to enhance network security

SMB signing helps to ensure that network traffic between the SMB server and the client is not compromised; it does this by preventing replay attacks. By default, ONTAP supports SMB signing when requested by the client. Optionally, the storage administrator can configure the CIFS server to require SMB signing.

  • How SMB signing policies affect communication with a CIFS server
    In addition to the CIFS server SMB signing security settings, two SMB signing policies on Windows clients control the digital signing of communications between clients and the CIFS server. You can configure the setting that meets your business requirements.
  • Performance impact of SMB signing
    When SMB sessions use SMB signing, all SMB communications to and from Windows clients experience a performance impact, which affects both the clients and the server (that is, the nodes on the cluster running the SVM containing the SMB server).
  • Recommendations for configuring SMB signing
    You can configure SMB signing behavior between SMB clients and the CIFS server to meet your security requirements. The settings you choose when configuring SMB signing on your CIFS server are dependent on what your security requirements are.
  • Guidelines for SMB signing when multiple data LIFS are configured
    If you enable or disable required SMB signing on the SMB server, you should be aware of the guidelines for multiple data LIFS configurations for an SVM.
  • Enabling or disabling required SMB signing for incoming SMB traffic
    You can enforce the requirement for clients to sign SMB messages by enabling required SMB signing. If enabled, ONTAP accepts SMB messages only if they have valid signatures. If you want to permit SMB signing, but not require it, you can disable required SMB signing.
  • Determining whether SMB sessions are signed
    You can display information about connected SMB sessions on the CIFS server. You can use this information to determine whether SMB sessions are signed. This can be helpful in determining whether SMB client sessions are connecting with the desired security settings.
  • Monitoring SMB signed session statistics
    You can monitor SMB sessions statistics and determine which established sessions are signed and which are not.