How SMB signing policies affect communication with a CIFS server
In addition to the CIFS server's own SMB signing setting, two SMB signing policies on Windows clients control whether communications between the client and the CIFS server are digitally signed. The effective behavior is the combination of the client and server settings, so configure whichever combination meets your security requirements.
Client SMB policies are controlled through Windows local security policy settings, which are configured by using the Microsoft Management Console (MMC) or Active Directory GPOs. For more information about client SMB signing and security issues, see the Microsoft Windows documentation.
Here are descriptions of the two SMB signing policies on Microsoft clients:
Microsoft network client: Digitally sign communications (if server agrees)
This setting controls whether the client's SMB signing capability is enabled. It is enabled by default and only affects SMB 1.0 sessions (SMB 2.x and later always have signing enabled). When this setting is disabled on the client, whether the client's communications with the CIFS server are signed depends on the SMB signing setting on the CIFS server.
Microsoft network client: Digitally sign communications (always)
This setting controls whether the client requires SMB signing to communicate with a server. It is disabled by default. When this setting is disabled on the client, the signing behavior is determined by the Microsoft network client: Digitally sign communications (if server agrees) policy and by the setting on the CIFS server.
Note: If your environment includes Windows clients configured to require SMB signing, you must enable SMB signing on the CIFS server. If you do not, the CIFS server cannot serve data to these systems.
The effective result of the client and CIFS server SMB signing settings depends on whether the session uses SMB 1.0 or SMB 2.x and later.
The following table summarizes the effective SMB signing behavior if the session uses SMB 1.0:
Client | ONTAP—signing not required | ONTAP—signing required |
---|---|---|
Signing disabled and not required | Not signed | Signed |
Signing enabled and not required | Not signed | Signed |
Signing disabled and required | Signed | Signed |
Signing enabled and required | Signed | Signed |
The following table summarizes the effective SMB signing behavior if the session uses SMB 2.x or SMB 3.0:
Client | ONTAP—signing not required | ONTAP—signing required |
---|---|---|
Signing not required | Not signed | Signed |
Signing required | Signed | Signed |
The following table summarizes the default Microsoft client and server SMB signing behavior:
Protocol | Hash algorithm | Can enable/disable | Can require/not require | Client default | Server default | DC default |
---|---|---|---|---|---|---|
SMB 1.0 | MD5 | Yes | Yes | Enabled (not required) | Disabled (not required) | Required |
SMB 2.x | HMAC SHA-256 | No | Yes | Not required | Not required | Required |
SMB 3.0 | AES-CMAC | No | Yes | Not required | Not required | Required |
Microsoft no longer recommends using the Digitally sign communications (if client agrees) or Digitally sign communications (if server agrees) Group Policy settings, nor the corresponding EnableSecuritySignature registry values. These options only affect SMB 1 behavior and are superseded by the Digitally sign communications (always) Group Policy setting or the RequireSecuritySignature registry value. Note also that the client defaults in the table above describe older Windows releases; Windows 11 24H2 and Windows Server 2025 require SMB signing by default for outbound client connections. You can also get more information from the Microsoft Blog.
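The following PowerShell script is an added example, not part of the NetApp page or of any NetApp tooling. It reads the two client policies described above (as the resolved RequireSecuritySignature and EnableSecuritySignature values), shows the same values as Group Policy writes them to the registry, and then checks whether a live session to the CIFS server is actually signed, which is the end result the effective-behavior tables predict. The server name cifs1.example.com and the share name data are placeholders; the script assumes an elevated PowerShell on Windows 8 / Windows Server 2012 or later, where the SmbShare cmdlets exist.

```powershell
# Added example (not from the NetApp page): audit SMB signing from the Windows
# client side and confirm that live sessions to a CIFS server are signed.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later (SmbShare
# module present); the server and share names below are placeholders.
param(
    [string]$ServerName = 'cifs1.example.com',   # placeholder ONTAP CIFS server
    [string]$ShareName  = 'data'                 # placeholder share on that server
)

# 1. Effective client policy. These two values are what the Group Policy
#    settings write:
#      "Digitally sign communications (always)"           -> RequireSecuritySignature
#      "Digitally sign communications (if server agrees)" -> EnableSecuritySignature
#    The second one only matters for SMB 1.0; SMB 2.x/3.x signing is always
#    enabled and is governed by RequireSecuritySignature alone.
$client = Get-SmbClientConfiguration
$server = Get-SmbServerConfiguration
[pscustomobject]@{
    ClientRequireSigning = $client.RequireSecuritySignature
    ClientEnableSigning  = $client.EnableSecuritySignature
    SMB1Enabled          = $server.EnableSMB1Protocol
} | Format-List

# The same values as stored under the LanmanWorkstation key (absent = default).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
    Select-Object RequireSecuritySignature, EnableSecuritySignature

# 2. Live check against the CIFS server: touch the share to establish a session,
#    then read the Signed flag of the resulting SMB connection. For an SMB 2.x/3.x
#    session, Signed=False means neither the client nor the CIFS server required
#    signing; if the server requires signing, every row must show True.
$null = Test-Path -Path "\\$ServerName\$ShareName"
Get-SmbConnection -ServerName $ServerName |
    Select-Object ServerName, ShareName, Dialect, Signed, Encrypted

# 3. Enforce signing on the client (same effect as setting the "(always)" policy
#    to Enabled). Uncomment to apply. Per the note above, the CIFS server must then
#    be able to sign, or it cannot serve data to this client.
# Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
```

On the ONTAP side, the matching server setting is the clustered ONTAP CLI option `vserver cifs security modify -vserver <svm> -is-signing-required true` (inspect it with `vserver cifs security show -vserver <svm> -fields is-signing-required`), and `vserver cifs session show -vserver <svm> -fields is-session-signed` reports per session whether signing is in effect; compare that output with the Signed column the script prints to confirm both ends agree.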