Microsoft network client: Digitally sign communications (always)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options


Determines whether the computer always digitally signs client communications.

The Server Message Block (SMB) authentication protocol in Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional supports mutual authentication, which closes off "man-in-the-middle" attacks, and message authentication, which prevents active message attacks. SMB signing provides this authentication by placing a digital signature into each SMB packet, which is then verified by both the client and the server.

To use SMB signing, you must either enable it or require it on both the SMB client and the SMB server. If SMB signing is enabled on a server, clients that are also enabled for SMB signing use the packet signing protocol during all subsequent sessions. If SMB signing is required on a server, a client cannot establish a session unless it is at least enabled for SMB signing.

If this policy is enabled, it requires the SMB client to sign packets. If this policy is disabled, it does not require the SMB client to sign packets.
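The following Python sketch is an added example, not part of the original page. It models the enabled/required rules described above and reports which client/server pairs change behavior when this policy is switched to "always" on every client. The host names, the three-state model, and the assumption that a client requiring signing is refused by a server with signing disabled (the mirror of the server-side rule) are constructed for illustration.

```python
from enum import IntEnum
from itertools import product

class Signing(IntEnum):
    DISABLED = 0   # signing neither enabled nor required
    ENABLED = 1    # signs when the peer is also enabled
    REQUIRED = 2   # "Digitally sign communications (always)"

def negotiate(client: Signing, server: Signing) -> str:
    """Session outcome for one client/server pair under the rules above."""
    pair = (client, server)
    if Signing.REQUIRED in pair and Signing.DISABLED in pair:
        return "refused"    # one side requires signing, the other cannot sign
    if client >= Signing.ENABLED and server >= Signing.ENABLED:
        return "signed"
    return "unsigned"       # session works, but without message authentication

def rollout_impact(clients: dict, servers: dict) -> dict:
    """Compare each pair today with the same pair once the client is REQUIRED."""
    report = {"newly_refused": [], "newly_signed": [], "unchanged": []}
    for (c_name, c_set), (s_name, s_set) in product(clients.items(), servers.items()):
        before = negotiate(c_set, s_set)
        after = negotiate(Signing.REQUIRED, s_set)
        if after == before:
            key = "unchanged"
        elif after == "refused":
            key = "newly_refused"
        else:
            key = "newly_signed"
        report[key].append((c_name, s_name, before, after))
    return report

# Constructed inventory (hypothetical host names and settings).
CLIENTS = {"ws-01": Signing.DISABLED, "ws-02": Signing.ENABLED}
SERVERS = {"fs-legacy": Signing.DISABLED, "fs-main": Signing.ENABLED,
           "dc-01": Signing.REQUIRED}

if __name__ == "__main__":
    for category, rows in rollout_impact(CLIENTS, SERVERS).items():
        print(category)
        for client, server, before, after in rows:
            print(f"  {client} -> {server}: {before} -> {after}")
```

Pairs listed under newly_refused identify servers that need signing enabled before the policy is applied to clients.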

Default: Disabled



SMB signing imposes a performance penalty on your system. Although it does not consume any more network bandwidth, it does use more CPU cycles on the client and server side.

For more information, see:

Security Configuration Manager Tools
