SMB signing and security

The pros and cons of a block-level security feature

Server Message Block security has two main components: user level and share level. The first governs access to the server; the second, if share-level authentication has been configured on the server, governs access to files, folders, and printers. Most readers of this column already know these aspects of SMB security, but you may not know about another feature called "SMB signing." It has been present in every version of Windows since NT4. It places a digital signature on each server message block, which is checked by both the SMB client and the SMB server, in order to defeat so-called "man-in-the-middle" attacks and to guarantee that SMB traffic is not altered in transit.

SMB signing can be "enabled" or "required" on both the client side and the server side of an SMB conversation. If SMB signing is enabled on both computers communicating via SMB, then SMB signing will be used. If SMB signing is required on one of the two computers, then the connection will only be made if SMB signing is at least enabled on the other computer. To reliably prevent man-in-the-middle attacks, the server should be set to require SMB signing rather than merely enable it, because an intruder could strip the signature from an altered packet and it would still be accepted.

There has been much discussion over the years about the performance impact of SMB signing; many have reported a 10% reduction in file copy speed and Microsoft says "up to 15%". There has also been discussion as to whether it's really necessary, or superfluous considering other existing security measures: some have said that SMB signing is analogous to locking your office door every time you go get a cup of coffee. (Almost nobody has office doors anymore, but you get the idea.) Also, SMB signing can interfere with some versions of TCP optimization products. Finally, if you're using IPsec, the need for SMB signing may be less pressing, although it will still help prevent "inside jobs" (man-in-the-middle attacks from credentialed users).

You can set the SMB signing status via Group Policy; it's under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. Look for the policies named "Microsoft network client: Digitally sign communications." Read the voluminous "explain" text for these settings to gain a deeper understanding of each one; check out Jesper Johansson's interesting article on TechNet titled "How to Shoot Yourself in the Foot with Security"; and if you are going to require SMB signing on your network, plan to do some thorough testing to make sure the change doesn't create performance or compatibility problems.
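Before requiring signing, an administrator will want to know what the current machine is configured for and what the enabled/required rules above mean for a given client and server pair. The script below is an added example, not code from the original column: it assumes Windows 8 / Windows Server 2012 or later (where the `Get-SmbServerConfiguration` and `Get-SmbClientConfiguration` cmdlets exist), an elevated PowerShell prompt, and the `LanmanServer` / `LanmanWorkstation` registry values that the Group Policy "Digitally sign communications" settings (both the "Microsoft network client" and the matching "Microsoft network server" policies) write to. `Get-SmbSigningOutcome` is a hypothetical helper that encodes the column's negotiation rules so you can test any combination, not just the local one.

```powershell
# Added example (not from the original column). Assumes Windows 8 / Server 2012 or later
# and an elevated prompt. Reports signing configuration and evaluates the negotiation rules.

function Get-SmbSigningState {
    # Reads signing settings from the SMB cmdlets and from the registry values
    # that the Group Policy "Digitally sign communications" settings write.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    $srvReg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    $cliReg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServerEnabled          = [bool]$srv.EnableSecuritySignature
        ServerRequired         = [bool]$srv.RequireSecuritySignature
        ClientEnabled          = [bool]$cli.EnableSecuritySignature
        ClientRequired         = [bool]$cli.RequireSecuritySignature
        ServerRegistryRequired = [bool]$srvReg.RequireSecuritySignature   # what policy pushed
        ClientRegistryRequired = [bool]$cliReg.RequireSecuritySignature
    }
}

function Get-SmbSigningOutcome {
    # Hypothetical helper: applies the enabled/required rules from the column
    # to one client/server pair and says what the connection would look like.
    param(
        [bool]$ClientEnabled, [bool]$ClientRequired,
        [bool]$ServerEnabled, [bool]$ServerRequired
    )
    # "Required" implies "enabled" on that side.
    if ($ClientRequired) { $ClientEnabled = $true }
    if ($ServerRequired) { $ServerEnabled = $true }

    # One side insists, the other has signing disabled: no connection at all.
    if (($ClientRequired -and -not $ServerEnabled) -or ($ServerRequired -and -not $ClientEnabled)) {
        return 'Refused: one side requires signing, the other has it disabled'
    }
    # Both at least enabled: every block is signed and verified.
    if ($ClientEnabled -and $ServerEnabled) {
        return 'Signed'
    }
    # Nobody insists: traffic goes unsigned, so tampering would go unnoticed.
    return 'Unsigned: neither side requires it, altered packets would be accepted'
}

# Report this machine's settings, then evaluate its own client/server pair.
$state = Get-SmbSigningState
$state | Format-List

$outcome = Get-SmbSigningOutcome -ClientEnabled $state.ClientEnabled -ClientRequired $state.ClientRequired `
                                 -ServerEnabled $state.ServerEnabled -ServerRequired $state.ServerRequired
"Local client <-> local server would negotiate: $outcome"

# The column's key point: "enabled" on the server is not enough.
if (-not $state.ServerRequired) {
    Write-Warning 'Server-side signing is enabled at most, not required; a stripped-signature packet would still be accepted.'
}

# Show whether the sessions currently open from this machine are actually signed.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed
```

Run the script on a representative client and on the file server before and after the policy change; the `Signed` column of `Get-SmbConnection` is the quickest way to confirm that live sessions, not just the configuration, are being signed, and the warning line flags the enabled-but-not-required state the column singles out as insufficient against an attacker who strips signatures.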


© 2010 Raybet2
