ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Server Message Blocking Signing (SMB) Required for DCS to Function

book

Article ID: 173268

calendar_today

Updated On:

Products

Data Center Security Server Advanced

Issue/Introduction

Occasionally security auditing companies may scan for vulnerabilities on your entire business infrastructure with your approval (Vulnerability Scanning; Nessus for example is a common Vulnerability Scanner used by auditing companies). There may be reports that SMB Signing is either:

  • Enabled
  • Disabled

This applied directly on your DCS Manager in a Windows Server environment. Some companies may even recommend that you enable SMB to ensure packets are sent and received from trusted sources. This begs the question, "Is SMB required for DCS to function?"

Cause

Windows Server either has SMB Enabled or Disabled.

Environment

Windows Family Products include:

  • Windows 2000
  • Windows Server 2008
  • Windows Vista SP1
  • Windows Server 2008 R2
  • Windows 7
  • Windows Server 2012
  • Windows 8
  • Windows 10

To identify if SMB signing is included and what versions it is:

  1. Open PowerShell as Administrator
  2. Type Get-SmbConnection

Resolution

Rather than target SMB directly, we recommend:

  • Upgrading to the latest version of DCS

If you are unable to upgrade DCS to ensure greater security measures, you may also Enable or Disable SMB Signing on the DCS Manager in question, which will not affect communication between Agents and the DCS Manager:

Note: This will affect other timestamps and verification of communication regarding non-repudiation between the Server and between other applications, such as Samba. Consult with your Network and Security Administrator to decide if this option is right for you.

  1. On the Windows Server/Manager in question, click on Start (Windows Key)
  2. Type "Local Security Policy"
  3. Expand Local Policies > Security Options
  4. Locate "Microsoft network server: Digitally sign communications (always)"
  5. Here you may Enable or Disable SMB

Attachments