JoshuaThompson-9840 asked JoshuaThompson-9840 answered

SMB Signing

I have the below policies pushed out on the Default Domain Policy for my organization.
Computer > Policies > Windows Settings > Security > Local Policies > Security Options > Microsoft network server: Digitally sign communications (always)
Computer > Policies > Windows Settings > Security > Local Policies > Security Options > Microsoft network client: Digitally sign communications (always)

If I run an RSOP on the various servers I can verify the policy settings are in place.

When I run 'Get-SMBConnection' on various servers I can see SMB connections.
When I run 'Get-SMBConnection | fl signed' I see some of these connections show 'signed: True' and some show 'signed: False'.

Servers are all Win 2016 / 2019

If the policy is pushed out via the Default Domain Policy, why aren't all the connections showing 'signed: True'?

What am I missing?

Tags: windows-server, windows-group-policy

AsterWeiMSFT-8201 answered DaisyZhou-MSFT edited

Hello @JoshuaThompson-9840,

Thank you for posting here.

From the link below, we can see the function of the following two commands is: get connections from an SMB client to SMB servers.

Get-SmbConnection
Get-SMBConnection | fl signed

Get-SmbConnection
https://docs.microsoft.com/en-us/powershell/module/smbshare/get-smbconnection?view=windowsserver2019-ps


Please troubleshoot as below:
1. Force entire AD replication by running the command repadmin /syncall /AdeP on one DC.

2. Wait about ten minutes, then run gpupdate /force on the machine showing 'signed: False'.

3. Please check the gpresult report on the machine showing 'signed: False'.

Log on to the machine using the domain Administrator.
Open CMD (run as Administrator).
Type gpresult /h C:\gpo.html and press Enter.
Open gpo.html and check if the following two settings are enabled under "Computer Details".

Computer > Policies > Windows Settings > Security > Local Policies > Security Options > Microsoft network server: Digitally sign communications (always) ==> Enabled
Computer > Policies > Windows Settings > Security > Local Policies > Security Options > Microsoft network client: Digitally sign communications (always) ==> Enabled

If all of the above is OK, please access the shared folder from the machine showing 'signed: False'.

Then check the SMB connection again using the commands below.

Get-SmbConnection
Get-SMBConnection | fl signed


Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Aster Wei

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
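An added example (not from the thread or from Microsoft) that runs the checks in the troubleshooting steps above in one pass: it reads the registry values the two "Digitally sign communications (always)" policies write, shows what the SMB server and client components currently enforce, and lists the live outbound sessions with their Signed state. The registry paths are the documented targets of those policies; the script assumes it runs elevated on a server that still shows 'signed: False' connections.

```powershell
# Added example: compare the signing setting the GPO should have applied
# with what the SMB stack and its live client sessions actually report.
# Run in an elevated PowerShell on a server showing 'Signed: False'.

# 1. Registry values written by the two policies (server side and client side).
$policyPaths = @{
    'Microsoft network server (LanmanServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    'Microsoft network client (LanmanWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
}
foreach ($name in $policyPaths.Keys) {
    $item = Get-ItemProperty -Path $policyPaths[$name] -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    $state = if ($null -eq $item) { 'not set (policy not applied yet)' }
             elseif ($item.RequireSecuritySignature -eq 1) { 'required' }
             else { 'not required' }
    '{0}: RequireSecuritySignature = {1}' -f $name, $state
}

# 2. What the SMB server and client components enforce right now.
'--- SMB server configuration ---'
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
'--- SMB client configuration ---'
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

# 3. Live outbound sessions. Signing is negotiated when a session is set up, so a
#    session established before the policy took effect keeps reporting
#    Signed: False until it is torn down and re-established (which is why the
#    thread saw the state change only after waiting or restarting).
'--- Current SMB client sessions ---'
$conns = Get-SmbConnection | Select-Object ServerName, ShareName, UserName, Dialect, Signed
$conns | Sort-Object Signed, ServerName | Format-Table -AutoSize

$unsigned = $conns | Where-Object { -not $_.Signed }
if ($unsigned) {
    'Unsigned sessions still open to: ' + (($unsigned.ServerName | Sort-Object -Unique) -join ', ')
} else {
    'All current SMB client sessions are signed.'
}
```

If step 1 reports "not set" while gpresult shows the setting as Enabled, the policy has not been applied on this host yet; if the registry and configuration both say "required" but unsigned sessions remain, they are pre-existing sessions that will go away when they are re-established.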

JoshuaThompson-9840 answered

I ran a test and 'Get-SMBConnection | fl signed' did not come back with all connections showing as TRUE until the server was restarted.
I will restart other servers tonight and confirm whether this was a one-time occurrence or if this restart fixed the problem.
Thank you,

JoshuaThompson-9840 answered

No restart needed. Just patience :)
After checking again, all connections on ALL my servers are coming back with SMB signed TRUE except for one connection.