- Article
Important
Windows Insider and Windows Server Insider builds are in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
How SMB signing works
Server Message Block (SMB) signing is a security feature that uses the session key and cipher suite to add a signature to a message going across a connection. This signature contains a hash of the entire message in the SMB header. If someone tampers with the message in transit, the data in the tampered message doesn't match the hash in the signature. The hash also includes the identities of the original sender and the intended recipient. Signature mismatches alert users to possible foul play, helping them protect their deployments from relay and spoofing attacks.
SMB signing requirements can involve both outbound signing, which covers traffic from the SMB client, and inbound signing, which covers traffic to the server. Windows and Windows Server can require outbound signing only, inbound signing only, both, or neither. For example:
Windows 11 Insiders Enterprise, Pro, and Education require both outbound and inbound SMB signing.
Windows Server Insiders requires outbound SMB signing only.
Windows 11 Insider Home edition doesn't require outbound or inbound SMB signing.
See AlsoImpact when disabling SMBv2/v3 for all Windows Server 2016 OS and above? - Microsoft Q&AIs it recommended to disable both SMB1 and SMB2[Network Place (Samba) Share] How to access the files on Network Devices using SMBv1 in Windows 10 ? | Official Support | ASUS Global[MS-SMB2]: SMB2 ERROR Response
SMB signing behavior
Although all versions of Windows and Windows Server support SMB signing, a third-party may opt to disable or not support it. If you try to connect to a remote share on a third-party SMB server that doesn't allow SMB signing, you may encounter one of the following error messages:
0xc000a000-1073700864STATUS_INVALID_SIGNATURE The cryptographic signature is invalid.To resolve this issue, adjust the settings on your third-party SMB server to allow (enable) SMB signing.
When you try to connect to third-party devices that use guest accounts to simplify access, you may receive one of these error messages:
You can't access this shared folder because your organization's security policies blockunauthenticated guest access. These policies help protect your PC from unsafe or maliciousdevices on the network.Error code: 0x80070035The network path was not found.System error 3227320323 has occurred.Disabling SMB signing may be necessary if you're unable to disable guest usage for your third-party. However, this means that you're using guest access and preventing your client from ensuring signing to a trusted device.
Caution
We don't recommend disabling SMB signing as a workaround for third-party servers. We also don't recommend trying to sign with guest accounts.
Prerequisites
In order to control SMB signing behavior and maximize its capabilities, your system must be running one of the following two operating systems:
- Windows 11 Insider Preview Build 25905 or later
- Windows Server Preview Build 26010 or later
You should also follow these recommendations to ensure your SMB signatures are effective at securing your data:
- Use Kerberos instead of NTLMv2.
- Don't connect to shares using IP addresses.
- Don't use CNAME DNS records. Instead, assign alternate computer names with NETDOM.EXE.
Disable SMB signing
SMB signing is required by default on the latest Insider Preview builds of Windows 11 and Windows Server. All Windows environments support SMB signing. However, if your environment uses third-party servers and the third-party server doesn't support SMB signing, you can't connect to the remote share.
Requiring SMB signing also disables guest access to shares. In these cases, you must disable SMB signing manually to restore access for guest accounts. You can manually disable SMB signing through Group Policy, PowerShell, and Windows Admin Center.
Note
If you need to modify the Active Directory domain-based group policy, use Group Policy Management (gpmc.msc).
- Group Policy
- PowerShell
- Windows Admin Center
To disable SMB signing in Group Policy, perform the following steps:
Select Start, type gpedit.msc, then hit Enter.
In the Local Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Open Microsoft network client: Digitally sign communications (always), select Disabled, then select OK.
Enable SMB signing
SMB signing ensures data integrity by verifying that data isn't tampered with during transmission. Additionally, SMB signing provides authentication by verifying the identity of the server and client, which helps prevent adversary-in-the-middle attacks.
- Group Policy
- PowerShell
- Windows Admin Center
To enable SMB signing in Group Policy, perform the following steps:
Select Start, type gpedit.msc, then hit Enter.
In the Local Group Policy Editor, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Open Microsoft network client: Digitally sign communications (always), select Enabled, then select OK.
Verify SMB signing status
To check if SMB signing is enabled or disabled on your SMB client or SMB server, run the following command:
Get-SmbClientConfiguration | FL RequireSecuritySignatureGet-SmbServerConfiguration | FL RequireSecuritySignatureIf the returned information is True, then SMB signing is enabled, otherwise, if the returned information is False, then SMB signing is disabled.
Related content
Overview of File Sharing using the SMB 3 protocol in Windows Server
SMB over QUIC
SMB security enhancements
How to enable insecure guest logons in SMB2 and SMB3
