Project

General

Profile

Feature #11033

It's time to require SMB signing by default

Added by Gordon Ross 5 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Start date:
2019-05-15
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

for historical reasons (compatibility with old clients)
our default setting for smb signing is "enabled".
It's time to change the default to "required".
An admin with ancient clients can always change it back to "enabled".

Note that SMB signing can have a significant performance impact. Administrators may want to change the "SMB signing" setting to "enabled" (as it was in earlier releases) if performance is greater concern than defense against "man in the middle" attacks.

History

#1

Updated by Gordon Ross 5 months ago

  • Description updated (diff)
  • Status changed from New to In Progress

Testing: verify SMB signing is required in new installations (examine network capture)

#2

Updated by Electric Monk about 2 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 58f3189518d9e749f916c2666f0d2914e1fac538

commit  58f3189518d9e749f916c2666f0d2914e1fac538
Author: Gordon Ross <gwr@nexenta.com>
Date:   2019-08-22T21:44:31.000Z

    11033 It's time to require SMB signing by default
    Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
    Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
    Reviewed by: Garrett D'Amore <garrett@damore.org>
    Approved by: Garrett D'Amore <garrett@damore.org>

Also available in: Atom PDF