Table of Contents
Advertisement
In SMB1, enabling signing significantly decreases performance, especially when going
across a WAN. There is limited degradation in performance with SMB2 and SMB3
signing as compared to SMB1. The performance impact of signing will be greater when
using faster networks.
Configure SMB signing with GPOs
Table 13
on page 47 explains the GPOs available for SMB1 signing.
Note
For SMB2 and SMB3, each version has a GPO for each side (server-side and client-
side) to enable the Digitally sign communications (always) option. Neither server-side
nor client-side has a GPO to enable the Digitally sign communications (if client agrees)
option.
Table 13 SMB1 signing GPOs
GPO name
Microsoft network server:
Digitally sign communications
(always)
Microsoft network server:
Digitally sign communications
(if client agrees)
Microsoft network client:
Digitally sign communications
(always)
Microsoft network client:
Digitally sign communications
(if server agrees)
You can also configure SMB signing through the Windows Registry. If a GPO service is
not available, such as in a Windows NT environment, the Registry settings are used.
Configure SMB signing with the Windows Registry
Registry settings affect only the individual server or client that you configure. Registry
settings are configured on individual Windows workstations and servers and affect
individual Windows workstations and servers.
Note
The following Registry settings pertain to Windows NT with SP 4 or later. These
Registry entries exist in Windows Server, but should be set through GPOs.
The server-side settings are located in: HKEY_LOCAL_MACHINE\System
\CurrentControlSet\Services\lanmanserver\parameters\
Note
For SMB2 and SMB3, each version has a Registry key for each side (server-side and
client-side) to enable the requiresecuritysignature option. Neither server-side nor
client-side has a Registry key to enable the enablesecuritysignature option.
What it controls
Whether the server-side SMB
component requires signing
Whether the server-side SMB
component has signing
enabled
Whether the client-side SMB
component requires signing
Whether the client-side SMB
component has signing
enabled
Protocol (SMB) encryption and signing
Communication Security
Default setting
Disabled
Disabled
Disabled
Enabled
47
Hide quick links:
Advertisement
Table of Contents
Need help?
Do you have a question about the EMC Unity Family and is the answer not in the manual?
Questions and answers