
Windows - Security - ENABLE SMB Signing

Enables SMB digital signing on Windows endpoints to protect file sharing traffic from tampering and interception

Worklet Details

What the SMB Signing Enabler does

This Automox Worklet™ enables SMB digital signing on Windows endpoints by configuring the EnableSecuritySignature registry value for both the SMB client (LanManWorkstation) and SMB server (LanManServer) services. SMB signing attaches a keyed message authentication code, derived from the session key established at authentication, to each SMB message, so the recipient can verify that the message was not modified in transit and was produced by the authenticated peer.

The Worklet configures two registry locations: HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters for the SMB client role and HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters for the SMB server role. Setting EnableSecuritySignature to 1 enables signing capability on both ends of SMB connections.

This configuration differs from SMB signing enforcement. Enabling (EnableSecuritySignature = 1) advertises that the endpoint supports signing and signs when the peer negotiates it; enforcement (RequireSecuritySignature = 1) refuses sessions that cannot be signed. Enable signing first and enforce only after confirming compatibility, to avoid connectivity issues. One caveat a practitioner should know: the SMB2 and SMB3 implementations in Windows always support signing and ignore EnableSecuritySignature, so on those dialects this value changes nothing on the wire. It still matters for SMB1 and for the compliance baseline, but the setting that actually blocks unsigned sessions is RequireSecuritySignature.

Why enable SMB digital signing

SMB relay and man-in-the-middle attacks rely on unsigned SMB sessions. An attacker positioned on the network can capture NTLM challenge-response exchanges for offline cracking, relay an intercepted authentication to another server to obtain a session as that user, or modify file data in transit. Signing binds every SMB message to a session key derived from the authentication; a relaying attacker never obtains that key, so a server that requires signed sessions rejects the relayed connection, and any tampered message fails verification. Merely enabling signing does not stop relay, because the attacker controls the negotiation and can simply not sign; the protection takes effect once the target requires signatures.

Security frameworks including the CIS Benchmarks recommend enabling SMB signing on all Windows systems. The setting protects against network-based attacks without significantly impacting performance on modern systems: SMB 2.x signs with HMAC-SHA256, SMB 3.0 with AES-CMAC, and SMB 3.1.1 with AES-GMAC (Windows Server 2022 and Windows 11), so the overhead on current hardware is small.

Enabling SMB signing serves as a prerequisite for enforcement. By enabling signing across your environment first, you can verify compatibility before requiring signed connections. This staged approach reduces the risk of disrupting file sharing access during security hardening.

How SMB signing enablement works

  1. Evaluation phase: The Worklet checks the EnableSecuritySignature registry value for both LanManWorkstation and LanManServer parameters. If either value does not equal 1 (enabled), the endpoint requires remediation. The Worklet handles missing registry values as non-compliant.

  2. Remediation phase: The Worklet creates the EnableSecuritySignature registry property if it does not exist, or updates the existing value to 1. It applies this configuration to both client and server service parameters. The change takes effect immediately without requiring a reboot.
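The two phases above, written out as one stand-alone PowerShell script. This is an added example, not the Automox Worklet's own evaluation or remediation code; it assumes an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or later, and it uses the exit-code convention assumed here (0 = compliant or remediated, 1 = non-compliant or remediation failed). The -Remediate switch, the function names and the Show-SmbSigningState report are this example's own additions.

```powershell
<#
  Added example (not the Automox Worklet's script).
  Evaluates and, with -Remediate, fixes EnableSecuritySignature for both SMB roles.
  Assumed exit codes: 0 = compliant / remediated, 1 = non-compliant / failed.
  Usage:  .\Enable-SmbSigning.ps1             # evaluation only
          .\Enable-SmbSigning.ps1 -Remediate  # evaluate, fix, re-evaluate
#>
[CmdletBinding()]
param([switch]$Remediate)

$Name  = 'EnableSecuritySignature'
$Value = 1
# Ordered so the client role is always reported before the server role.
$Targets = [ordered]@{
    'SMB client (LanManWorkstation)' = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'
    'SMB server (LanManServer)'      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
}

function Get-SigningValue {
    param([string]$Path)
    # Returns the DWORD, or $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SmbSigningEnabled {
    # $true only when both roles carry EnableSecuritySignature = 1.
    # A missing key or value is non-compliant. Status lines go to Write-Host on
    # purpose: Write-Output would land in the function's return stream and make
    # "if (Test-SmbSigningEnabled)" true even when the boolean result is $false.
    $compliant = $true
    foreach ($role in $Targets.Keys) {
        $current = Get-SigningValue -Path $Targets[$role]
        $state = if ($null -eq $current) { 'missing' } else { $current }
        if ($current -ne $Value) { $compliant = $false }
        Write-Host ('{0}: {1} = {2}' -f $role, $Name, $state)
    }
    return $compliant
}

function Set-SmbSigningEnabled {
    # Creates the Parameters key if needed, then creates or overwrites the value.
    foreach ($role in $Targets.Keys) {
        $path = $Targets[$role]
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # -Force overwrites an existing value, so one call covers create and update.
        New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        Write-Host ('{0}: set {1} = {2}' -f $role, $Name, $Value)
    }
}

function Show-SmbSigningState {
    # Effective configuration as the SMB services report it (SmbShare module).
    Get-SmbClientConfiguration |
        Select-Object @{n = 'Role'; e = { 'Client' }}, EnableSecuritySignature, RequireSecuritySignature
    Get-SmbServerConfiguration |
        Select-Object @{n = 'Role'; e = { 'Server' }}, EnableSecuritySignature, RequireSecuritySignature
}

# Evaluation phase
if (Test-SmbSigningEnabled) { Write-Host 'Compliant'; exit 0 }
if (-not $Remediate)        { Write-Host 'Non-compliant'; exit 1 }

# Remediation phase, followed by a re-evaluation and an effective-state report
Set-SmbSigningEnabled
if (Test-SmbSigningEnabled) {
    Show-SmbSigningState | Format-Table -AutoSize
    exit 0
}
exit 1
```

The registry read is what the Worklet evaluates; the Get-SmbClientConfiguration / Get-SmbServerConfiguration report at the end shows the values the services actually hold, which is the quicker check on a pilot endpoint and also exposes RequireSecuritySignature for the later enforcement step.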

SMB signing enablement requirements

  • Windows 8 or later, Windows Server 2012 or later

  • Administrative privileges to modify HKLM registry

  • No reboot required

  • Compatible with both domain-joined and standalone endpoints

Expected SMB behavior after remediation

After remediation, the endpoint advertises signing support on both roles. Whether a given session is actually signed depends on the dialect: over SMB1 a session is signed when both sides have signing enabled, while over SMB2 and SMB3 it is signed only if at least one side requires it, so connections to peers that neither require nor enforce signing continue to work unsigned. You can verify the registry configuration by reading the EnableSecuritySignature values under both the LanManWorkstation and LanManServer Parameters keys, and the effective service configuration with Get-SmbClientConfiguration and Get-SmbServerConfiguration, both of which expose EnableSecuritySignature and RequireSecuritySignature.

To confirm whether active connections are signed, run Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed from PowerShell; on current Windows builds the property is named Signed, not SigningEnabled. Once signing is enabled across your environment, consider deploying the ENFORCE SMB Signing Worklet to require signed connections and reject unsigned communication.

How to validate ENABLE SMB Signing changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state with checks aligned to the evaluation script, which reads both registry values with Get-ItemPropertyValue in a ForEach-Object loop and reports them with Write-Output.

  4. Validate the remediation, which reads each key with Get-ItemProperty and writes the value with New-ItemProperty, then rerun the evaluation to confirm compliance.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
