
Windows - Security - ENFORCE SMB Signing

Enforces mandatory SMB digital signing on Windows endpoints to require signed file sharing connections

Worklet Details

What the SMB Signing Enforcer does

This Automox Worklet™ enforces mandatory SMB digital signing on Windows endpoints by configuring the RequireSecuritySignature registry value for both SMB client (LanManWorkstation) and SMB server (LanManServer) services. Unlike enabling SMB signing, enforcement requires all SMB connections to be signed, refusing any connection that cannot be signed.

The Worklet configures two registry locations: HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters for the SMB client role and HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters for the SMB server role. Setting RequireSecuritySignature to 1 makes signing mandatory for all SMB communications.

The Worklet examines two registry keys: HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters and HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters.

The change takes effect immediately without requiring a reboot. If you experience connectivity issues after enforcement, you can revert by setting $requireSMBSigning to 0 and re-running the Worklet.

Why enforce SMB digital signing

SMB relay attacks remain effective when signing is enabled but not enforced, as attackers can force endpoints to downgrade to unsigned connections. Enabling SMB signing without enforcement allows signed connections when both parties support signing, but permits unsigned connections as a fallback. This Worklet closes that avenue by refusing unsigned connections entirely, blocking relay attacks even when an attacker is positioned on the network path.

By requiring signed connections, you prevent attackers from capturing and relaying SMB authentication traffic even when they have positioned themselves on the network path. This provides stronger protection for file shares, print services, and other SMB-based resources.

CIS Benchmarks recommend enforcing SMB signing on all Windows systems for maximum protection. The performance impact on modern systems is minimal, and SMB 3.0 includes hardware acceleration for signing operations on supported processors.

How SMB signing enforcement works

  1. Evaluation phase: The Worklet checks the RequireSecuritySignature registry value for both LanManWorkstation and LanManServer parameters. If either value does not equal 1 (required), the endpoint requires remediation. Missing registry values are treated as non-compliant.

  2. Remediation phase: The Worklet creates the RequireSecuritySignature registry property if it does not exist, or updates the existing value to 1. It applies this configuration to both client and server service parameters. The change takes effect immediately for new connections.
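The two phases above, written out as an added PowerShell example (this is not the Worklet's own script). It reads and writes the two Parameters keys named on the page, treats a missing RequireSecuritySignature value as non-compliant, and reuses the `$requireSMBSigning` variable from the revert instructions. The `-Mode` parameter and the function names are assumptions introduced for this example; Automox runs evaluation and remediation as separate scripts, so the two branches are what each of those scripts would contain.

```powershell
# Added example, not the Worklet's own code. Run from an elevated PowerShell
# session; HKLM writes require administrative privileges.
param(
    [ValidateSet('Evaluate', 'Remediate')]
    [string]$Mode = 'Evaluate'   # assumed switch; the real Worklet uses two scripts
)

$requireSMBSigning = 1           # set to 0 to revert enforcement, as described above

$smbParameterKeys = @(
    'HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters',  # SMB client role
    'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters'        # SMB server role
)

function Get-SmbSigningState {
    # One record per key with the current RequireSecuritySignature value.
    # Current is $null when the key or the property is missing.
    foreach ($key in $smbParameterKeys) {
        $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $current = if ($null -ne $props) { $props.RequireSecuritySignature } else { $null }
        [pscustomobject]@{
            Key       = $key
            Current   = $current
            Compliant = ($null -ne $current -and [int]$current -eq $requireSMBSigning)
        }
    }
}

function Test-SmbSigningEnforced {
    # Evaluation phase: compliant only when both client and server match the target.
    $states = @(Get-SmbSigningState)
    $states | ForEach-Object {
        Write-Output ('{0}: RequireSecuritySignature = {1}' -f $_.Key, ($_.Current ?? '<missing>'))
    }
    return (@($states | Where-Object { -not $_.Compliant }).Count -eq 0)
}

function Set-SmbSigningEnforced {
    # Remediation phase: create the DWORD when absent, otherwise update it in place.
    foreach ($state in Get-SmbSigningState) {
        if ($state.Compliant) { continue }
        if (-not (Test-Path -Path $state.Key)) {
            New-Item -Path $state.Key -Force | Out-Null
        }
        if ($null -eq $state.Current) {
            New-ItemProperty -Path $state.Key -Name 'RequireSecuritySignature' `
                -PropertyType DWord -Value $requireSMBSigning | Out-Null
        } else {
            Set-ItemProperty -Path $state.Key -Name 'RequireSecuritySignature' -Value $requireSMBSigning
        }
        Write-Output ('Set RequireSecuritySignature={0} at {1}' -f $requireSMBSigning, $state.Key)
    }
}

# Worklet exit-code convention: 0 = compliant / success, 1 = non-compliant / failed.
switch ($Mode) {
    'Evaluate'  { if (Test-SmbSigningEnforced) { exit 0 } else { exit 1 } }
    'Remediate' { Set-SmbSigningEnforced; if (Test-SmbSigningEnforced) { exit 0 } else { exit 1 } }
}
```

The `??` null-coalescing operator requires PowerShell 7; on Windows PowerShell 5.1 replace that expression with `$(if ($null -eq $_.Current) { '<missing>' } else { $_.Current })`. No reboot is needed after the remediation branch; new SMB sessions pick up the value immediately, as the page states.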

SMB signing enforcement requirements

  • Windows 8 or later, Windows Server 2012 or later

  • Administrative privileges to modify HKLM registry

  • All file servers and clients in the environment must support SMB signing

  • Deploy the ENABLE SMB Signing Worklet first to enable signing before enforcing it

Expected SMB behavior after enforcement

After remediation, the endpoint refuses any SMB connection that cannot be digitally signed, creating an immediate security enhancement. Attempts to connect to servers that do not support signing will fail with access denied errors. You can verify this setting by checking the RequireSecuritySignature values in both LanManWorkstation and LanManServer Parameters registry keys - both will show a value of 1.

If connectivity issues arise, identify the servers lacking signing support by reviewing failed connection logs. You can temporarily revert by setting $requireSMBSigning to 0 while addressing compatibility issues.
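A verification script for the state described above, added here as an example rather than taken from the Worklet. It cross-checks the two registry values against what the SMB stack actually reports through Get-SmbClientConfiguration and Get-SmbServerConfiguration, and lists active connections so a pilot endpoint that is enabled but not yet enforced shows which peers are still negotiating unsigned sessions. The function name and the output layout are assumptions.

```powershell
# Added example, not the Worklet's own code. Run in an elevated PowerShell
# session on Windows 8 / Server 2012 or later (SmbShare module).

function Get-SmbSigningVerification {
    # Registry view: the values the Worklet writes.
    $clientReg = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters' `
                    -ErrorAction SilentlyContinue).RequireSecuritySignature
    $serverReg = (Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters' `
                    -ErrorAction SilentlyContinue).RequireSecuritySignature

    # Effective view: what the SMB client and server services report.
    $clientEffective = (Get-SmbClientConfiguration).RequireSecuritySignature
    $serverEffective = (Get-SmbServerConfiguration).RequireSecuritySignature

    [pscustomobject]@{
        ClientRegistry  = $clientReg
        ClientEffective = $clientEffective
        ServerRegistry  = $serverReg
        ServerEffective = $serverEffective
        # Enforced only when both roles agree in the registry and in the live configuration.
        Enforced        = ($clientReg -eq 1 -and $serverReg -eq 1 -and
                           $clientEffective -and $serverEffective)
    }
}

$result = Get-SmbSigningVerification
$result | Format-List

# Active outbound sessions. Before enforcement, a row with Signed = False names a
# server that will fail with access denied once RequireSecuritySignature is 1.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed |
    Sort-Object ServerName -Unique | Format-Table -AutoSize

if (-not $result.Enforced) {
    Write-Warning 'SMB signing is not enforced for both the client and server roles.'
    exit 1
}
exit 0
```

If the registry shows 1 but the effective value is False (or the reverse), a Group Policy setting is most likely overriding the Worklet's change; resolve that conflict rather than re-running remediation.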

How to validate ENFORCE SMB Signing changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for ENFORCE SMB Signing.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state with checks that mirror the evaluation script logic, such as re-running the evaluation or reading both RequireSecuritySignature values with Get-ItemPropertyValue.

  4. Validate the remediation's effects with the same operations the script uses (re-running it, or iterating over both keys with ForEach-Object and Get-ItemProperty), then rerun evaluation to confirm compliance.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
