[MS-SMB2] Client behavior when server requires signing and allows Guest authentication

Tal Aloni 5 Reputation points
2024-07-18T18:37:21.03+00:00

According to the MS-SMB2 specifications:

From Section 3.2.5.2:

If the SecurityMode field in the SMB2 header of the response has the SMB2_NEGOTIATE_SIGNING_REQUIRED bit set, the client MUST set Connection.RequireSigning to TRUE

From Section 3.2.5.3.1:

If the global setting RequireMessageSigning is set to TRUE or Connection.RequireSigning is set to TRUE then Session.SigningRequired MUST be set to TRUE, otherwise Session.SigningRequired MUST be set to FALSE

From Section 3.2.5.3.1:

If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response and if Session.SigningRequired is TRUE, this indicates a SESSION_SETUP failure and the connection MUST be terminated.

However, when a Windows 7 client communicates with Microsoft Windows Server 2019 Standard build 10.0.17763 I am witnessing the following during a client-server session:

  1. The SecurityMode field in the SMB2 header of the response has the SMB2_NEGOTIATE_SIGNING_REQUIRED bit set.
  2. The SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response.
  3. The subsequent TreeConnect request is not signed.

I can provide a packet capture (please specify an email address to send it to).

I would like to get clarification regarding this behavior and how it aligns with the specifications quoted above. Thank you!


2 answers

  1. Obaid Farooqi MSFT 591 Reputation points Microsoft Employee
    2024-07-26T16:51:07.8033333+00:00

    Hi @Tal Aloni

    I have finished my investigation on this issue.

    In MS-SMB2, section "3.2.5.3.1 Handling a New Authentication", it is stated that:

    "If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2 SESSION_SETUP Response and if RequireMessageSigning is FALSE, Session.SigningRequired MUST be set to FALSE."

    This allows the session to continue since Session.SigningRequired is false, and therefore disconnection is not enforced by the client.

    Please let me know if this does not answer your question.

    Regards,

    Obaid Farooqi - MSFT

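The question and the first answer quote two different sentences of MS-SMB2 section 3.2.5.3.1 and reach opposite conclusions about the same exchange. The following Python model is an added example, not code from the thread, from Windows, or from the specification itself: it encodes the client-side state transitions exactly as the quoted sentences describe them (section 3.2.5.2 for Connection.RequireSigning, section 3.2.5.3.1 for Session.SigningRequired and the Guest check) and drives both readings through the exchange reported in the question. The SecurityMode and SessionFlags bit values are the ones defined in MS-SMB2 sections 2.2.4 and 2.2.6; the assumption that the client's global RequireMessageSigning is FALSE in the observed case is mine (the first answer's clause only applies in that case); the class and function names are invented for the example.

```python
# Added example (not code from the thread or from MS-SMB2 itself): a model of the
# client-side signing state described in the question and in the first answer.
from dataclasses import dataclass

# Bit values as defined in MS-SMB2 (2.2.4 SecurityMode, 2.2.6 SessionFlags).
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_SESSION_FLAG_IS_GUEST = 0x0001


class SessionSetupFailure(Exception):
    """Raised where the sentence quoted in the question says the connection MUST be terminated."""


@dataclass
class Connection:
    require_signing: bool = False          # Connection.RequireSigning


@dataclass
class Session:
    signing_required: bool = False         # Session.SigningRequired
    is_guest: bool = False


def on_negotiate_response(conn: Connection, security_mode: int) -> None:
    """3.2.5.2: SIGNING_REQUIRED in the server's SecurityMode sets Connection.RequireSigning."""
    if security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        conn.require_signing = True


def on_session_setup_response(conn: Connection, session_flags: int,
                              require_message_signing: bool,
                              apply_guest_clause: bool) -> Session:
    """3.2.5.3.1 as quoted in the thread.

    apply_guest_clause=False models the question's reading (Guest + SigningRequired
    => terminate). apply_guest_clause=True additionally applies the sentence quoted
    in the first answer (Guest + global RequireMessageSigning FALSE => SigningRequired
    FALSE) before the termination check is made.
    """
    sess = Session(is_guest=bool(session_flags & SMB2_SESSION_FLAG_IS_GUEST))
    # First rule quoted in the question: global setting OR connection setting.
    sess.signing_required = require_message_signing or conn.require_signing
    if sess.is_guest:
        if apply_guest_clause and not require_message_signing:
            sess.signing_required = False
        if sess.signing_required:
            raise SessionSetupFailure("Guest session but Session.SigningRequired is TRUE")
    return sess


def run_scenario(security_mode: int, session_flags: int,
                 require_message_signing: bool, apply_guest_clause: bool) -> str:
    """Drive one NEGOTIATE + SESSION_SETUP exchange and report what the client does next."""
    conn = Connection()
    on_negotiate_response(conn, security_mode)
    try:
        sess = on_session_setup_response(conn, session_flags,
                                         require_message_signing, apply_guest_clause)
    except SessionSetupFailure:
        return "terminate"
    # Whether the following TREE_CONNECT request carries a signature.
    return "tree_connect_signed" if sess.signing_required else "tree_connect_unsigned"


# The exchange reported in the question: server requires signing, session is Guest.
# The client's global RequireMessageSigning is assumed FALSE (my assumption; it is
# the case the first answer's clause covers).
OBSERVED = dict(security_mode=SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED,
                session_flags=SMB2_SESSION_FLAG_IS_GUEST,
                require_message_signing=False)

if __name__ == "__main__":
    print("question's reading:", run_scenario(apply_guest_clause=False, **OBSERVED))
    print("answer's reading  :", run_scenario(apply_guest_clause=True, **OBSERVED))
```

Run as a script, the model returns "terminate" for the question's reading and "tree_connect_unsigned" for the answer's reading, which is the unsigned TreeConnect the question reports seeing. Under the second reading a Guest session to a server that declared signing required proceeds with unsigned messages; a client that wants the behaviour the question's clause describes therefore has to check Connection.RequireSigning itself before accepting a Guest session, rather than relying on Session.SigningRequired after the Guest clause has cleared it.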

  2. Tal Aloni 5 Reputation points
    2024-07-27T15:35:11.1833333+00:00

    Hi Obaid,

    Sorry for my delay in response, my email alerts were turned off for some reason.

    I have sent the packet capture.

    My understanding from the packet capture is:

    1. the client MUST set Connection.RequireSigning to TRUE
    2. Session.SigningRequired MUST be set to TRUE

    The quote you provided is sort of out of context, as there is another sentence leading up to it. I think something should be clarified here - I'm having a hard time accepting that the behavior I'm seeing is according to the specifications.
