Categories
Group Policy Windows Server

Group Policy: Microsoft Network Client Security Options

The Server Message Block (SMB) protocol is the basis for file and printer sharing and other essential networking operations. Configuring Microsoft Network Client Security Options will ensure your domain communications are protected from Man -in-the-Middle (MITM) attacks.

Notice: Before you begin, ensure that this article is relevant to your organization and to the Windows version you’re managing. This article is intended for Windows 20.04 and meant to remain in-line with how the group policy editor is laid-out.

The following group policy options are located in the following area: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Digitally sign communications (always)

Windows Description: This security setting determines whether packet signing is required by the SMB client component.

Recommended Configuration: Enabled.

Rationale: Requiring that communications are to be signed will prevent session hijacking tools from being used by malicious users.

Digitally sign communications (if server agrees)

Windows Description: This security setting determines whether the SMB client attempts to negotiate SMB packet signing.

Recommended Configuration: Enabled.

RationaleIf communication signing is eligible, the client will do so. These communications are then protected against session hijacking tools from being used by malicious users.

Send unencrypted password to third-party SMB servers

Windows Description: Microsoft network client: Send unencrypted password to connect to third-party SMB servers

Recommended Configuration: Disabled.

Rationale: This policy configuration will ensure that plaintext passwords are never transferred over the network. 

Affiliate Links:

Looking to take your web browsing privacy more seriously? Use my referral link to download brave browser and start browsing without ads and trackers:

https://brave.com/hel592

Other Articles:

Find other Windows Server Blogs here.

Sources:

These configurations were established with the help from the following sources:

SANS Sample Policies: Click Here.

CIS Controls: Click Here.

Tech Republic Sample Policies: Click Here.

Leave a Reply

Your email address will not be published. Required fields are marked *