2003 Domain GPO Setting for "Digitally Sign Communications"

    I am in charge of closing some holes a Nessus scan found on a high production web server environment. One of the issues is "Signing is disabled on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server." The fix offered is enabling digital signing. I am kind of worried, though, because Microsoft warns against doing this as it may break some services. It does say to enable both client and server at the same time to ensure it works. These servers are mainly port 443, 80, and 8080, and while none of the web services run on 445, I am wondering if you guys could shed some light (maybe through a past personal experience) on what I can expect if I enable this GPO. These servers are high production and I cannot really afford downtime, yet on the other hand I have to answer to the client on any Security Warnings found in Nessus. TIA

    Computer Configuration\Windows Settings\Security Options\Local Policies/Security Options\Microsoft Network Client\

    Microsoft Network Client
    Policy Setting
    Microsoft network client: Digitally sign communications (always) Enabled

    Microsoft Network Server
    Policy Setting
    Microsoft network server: Digitally sign communications (always) Enabled
    Last edited by 200mg; 8th February 2012, 16:47.
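
A pre-change check for the two "(always)" policies quoted in the post above, as an added example that is not part of the original post: it reads the current client-side and server-side SMB signing state from each server's registry and lists client/server pairs where one side requires signing while the other has it disabled. Assumptions: the server names are placeholders, the Remote Registry service is reachable with admin rights, and the policies are stored in the `RequireSecuritySignature` and `EnableSecuritySignature` values under the `LanmanWorkstation` and `LanmanServer` service parameters.

```powershell
# Added example: audit SMB signing state before enforcing "(always)" by GPO.
$Servers = @('WEB01', 'WEB02', 'FILE01')   # hypothetical names, replace with your own

function Get-SmbSigningState {
    param([string]$Computer,
          [ValidateSet('LanmanServer', 'LanmanWorkstation')][string]$Service)
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    } catch { return 'Unreachable' }
    try {
        $key = $hive.OpenSubKey("SYSTEM\CurrentControlSet\Services\$Service\Parameters")
        if ($null -eq $key) { return 'Unknown' }
        # "(always)" maps to RequireSecuritySignature,
        # "(if client/server agrees)" maps to EnableSecuritySignature.
        $require = $key.GetValue('RequireSecuritySignature', $null)
        $enable  = $key.GetValue('EnableSecuritySignature', $null)
        if     ($require -eq 1) { 'Required' }
        elseif ($enable  -eq 1) { 'Enabled' }
        elseif ($null -eq $require -or $null -eq $enable) { 'Unknown' }
        else   { 'Disabled' }
    } finally { $hive.Close() }
}

# Collect client-side (LanmanWorkstation) and server-side (LanmanServer) state.
$state = foreach ($name in $Servers) {
    New-Object PSObject -Property @{
        Name   = $name
        Client = Get-SmbSigningState $name 'LanmanWorkstation'
        Server = Get-SmbSigningState $name 'LanmanServer'
    }
}
$state | Format-Table Name, Client, Server -AutoSize

# A side set to "always" will not talk to a peer that has signing disabled,
# so report every client -> server pair that would stop working.
foreach ($c in $state) {
    foreach ($s in $state) {
        if ($c.Name -eq $s.Name) { continue }
        $broken = ($c.Client -eq 'Required' -and $s.Server -eq 'Disabled') -or
                  ($s.Server -eq 'Required' -and $c.Client -eq 'Disabled')
        if ($broken) {
            '{0} (client: {1}) -> {2} (server: {3}): signing mismatch' -f `
                $c.Name, $c.Client, $s.Name, $s.Server
        }
    }
}
```

Running it again after the GPO has refreshed on every machine shows whether both sides picked up the setting; any host still reported as `Disabled` or `Unknown` needs a look before the policy is considered applied.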