SMB Signing not required
Operating system version: Windows Server 2012 R2
Description
Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.
Solution
Enforce message signing in the host’s configuration. On Windows, this is found in the policy setting ‘Microsoft network server: Digitally sign communications (always)’. On Samba, the setting is called ‘server signing’. See the ‘see also’ links for further details.
See Also
http://www.nessus.org/u?df39b8b3
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
http://www.nessus.org/u?a3cac4ea
Output
No output recorded.
Remediation steps
Configure the Local Security Policy
Open Run with Windows+R, or from Windows Terminal / Windows PowerShell, launch the Local Security Policy console:
secpol.msc
Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications (always) -> Enabled -> OK
Alternatively, open Run with Windows+R, or from Windows Terminal / Windows PowerShell, launch the Registry Editor:
regedit
Set the registry value RequireSecuritySignature to 1
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: RequireSecuritySignature
Type: REG_DWORD
Value: 1
Verification
Rescan the host with Nessus and confirm that the finding "SMB Signing not required" no longer appears.
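As an added example (not part of the original note), the following PowerShell script applies the registry change from the steps above and verifies the result locally before the Nessus rescan. It assumes an elevated session on Windows Server 2012 R2 or later, where the SmbShare module's Get-SmbServerConfiguration cmdlet is available.

```powershell
# Added example, not from the original remediation note.
# Enforces SMB server signing via the RequireSecuritySignature registry value
# described above, restarts the Server service so the value is read, and then
# reports what the SMB server actually enforces. Run from an elevated PowerShell
# on Windows Server 2012 R2 or later (needs the SmbShare module).

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Name    = 'RequireSecuritySignature'

function Get-SmbServerSigningState {
    # Returns the raw registry value (0 = not required, 1 = required) next to
    # what the running SMB server reports, so a mismatch is visible.
    $reg = (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue).$Name
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        RegistryValue    = $reg
        RequireSignature = $cfg.RequireSecuritySignature
        EnableSignature  = $cfg.EnableSecuritySignature
    }
}

function Enable-SmbServerSigning {
    # Sets RequireSecuritySignature = 1 (REG_DWORD), creating the value if it
    # does not exist yet, then restarts LanmanServer. Note: the restart drops
    # active SMB sessions, so schedule it in a maintenance window.
    if ($null -eq (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue)) {
        New-ItemProperty -Path $RegPath -Name $Name -PropertyType DWord -Value 1 | Out-Null
    } else {
        Set-ItemProperty -Path $RegPath -Name $Name -Value 1
    }
    Restart-Service -Name LanmanServer -Force
}

'Before:'; Get-SmbServerSigningState
Enable-SmbServerSigning
'After:';  Get-SmbServerSigningState

$state = Get-SmbServerSigningState
if ($state.RegistryValue -eq 1 -and $state.RequireSignature) {
    'SMB server signing is now required; rescan with Nessus to confirm the finding is gone.'
} else {
    # A domain Group Policy overrides the local setting; fix it there if this fires.
    Write-Warning 'Signing is still not enforced; check for a Group Policy that overrides the local value.'
}
```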