Digitally sign client communications (always)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Description

Determines whether the computer will always digitally sign client communications.

The Windows 2000 Server Message Block (SMB) authentication protocol supports mutual authentication, which protects against "man-in-the-middle" attacks, and message authentication, which prevents active message attacks. SMB signing provides this authentication by placing a digital signature into each SMB packet, which is then verified by both the client and the server.

In order to use SMB signing, you must either enable it or require it on both the SMB client and the SMB server. If SMB signing is enabled on a server, then clients that are also enabled for SMB signing will use the packet signing protocol during all subsequent sessions. If SMB signing is required on a server, then a client will not be able to establish a session unless it is at least enabled for SMB signing.

If this policy is enabled, it requires the Windows 2000 SMB client to perform SMB packet signing.

If this policy is disabled, it does not require the SMB client to sign packets.

This policy is defined by default in Local Computer Policy, where it is disabled by default.
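The negotiation rules above can be modelled to preview what enabling this policy does to a client's sessions. The following PowerShell sketch is an added example, not part of the original policy text: the server names and their settings are constructed, the function names are hypothetical, and it assumes that a client that requires signing refuses a server with signing disabled, mirroring the server-side rule stated above.

```powershell
# Signing states used in the policy text: Disabled, Enabled, Required.
function Get-SmbSigningOutcome {
    param(
        [ValidateSet('Disabled','Enabled','Required')] [string]$Client,
        [ValidateSet('Disabled','Enabled','Required')] [string]$Server
    )
    # A side that requires signing refuses a peer that has signing disabled.
    # The server-requires case is stated in the text; the client-requires
    # case is assumed to be its mirror image.
    if (($Client -eq 'Required' -and $Server -eq 'Disabled') -or
        ($Server -eq 'Required' -and $Client -eq 'Disabled')) {
        return [pscustomobject]@{ Session = $false; Signed = $false }
    }
    # Packets are signed only when both sides are at least enabled.
    $signed = ($Client -ne 'Disabled') -and ($Server -ne 'Disabled')
    [pscustomobject]@{ Session = $true; Signed = $signed }
}

# Constructed inventory of SMB servers (hypothetical names and settings).
$servers = @(
    [pscustomobject]@{ Name = 'FS-LEGACY'; Signing = 'Disabled' }
    [pscustomobject]@{ Name = 'FS-APPS';   Signing = 'Enabled'  }
    [pscustomobject]@{ Name = 'DC-01';     Signing = 'Required' }
)

# Compare each server against the client before and after the policy change.
# The 'Disabled' starting state for the client is an assumption.
function Get-PolicyImpact {
    param([object[]]$Servers, [string]$Before = 'Disabled', [string]$After = 'Required')
    foreach ($s in $Servers) {
        $old = Get-SmbSigningOutcome -Client $Before -Server $s.Signing
        $new = Get-SmbSigningOutcome -Client $After  -Server $s.Signing
        [pscustomobject]@{
            Server        = $s.Name
            ServerSigning = $s.Signing
            SessionBefore = $old.Session
            SignedBefore  = $old.Signed
            SessionAfter  = $new.Session
            SignedAfter   = $new.Signed
        }
    }
}

Get-PolicyImpact -Servers $servers | Format-Table -AutoSize
```

A row where SessionAfter is False identifies a server the client would lose access to once the policy is enabled, so that server needs signing enabled first.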

Note

SMB signing will impose a performance penalty on your system. Although it doesn't consume any more network bandwidth, it does use more CPU cycles on the client and server side.