Lessons Learned - Things I wish I had known… » How To Disable SMB Signing in SBS 2003

December 2004
M	T	W	T	F	S	S
		Jan »
	1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Downlevel clients, Macintosh clients running Mac OS 10.X attempting to connect to SMB shares, and some third party devices, such as multi-function printers/scanners, are unable to connect to the server due to SMB signing. Since not all devices are capable of working with signed SMB packets, SMB signing can be disabled on the server to allow access to these clients.

Please note that SMB signing is a security feature and that by disabling it you open the door to certain security risks. This action should be taken only when absolutely necessary.

Instead of making changes to the Default Domain Policy to disable SMB signing, create a new Group Policy Object with the appropriate policy settings. This is in line with the additional Group Policy Objects created by the Small Business Server setup.

At the server, open the Server Management console.
Expand Advanced Management.
Expand Group Policy Management.
Expand the forest.
Expand Domains.
Select the local domain. The SBS policy objects will display in the right-hand pane along with the Default Domain Policy.
Right-click the domain icon (domainname.local) in the console tree and select Create and Link a GPO Here.
Enter “SMB Signing Disabled” (without the quotations marks) for the GPO Name and click OK.
Right-click on the new GPO in the right-hand pane and select Edit to open the Group Policy Object Editor.
Under Computer Configuration, expand Windows Settings.
Expand Security Settings.
Expand Local Policies.
Select Security Options.
In the right-hand pane, scroll down to Microsoft network server: Digitally sign communications (always) and double-click on the policy object.
Select the Disabled radio button and make sure the checkbox is enabled for Define this policy setting.
Click OK.
Close the Group Policy Object Editor.
Right-click on the SMB Signing Disabled policy object and select Enforced. In the Linked Group Policy Objects window, the SMB Signing Disabled object should show Yes under both Enforced and Link Enabled.
Move the SMB Signing Disabled policy just above the Default Domain Policy in the window. The SMB Signing Disabled policy object should be number 5 in the list and the Default Domain Policy should be number 6 for a default SBS installation.
Open a command prompt window on the server.
Type “gpupdate /force” (without the quotation marks) and press Enter.
When the policy update completes, close the command prompt window.

The clients should now be able to connect to the server.