Penetration Test Finding Remediation: SMB Signing not required
SMBv2 signing not required
Take care when changing this setting.
It may cause network disk mounts to fail.
Think twice before adjusting anything related to shared network drives!!
This system enables, but does not require SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity and helps prevent man in the middle attacks against SMB. SMB 2.x signing can be configured in one of two ways: not required (least secure) and required (most secure).
You can usually start by verifying in PowerShell (and run the check once more after the configuration is finished):
Get-SmbServerConfiguration | Select EnableSMB2Protocol
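Step 1. Enable "Microsoft network server: Digitally sign communications (always)" (shown in the Traditional Chinese UI as 數位簽章伺服器的通訊(自動))
Open the Local Group Policy Editor: click Start at the lower left and type "gpedit.msc" in the "Search programs and files" box.
Path: Local Group Policy Editor -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> right pane -> Microsoft network server: Digitally sign communications (always) -> select Enabled.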
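Step 2. Setting: enable the SMB signing service.
Open the Registry Editor: click Start at the lower left and type "Regedt32.exe" in the "Search programs and files" box.
Path: HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> LanManServer -> Parameters -> right pane -> RequireSecuritySignature -> 1 (right-click and modify the value data).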
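The check and the change from the steps above as one PowerShell script, added here as an example and not part of the original post. It assumes an elevated session on Windows 8 / Server 2012 or later (where the SmbShare cmdlets exist); the -Enforce switch and the function name are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMB server signing, then optionally require it.
# Save as a .ps1 file; run without arguments to audit only.
param([switch]$Enforce)   # hypothetical switch name, chosen for this example

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbSigningState {
    # Combine the cmdlet view with the registry value edited in Step 2.
    $cfg = Get-SmbServerConfiguration
    $reg = Get-ItemProperty -Path $regPath -Name RequireSecuritySignature `
               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableSMB2Protocol       = $cfg.EnableSMB2Protocol
        EnableSecuritySignature  = $cfg.EnableSecuritySignature
        RequireSecuritySignature = $cfg.RequireSecuritySignature
        RegistryValue            = if ($reg) { $reg.RequireSecuritySignature } else { $null }
    }
}

$before = Get-SmbSigningState
$before | Format-List

# Clients connected right now: these are the mounts that can break if a
# client cannot sign, so review the list before changing anything.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
    Format-Table -AutoSize

if ($before.RequireSecuritySignature) {
    Write-Output 'SMB signing is already required on this server.'
    return
}
if (-not $Enforce) {
    Write-Output 'SMB signing is NOT required. Re-run with -Enforce to require it.'
    return
}

# Same effect as setting RequireSecuritySignature = 1 in the registry.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

$after = Get-SmbSigningState
$after | Format-List
if (-not $after.RequireSecuritySignature -or $after.RegistryValue -ne 1) {
    # A Group Policy that defines this option overrides the local value.
    Write-Error 'Signing is still not required; check for an overriding Group Policy.'
}
```

Run it once without -Enforce on each file server to see which clients are connected, then again with -Enforce during a maintenance window.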