
Clarity needed around SMB signing settings.


The explanation of this and the immediately related settings appears inconsistent and/or incorrect. For example:

"To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). Computers that have this policy set will not be able to communicate with computers that do not have server-side packet signing enabled."

The setting reads "if server agrees" so if the server does not agree, then signing is not enforced, right?  Why would computers with this setting be unable to communicate with systems lacking SMB signing?

Similarly, the Countermeasures section instructs us to disable the "always" settings and enable the "if agree" settings.  This would leave communications vulnerable for any connections where either side does not have SMB signing enabled, right?  That's not a reliable countermeasure!

The relationship between these settings should be clarified.  Is there a reason why two registry entries were used, rather than a single entry with three values: OFF; If agreed; Always?

What is the interaction between the "always" setting and the "if agree" setting? Does "always" override "if agree"?

Jaime Castells, CISSP CSSLP
Information Security Architect
CareSource
937-531-3441

