
SMB and LDAP Signing: Why It Matters

Why SMB and LDAP signing are critical for preventing relay attacks and man-in-the-middle attacks in Active Directory environments.

9 min read
Updated January 23, 2025

SMB and LDAP signing prevent man-in-the-middle and relay attacks that could lead to credential theft and privilege escalation.

What Are Relay Attacks?

In a relay attack, an attacker intercepts an authentication exchange and forwards it to another system, so that the victim's credentials authenticate the attacker's session there. Without signing, nothing ties the traffic that follows to the original authentication, so the attacker can modify it or redirect it to a system they control.

SMB Signing

SMB (Server Message Block) is used for file sharing and remote administration. Without SMB signing, attackers can:

  • Intercept SMB traffic
  • Relay authentication to other systems
  • Access file shares or execute commands using stolen credentials

Configuration

On Domain Controllers: SMB signing should be required (not just enabled), which is now the default.

On Member Servers: SMB signing should be required.

On Workstations: SMB signing should be required.

How to Enable

Via Group Policy:

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
  • "Microsoft network server: Digitally sign communications (always)" = Enabled
  • "Microsoft network server: Digitally sign communications (if client agrees)" = Enabled
  • "Microsoft network client: Digitally sign communications (always)" = Enabled
  • "Microsoft network client: Digitally sign communications (if client agrees)" = Enabled
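The script below is an added example, not code from the original article. It audits the local host with the Get-SmbServerConfiguration and Get-SmbClientConfiguration cmdlets named later in the article, maps their properties back to the four Group Policy names listed above, and, with -Enforce, applies the "(always)" settings locally. The script name and the -Enforce switch are assumptions; the cmdlets require Windows 8 / Server 2012 or later and an elevated session for the enforce path.

```powershell
# Added example, not part of the original article: audit SMB signing on the local
# host with the SmbShare cmdlets, and optionally enforce it.
# Assumes Windows 8 / Server 2012 or later and an elevated session for -Enforce.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Pass -Enforce to turn on RequireSecuritySignature for server and client side.
    [switch]$Enforce
)

# Property-to-policy mapping (server side shown; the client side is the same pair):
#   RequireSecuritySignature -> "Microsoft network server: Digitally sign communications (always)"
#   EnableSecuritySignature  -> "Microsoft network server: Digitally sign communications (if client agrees)"
$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

[PSCustomObject]@{
    ServerRequireSigning = $server.RequireSecuritySignature
    ServerEnableSigning  = $server.EnableSecuritySignature
    ClientRequireSigning = $client.RequireSecuritySignature
    ClientEnableSigning  = $client.EnableSecuritySignature
} | Format-List

# Only "require" defeats relay: with "enable" alone, a peer that does not sign
# still gets an unsigned session, and a relayed session cannot produce valid signatures.
$gaps = @()
if (-not $server.RequireSecuritySignature) { $gaps += 'SMB server accepts unsigned sessions' }
if (-not $client.RequireSecuritySignature) { $gaps += 'SMB client connects to servers that do not sign' }

if ($gaps.Count -eq 0) {
    Write-Host 'SMB signing is required on both server and client side.'
}
else {
    $gaps | ForEach-Object { Write-Warning $_ }
}

if ($Enforce -and $gaps.Count -gt 0) {
    # Equivalent to setting both "(always)" policies to Enabled. Existing sessions are
    # not renegotiated, so the change applies to connections made from now on.
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Require SMB signing')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    }
    if ($PSCmdlet.ShouldProcess('LanmanWorkstation', 'Require SMB signing')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -EnableSecuritySignature $true -Force
    }
}
```

Save it as, say, Test-SmbSigning.ps1 (an assumed name) and run it without switches to audit, or with -Enforce -WhatIf to preview the change. A local change made this way is overwritten at the next Group Policy refresh if a policy sets the same values, so the policy path listed above remains the durable configuration; the script is useful for verifying a host and for testing before the policy is rolled out.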

LDAP Signing

LDAP (Lightweight Directory Access Protocol) is used to query and modify Active Directory. Without LDAP signing, attackers can:

  • Intercept LDAP queries
  • Modify responses to redirect authentication
  • Perform man-in-the-middle attacks

Configuration

LDAP Signing: Should be required for all LDAP traffic to prevent NTLM relay attacks to the LDAP service.

LDAP Channel Binding: Should be required to prevent NTLM relay attacks to the LDAPS service.

How to Enable

Via Group Policy:

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
  • "Domain controller: LDAP server signing requirements" = "Require signing"
  • "Domain controller: LDAP server channel binding token requirements" = "Always"

For clients:

  • "Network security: LDAP client signing requirements" = "Require signing"
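The following is an added example, not code from the original article. It reads the registry values behind the three policies above (LDAPServerIntegrity and LdapEnforceChannelBinding under the NTDS parameters on a domain controller, LDAPClientIntegrity under the LDAP client key on any domain member) and reports whether each one is at its required setting. The value-to-setting labels follow the policy definitions; the script name used in the usage note is an assumption.

```powershell
# Added example, not part of the original article: read the registry values that the
# three LDAP policies write and report whether each meets the required setting.
# Assumes it runs on a domain controller for the two NTDS values; the LDAP client value
# applies to any domain member.
$checks = @(
    @{
        Policy   = 'Domain controller: LDAP server signing requirements'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Name     = 'LDAPServerIntegrity'
        Labels   = @{ 1 = 'None'; 2 = 'Require signing' }
        Required = 2
    },
    @{
        Policy   = 'Domain controller: LDAP server channel binding token requirements'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Name     = 'LdapEnforceChannelBinding'
        Labels   = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }
        Required = 2
    },
    @{
        Policy   = 'Network security: LDAP client signing requirements'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
        Name     = 'LDAPClientIntegrity'
        Labels   = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }
        Required = 2
    }
)

$results = foreach ($c in $checks) {
    # SilentlyContinue: the NTDS key does not exist on non-DCs, and a policy that
    # has never been applied leaves no value behind at all.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = $null
        $label = 'not set (OS default applies)'
    }
    else {
        $value = [int]$item.($c.Name)
        $label = $c.Labels[$value]
        if (-not $label) { $label = "unknown value $value" }
    }
    [PSCustomObject]@{
        Policy    = $c.Policy
        Setting   = $label
        Required  = $c.Labels[$c.Required]
        # An absent value is reported as non-compliant: only an explicit "require"
        # setting guarantees the behaviour, whatever the OS default is on this build.
        Compliant = ($value -eq $c.Required)
    }
}

$results | Format-Table -AutoSize
```

To check every domain controller at once, run the file remotely, for example with Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -FilePath .\Check-LdapSigning.ps1 (file name assumed). The client signing row is worth running on member servers and workstations too, since it decides whether those hosts will refuse to talk to a directory that does not sign.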

Why It Matters

Without signing:

  • Attackers can intercept and relay authentication
  • Credentials can be stolen and reused
  • Privilege escalation becomes easier
  • Domain compromise risk increases

With signing:

  • Traffic integrity is verified
  • Relay attacks are prevented
  • Credential theft is harder
  • Security posture improves

Detection

Check current configuration:

  • Use PowerShell: Get-SmbServerConfiguration and Get-SmbClientConfiguration
  • Review Group Policy settings
  • Check event logs for unsigned connection attempts
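The script below is an added example, not code from the original article. It shows what "check event logs for unsigned connection attempts" looks like in practice on a domain controller: it counts the Directory Service events 2887 (24-hour summary of unsigned and simple binds), 2889 (one event per unsigned bind, logged only once the "16 LDAP Interface Events" diagnostic level is raised to 2) and 3039 (channel binding token failures), extracts the client address and identity from the 2889 messages, and then lists active SMB sessions on the host that were negotiated without signing. The message regexes are best-effort assumptions about the event text, and the Signed property on Get-SmbSession output is only present on recent builds, so the script checks for it before filtering.

```powershell
# Added example, not part of the original article: surface unsigned LDAP binds from the
# Directory Service log and unsigned SMB sessions from the local SMB server.
# Assumptions: runs on a domain controller for the LDAP part; message regexes are
# best-effort against the English event text.
param(
    [int]$Hours = 24,
    # Raise "16 LDAP Interface Events" to 2 so the DC logs a 2889 event per unsigned bind.
    [switch]$EnableLdapInterfaceLogging
)

if ($EnableLdapInterfaceLogging) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2887, 2889, 3039
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Overview: how many of each event ID in the window.
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

# 2889 messages carry "Client IP address:" and "Identity the client attempted to
# authenticate as:", each followed by its value on the next line.
$unsignedBinds = foreach ($e in ($events | Where-Object Id -eq 2889)) {
    $ip = if ($e.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $id = if ($e.Message -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'unknown' }
    [PSCustomObject]@{ Time = $e.TimeCreated; Client = $ip; Identity = $id }
}

# One row per client/identity pair: these are the systems and accounts that will
# break once "Require signing" is enforced, so they are the compatibility work list.
$unsignedBinds | Group-Object Client, Identity | Sort-Object Count -Descending |
    ForEach-Object {
        [PSCustomObject]@{
            Count    = $_.Count
            Client   = $_.Group[0].Client
            Identity = $_.Group[0].Identity
            LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } | Format-Table -AutoSize

# SMB side: active sessions on this host negotiated without signing. The Signed
# property is exposed on recent builds only, so check for it before filtering.
$sessions = @(Get-SmbSession)
if ($sessions.Count -gt 0 -and ($sessions[0].PSObject.Properties.Name -contains 'Signed')) {
    $sessions | Where-Object { -not $_.Signed } |
        Select-Object ClientComputerName, ClientUserName, Dialect, Signed, Encrypted |
        Format-Table -AutoSize
}
elseif ($sessions.Count -gt 0) {
    Write-Warning 'Get-SmbSession does not expose a Signed property on this build.'
}
```

Run it with -EnableLdapInterfaceLogging once, leave the diagnostic level raised for a full business cycle so that scheduled jobs and rarely used applications show up, and then run it again with a longer -Hours window. The per-client table is the input to the "test compatibility" and "document exceptions" steps in the remediation list: every row is a host or account that needs fixing or a documented exception before signing is set to required.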

Remediation

  1. Enable SMB signing: Required on DCs, servers and workstations
  2. Enable LDAP signing: Required on all domain controllers
  3. Enable LDAP channel binding: Required on all domain controllers when LDAPS is configured
  4. Test compatibility: Ensure applications work with signing enabled
  5. Monitor for failures: Alert on unsigned connection attempts
  6. Document exceptions: If signing cannot be enabled, document why and plan mitigations until proper remediation can be implemented

Need this validated in your environment?

Our Active Directory security assessment identifies these issues and provides prioritized remediation guidance.

Learn About AD Security Assessments