NT Gatekeeper: Protecting Your Systems from SMB Hijacking

\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected], and you might see the answer in this column!\]

Recently, Server Message Block (SMB) hijacking attacks have been in the news. These attacks are mounted with a tool called SMBRelay, which could (but no longer can) be downloaded for free from the Internet. Using SMBRelay, an intruder can relatively easily launch an attack against SMB protocol exchanges and steal, for example, Windows NT LAN Manager (NTLM) password hashes. What's the best way to protect my systems against SMB hijacking?

The SMB protocol plays an important role in client-to-server communications on the NT platform. An SMB-Relay SMB hijacking attack exploits the backward compatibility that Microsoft maintains with systems running earlier versions of the SMB protocol in their NT 4.0 SMB code. In the context of this attack, the SMB server (in this case, the machine running SMBRelay) negotiates the most primitive level of client-to-server authentication when NT's networking software sets up the SMB session. SMBRelay can then retrieve NTLM password hashes, which the attacker can input into a password-cracking program such as @stake's L0phtCrack.

Full protection against SMB hijacking requires a combination of physical, logical, and organizational security measures. However, NT 4.0 Service Pack 3 (SP3) and later includes a cryptographic mechanism called SMB signing, which authenticates individual SMB packets and provides at least some protection against SMB hijacking.

Two registry values control SMB signing behavior: EnableSecuritySignature and RequireSecuritySignature. You can find the EnableSecuritySignature registry value (of type REG_DWORD) in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters subkey. When you set the EnableSecuritySignature value to 1, you enable the NT system to support SMB signing. You can find the RequireSecuritySignature value (of type REG_DWORD) in the HKEY_LOCAL_MACHINE\SYSTEM\Current-ControlSet\Services\Rdr\Parameters subkey. When you set the RequireSecuritySignature value to 1, the NT system refuses to communicate with any system that doesn't have SMB signing enabled. When you set RequireSecuritySignature to 0, communication between the SMB client and server occurs even when one of them hasn't been enabled for SMB signing. By default, installing NT 4.0 SP3 disables SMB signing on server systems and enables it on workstation systems. (For more information about enabling SMB signing, see the Microsoft article "How to Enable SMB Signing in Windows NT" at http://support.microsoft.com/directory/article.asp?id=kb;en-us; q161372.)

Because SMB signing signs and verifies every SMB packet, the mechanism decreases system performance by an average of 10 to 15 percent. And enforcing SMB signing on all your Windows machines can't completely protect your SMB clients from attacks by a fake server running SMBRelay. Even when you control the SMB settings on all your NT servers, an intruder might succeed in physically inserting an SMB server into your network and forcing SMB clients to use the most primitive level of authentication. Nevertheless, SMB signing is an administrator's best protection against SMB hijacking.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish