Vulnerability scanner (Rapid7, Metasploit, runZero, Kali) shows "SMB signing not required"

Disabling SMB1 is necessary and well documented:
https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server

Remember that SMB1 can be enabled as both SERVER and CLIENT on the same system.

But disabling SMB1 is not the same as REQUIRING SIGNING, which is what the scanner finding is about and what this note covers.

You can inspect the registry on a per-system basis with reg query:
reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters

Among the values returned you will see the following; RequireSecuritySignature at 0x0 means signing is not required:
EnablePlainTextPassword REG_DWORD 0x0
EnableSecuritySignature REG_DWORD 0x1
RequireSecuritySignature REG_DWORD 0x0

To require signing, either set it in the registry with reg add (/f overwrites the existing value without prompting):
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters /v RequireSecuritySignature /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v RequireSecuritySignature /t REG_DWORD /d 1 /f

Or set via Group Policy:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
Find "Microsoft network client: Digitally sign communications (always)"
Set to Enabled
Find "Microsoft network server: Digitally sign communications (always)"
Set to Enabled
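
Added example (not part of the original note): a PowerShell function that reads the same two registry keys and reports, per role, whether signing is required, so the result of either method above can be checked. The function name Get-SmbSigningState and its output fields are made up for this example, and the optional -ComputerName path assumes PowerShell remoting (WinRM) is enabled on the targets.

```powershell
# Added example: audit RequireSecuritySignature for the SMB server and client roles.
# Get-SmbSigningState is a hypothetical name, not a built-in cmdlet.
function Get-SmbSigningState {
    [CmdletBinding()]
    param(
        # Optional remote hosts (assumption: WinRM remoting is enabled on them).
        [string[]]$ComputerName
    )

    $check = {
        $base  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
        $roles = [ordered]@{
            Server = "$base\LanmanServer\Parameters"
            Client = "$base\LanmanWorkstation\Parameters"
        }
        foreach ($role in $roles.Keys) {
            $p = Get-ItemProperty -Path $roles[$role] -ErrorAction SilentlyContinue
            $require = $p.RequireSecuritySignature   # $null when the value is absent
            $status = if ($null -eq $require) {
                'NotSet'        # value absent: reported as such, not guessed
            } elseif ($require -eq 1) {
                'Required'
            } else {
                'NotRequired'
            }
            [pscustomobject]@{
                Computer                 = $env:COMPUTERNAME
                Role                     = $role
                EnableSecuritySignature  = $p.EnableSecuritySignature
                RequireSecuritySignature = $require
                Status                   = $status
            }
        }
    }

    if ($ComputerName) {
        # Run the same check remotely and drop the remoting metadata columns.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check |
            Select-Object Computer, Role, EnableSecuritySignature, RequireSecuritySignature, Status
    } else {
        & $check
    }
}

# List every role where the registry value does not yet require signing.
Get-SmbSigningState | Where-Object Status -ne 'Required' | Format-Table -AutoSize
```

An empty result means both the server and client keys have RequireSecuritySignature set to 1.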