Enabling this setting through script (if GPO is not available)
ISSUE
SMB signing is not required on the remote SMB server (the setting is the same whether the host is a workstation or a server). Without mandatory signing, an unauthenticated remote attacker positioned on the network can conduct a man-in-the-middle (MITM) attack against SMB sessions to the server, typically by relaying captured authentication to it.
The Microsoft article on this issue is available here
It is straightforward to enforce this setting with a GPO, but what about machines to which you cannot deliver a GPO, for example Azure AD joined machines, or remote machines that are only managed through an RMM tool? The registry value and script below cover that case.
Registry Commands
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /f /v RequireSecuritySignature /t REG_DWORD /d 1
PowerShell Script
You can make the required change with a PowerShell script such as the one below (run it elevated, since it writes to HKLM):
Write-Host "Microsoft Network Server: Digitally Sign Communications (Always) to Enabled"
$path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
# Read the current value; if it has never been set, $val is $null rather than a terminating error
$val = Get-ItemProperty -Path $path -Name "RequireSecuritySignature" -ErrorAction SilentlyContinue
# Compare the value we actually read (the original script tested a non-existent property,
# which always evaluated to $null and so always rewrote the value)
if ($val.RequireSecuritySignature -ne 1)
{
    # Set-ItemProperty creates the value if it is missing; -Type DWord ensures it is a REG_DWORD
    Set-ItemProperty -Path $path -Name "RequireSecuritySignature" -Value 1 -Type DWord
    Write-Host "Microsoft Network Server: Digitally Sign Communications (Always) is now Enabled"
}
else
{
    Write-Host "Microsoft Network Server: Digitally Sign Communications (Always) = No change required"
}
You should test any script before deploying it across the enterprise.
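The following is an added example, not a script from the original page: a version of the same remediation written for RMM deployment. It sets the registry value, then verifies the result through Get-SmbServerConfiguration (which reports what the SMB server currently has configured) rather than trusting the registry write alone, and exits with a code the RMM can act on. It also optionally enforces the matching client-side value under LanmanWorkstation, which scanners generally do not flag but which protects the host when it connects out to other servers. The function names, the -IncludeClient switch, and the exit-code convention (0 compliant or remediated, 1 verification failed, 2 not elevated) are my own choices.

```powershell
# Added example: enforce SMB signing, verify it, and report an RMM-friendly exit code.
# Requires an elevated session and the SmbShare module (Windows 8 / Server 2012 or later).
# Function names, the -IncludeClient switch and the exit codes are assumptions of this example.
param([switch]$IncludeClient)

$ValueName = 'RequireSecuritySignature'

# Each target pairs the registry key with the cmdlet that reports the live setting.
$Targets = @(
    @{ Name = 'Server'
       Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Live = { (Get-SmbServerConfiguration).RequireSecuritySignature } }
)
if ($IncludeClient) {
    $Targets += @{ Name = 'Client'
                   Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
                   Live = { (Get-SmbClientConfiguration).RequireSecuritySignature } }
}

function Test-SigningRequired($Target) {
    # True only when both the registry value and the live SMB configuration say "required".
    $reg  = (Get-ItemProperty -Path $Target.Key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $live = & $Target.Live
    return (($reg -eq 1) -and ($live -eq $true))
}

function Set-SigningRequired($Target) {
    # Same write as the reg add command above; create the key first on a bare host.
    if (-not (Test-Path $Target.Key)) { New-Item -Path $Target.Key -Force | Out-Null }
    Set-ItemProperty -Path $Target.Key -Name $ValueName -Value 1 -Type DWord
}

# Writing to HKLM needs administrative rights; fail clearly instead of half-applying.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host 'Must run elevated: this script writes to HKLM.'
    exit 2
}

$failed = $false
foreach ($t in $Targets) {
    if (Test-SigningRequired $t) {
        Write-Host "$($t.Name): SMB signing already required, no change made."
        continue
    }
    Set-SigningRequired $t
    if (Test-SigningRequired $t) {
        Write-Host "$($t.Name): SMB signing is now required."
    } else {
        # The registry write succeeded but the live configuration does not yet agree;
        # re-check after the relevant service restarts or the host reboots.
        Write-Host "$($t.Name): registry updated but live configuration still reports signing optional."
        $failed = $true
    }
}

if ($failed) { exit 1 } else { exit 0 }
```

If you would rather not touch the registry directly, Set-SmbServerConfiguration -RequireSecuritySignature $true -Force (and Set-SmbClientConfiguration for the client side) writes the same values through the supported cmdlets; the verification step above works the same way either route you take. Note that already-established SMB sessions are not renegotiated by the change, so a remote scanner may still report the old state until clients reconnect.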