Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, June 13, 2008

SMB Signing and the Proxy

In the world of file sharing, anyone with a Microsoft environment knows that SMB Signing is one way to ensure that the client is talking with the server that it's supposed to. SMB Signing guarantees that there's no device in between the client and the server intercepting the traffic and stealing company secrets, or hacking in by trying a man-in-the-middle attack.

That's a great philosophy if you know your network is secure and you have no devices in the way that will interfere with the network traffic. The problem, of course, comes into play when you talk about devices that do interrupt the flow of network traffic: devices that are designed to terminate network traffic, like the proxy. If you've deployed an in-line proxy, you already know that you have to make exceptions for specific types of traffic and allow that traffic to bypass the proxy. We've talked about some of these different types of traffic in previous articles here, including VoIP. SMB Signing falls into this bucket as well. To guarantee that you can reach the file shares you want when using SMB Signing, you'll need to make sure your proxy can let SMB Signing traffic go through in bypass mode.

Where's the problem in all of this? There are some proxies that will allow you to intercept SMB Signing from the client, let the proxy claim it is the file server, and then re-establish the connection to the file server from the proxy. Essentially, a man-in-the-middle. While this approach may work (meaning the client can successfully connect through and get files), it seems somehow wrong, as it has broken the essential trust model that SMB Signing was based on to begin with. If SMB Signing guarantees you're talking with the file server you think you are, how does allowing a man-in-the-middle keep that trust? If your proxy can be a man-in-the-middle in SMB Signing, why can't something with malicious intent do the same thing, and without your knowledge?

Perhaps it's best to let SMB Signing do what it's supposed to: guarantee you're talking to the server you think you are. Bypass that traffic on the proxy, and there are no worries if you ever need to audit the connection and figure out what happened to that traffic.
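What signing checks on each message, as an added example that is not part of the original post: it assumes the SMB2 dialects 2.0.2/2.1, where the signature is HMAC-SHA256 over the message with the Signature field zeroed, truncated to 16 bytes. The keys, IDs and message body are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 64             # fixed SMB2 header size
SIG_OFFSET = 48             # 16-byte Signature field, last field of the header
FLAGS_OFFSET = 16
SMB2_FLAGS_SIGNED = 0x00000008

def build_message(command, message_id, session_id, body):
    """Unsigned SMB2 message: header with the signed flag set, then the body."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command, 1,
                         SMB2_FLAGS_SIGNED, 0, message_id, 0, 0, session_id, bytes(16))
    return header + body

def compute_signature(session_key, message):
    """HMAC-SHA256 over the message with Signature zeroed, first 16 bytes kept."""
    zeroed = message[:SIG_OFFSET] + bytes(16) + message[HEADER_LEN:]
    return hmac.new(session_key, zeroed, hashlib.sha256).digest()[:16]

def sign(session_key, message):
    return message[:SIG_OFFSET] + compute_signature(session_key, message) + message[HEADER_LEN:]

def verify(session_key, message):
    """Receiver-side check when signing is required for the session."""
    if len(message) < HEADER_LEN or message[:4] != b"\xfeSMB":
        return False
    (flags,) = struct.unpack_from("<I", message, FLAGS_OFFSET)
    if not flags & SMB2_FLAGS_SIGNED:
        return False        # unsigned traffic is refused, not passed through
    return hmac.compare_digest(message[SIG_OFFSET:HEADER_LEN],
                               compute_signature(session_key, message))

def demo():
    session_key = bytes(range(16))        # constructed; really derived during authentication
    unrelated_key = bytes(range(16, 32))  # constructed; a key the endpoints never agreed on
    body = b"constructed placeholder body"  # not a real READ request structure
    signed = sign(session_key, build_message(0x0008, 5, 0x1122, body))
    altered = signed[:-4] + b"XXXX"       # body changed in transit, signature untouched
    unflagged = bytearray(signed)
    unflagged[FLAGS_OFFSET] &= ~SMB2_FLAGS_SIGNED & 0xFF   # signed flag cleared in transit
    return {
        "intact": verify(session_key, signed),
        "altered": verify(session_key, altered),
        "resigned_with_unrelated_key": verify(session_key, sign(unrelated_key, altered)),
        "signed_flag_cleared": verify(session_key, bytes(unflagged)),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The session key comes out of the authentication exchange, so the check holds only against a device that took no part in that exchange. When auditing a signed connection, the useful question is therefore which endpoints authenticated to each other.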
