How to disable SMB Signing on Windows Servers to improve SMB performance

When SMB signing is enabled on both the client and server, SMB sessions are authenticated between the machines on a packet-by-packet basis. This has a performance hit of between 10 and 15%, as every packet's signature has to be verified. Exinda can still reduce this data, but CIFS acceleration will not be as effective. Typically, Windows file servers that also act as a Domain Controller have SMB signing turned on.

To disable SMB signing on Windows Server 2000 and 2003, perform the following:

  1. Start the Registry Editor (regedit.exe).
  2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters. (In the local or Group Policy editor, the equivalent location is: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.)
  3. From the Edit menu select New – DWORD value.
  4. Add the following two values, EnableSecuritySignature and RequireSecuritySignature, if they do not exist.
  5. Set each value to 0 to disable (the default) or 1 to enable. With EnableSecuritySignature enabled, SMB signing is the preferred communication method whenever the client also has SMB signing enabled. With RequireSecuritySignature enabled, SMB signing MUST be used, so communication will fail if the client does not have SMB signing enabled. In the local or Group Policy editor, the equivalent is Security Options – Enable: Microsoft network server: Digitally sign communications (always) + (if client agrees).
  6. Close the registry editor.
  7. Restart the server.
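
The registry steps above can also be checked and applied from PowerShell. This is an added example, not part of the original article: the function names Get-SmbServerSigningState and Set-SmbServerSigning are hypothetical, and it assumes an elevated PowerShell session on the server.

```powershell
# Added example (not from the original article). Run in an elevated session.
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-SmbServerSigningState {
    # Read both values from step 4; a missing value is treated as 0,
    # which the article gives as the default.
    $values = @{}
    foreach ($name in 'EnableSecuritySignature', 'RequireSecuritySignature') {
        $item = Get-ItemProperty -Path $SmbParams -Name $name -ErrorAction SilentlyContinue
        if ($item) { $values[$name] = [int]$item.$name } else { $values[$name] = 0 }
    }
    # Interpret the pair as described in step 5.
    if ($values['RequireSecuritySignature'] -eq 1) {
        $effect = 'Signing required: clients without SMB signing cannot connect'
    } elseif ($values['EnableSecuritySignature'] -eq 1) {
        $effect = 'Signing used when the client also has it enabled'
    } else {
        $effect = 'Signing disabled on this server'
    }
    New-Object PSObject -Property @{
        EnableSecuritySignature  = $values['EnableSecuritySignature']
        RequireSecuritySignature = $values['RequireSecuritySignature']
        Effect                   = $effect
    }
}

function Set-SmbServerSigning {
    param(
        [ValidateSet(0, 1)][int]$Enable = 0,
        [ValidateSet(0, 1)][int]$Require = 0
    )
    # New-ItemProperty -Force creates the DWORD or overwrites an existing one.
    New-ItemProperty -Path $SmbParams -Name 'EnableSecuritySignature' `
        -PropertyType DWord -Value $Enable -Force | Out-Null
    New-ItemProperty -Path $SmbParams -Name 'RequireSecuritySignature' `
        -PropertyType DWord -Value $Require -Force | Out-Null
    Get-SmbServerSigningState   # show the result; step 7 (restart) still applies
}

# Report the current state; record it before changing anything.
Get-SmbServerSigningState | Format-List
# Set-SmbServerSigning -Enable 0 -Require 0   # uncomment to apply the article's setting
```

If the values return to 1 after a policy refresh, a Domain Controller Security Policy is setting them, which is the case the article covers next.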

In addition, default Domain Controller Security Policies may also force these values to “enabled” on Windows Servers.

  1. On Windows 2003 Servers, open Domain Controller Security Policy under Administrative Tools. Expand the Local Policies tree, then expand the Security Options tree and look for:
    • Microsoft network server: Digitally sign communications (always)
    • Microsoft network server: Digitally sign communications (if client agrees)
  2. Set both of these values to “Disabled”.

To disable SMB signing on Windows Server 2008 and 2008 R2, perform the following:

Changes need to be applied in the Group Policy Management console.

Start –> Administrative Tools –> Group Policy Management

Configure the Default Domain and Default Domain Controller Policies. The settings you are looking for are under:

Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Local Policies –> Security