How to determine if an SMB client has established a signed SMB communication from my Windows Server 2012?

Solution 1:

As of the time of this writing, the only way to really know this for sure is to watch the network connection as it's being negotiated through Wireshark or Network Monitor.

Right now, nothing exposes this data through an API, WMI class, etc.

The Get-SMBConnection PowerShell cmdlet will get you this information in the future, but not today.

The cmdlet is simply a wrapper around the MSFT_SmbConnection WMI class.

Get-WmiObject -Namespace 'Root\Microsoft\Windows\SMB' MSFT_SmbConnection

Returns the exact same info. If you go read the MSDN documentation for that WMI class, you will see that the documentation lists a Signed property in addition to the Encrypted property that you see today.

class MSFT_SmbConnection
{
  string  ServerName;
  string  ShareName;
  string  UserName;
  uint32  SmbInstance;
  string  Credential;
  uint64  NumOpens;
  string  Dialect;
  boolean ContinuouslyAvailable;
  boolean Encrypted;
  boolean EnableLoadBalanceScaleOut;
  boolean Signed;  // ^_^ *trollface*
};

The documentation then goes on to say:

Signed

Data type: Boolean

Access type: Read-only

TBD. (To be determined)

Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8: This property is not supported before Windows Server Technical Preview and Windows 10 Technical Preview.

Windows 10 preview is when it first shows up. So there you have it.

Solution 2:

For the benefit of Google, I was also struggling with discovering if my SMB Signing was actually working or not. I swear Get-SmbConnection wasn't returning the 'Signed' property yesterday, but today when I run (on my Windows 10 1903 x64 machine, PSVersion 5.1.18362.145):

PS C:\WINDOWS\system32> Get-SmbConnection | fl *
SmbInstance           : Default
ContinuouslyAvailable : False
Credential            : DOMAIN\user
Dialect               : 3.0.2
Encrypted             : False
NumOpens              : 1
Redirected            : False
ServerName            : server.domain
ShareName             : share
Signed                : False
UserName              : DOMAIN\user
PSComputerName        :
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties

'Signed' is a property returned, and shows True or False.

However, my Server 2012 R2 (PSVersion 5.1.14409.1018) currently does not. A colleague on Windows 10 1809 (PSVersion 5.1.17763.592) also has it.
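
Added example (not part of either answer above): both answers show that whether Get-SmbConnection returns a Signed property depends on the OS build, so a check has to separate "not signed" from "this build does not report it". The function name Get-SmbSigningState and the sample objects are assumptions constructed for illustration; the sample values mirror the output shown in Solution 2.

```powershell
# Added example, not from either answer. Reports signing state per SMB client
# connection and distinguishes "not signed" from "this build cannot tell you".
function Get-SmbSigningState {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-SmbConnection output; defaults to live connections.
        [object[]] $Connection = @(Get-SmbConnection)
    )
    foreach ($c in $Connection) {
        # Look the property up by name so a missing property yields $null
        # instead of an error under Set-StrictMode.
        $prop = $c.PSObject.Properties['Signed']
        $state = if ($null -eq $prop -or $null -eq $prop.Value) {
            'Unknown'      # property absent or empty: fall back to a packet capture
        } elseif ($prop.Value) {
            'Signed'
        } else {
            'NotSigned'
        }
        [pscustomobject]@{
            ServerName = $c.ServerName
            ShareName  = $c.ShareName
            Dialect    = $c.Dialect
            Encrypted  = $c.Encrypted
            Signing    = $state
        }
    }
}

# Constructed sample objects so the function can be exercised offline.
$sample = @(
    # Shaped like the Windows 10 1903 output in Solution 2.
    [pscustomobject]@{ ServerName='server.domain'; ShareName='share'; Dialect='3.0.2'; Encrypted=$false; Signed=$false }
    # Shaped like a build that does not return Signed (for example Server 2012 R2).
    [pscustomobject]@{ ServerName='server.domain'; ShareName='share'; Dialect='3.0.2'; Encrypted=$false }
)
Get-SmbSigningState -Connection $sample | Format-Table -AutoSize

# On a live machine, run it with no arguments:
# Get-SmbSigningState | Format-Table -AutoSize
```

A result of Unknown means the connection still has to be checked in Wireshark or Network Monitor, as Solution 1 describes.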