Our security team performs a scan on a Windows 7 client and I get a level three threat on SMB signing. I have tried two different approaches to address:
1) Force Signing required
2) SMB disabled altogether
The risk remains in each subsequent scan. Is there something else I should try?
Here is what I've tried to date:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
To require SMB signing:
Use gpedit.msc, then navigate to:
- Computer Configuration
- Windows Settings
- Security Settings
- Local Policies
Search within the right pane for:
"Microsoft network client: Digitally sign communications (always)"
> Set this to enabled
"Microsoft network client: Digitally sign communications (if server agrees)"
> Set this to disabled (or not configured)
SMB Signing Disabled or SMB Signing Not Required (1)
QID: 90043
CVSS Base: 7.3
Category: Windows
CVSS Temporal: 6.3
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 08/30/2012
User Modified: -
PCI Vuln: Yes
This host does not seem to be using SMB (Server Message Block) signing. SMB signing is a security mechanism in the SMB protocol and is also known as security signatures. SMB signing is designed to help improve the security of the SMB protocol.
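
Added example, not part of the original post: a PowerShell 2.0 check, run on the scanned client, that reads the registry values behind the SMB signing policies and the `mrxsmb10`/`mrxsmb20` driver start types set by the `sc.exe` commands above. It reports the Workstation (client) service that the "Microsoft network client" policies configure and also the Server service, which is the side a remote scan of the host connects to; the helper name `Get-RegDword` is hypothetical.

```powershell
# Added example: audit the effective SMB signing configuration on this machine.
# Compatible with PowerShell 2.0 (the version shipped with Windows 7).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegDword([string]$Path, [string]$Name) {
    # Hypothetical helper: returns the value, or $null if the key/value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Signing values for both SMB roles:
#   LanmanWorkstation = "Microsoft network client: ..." policies
#   LanmanServer      = "Microsoft network server: ..." policies
$signing = @()
foreach ($svc in 'LanmanWorkstation', 'LanmanServer') {
    $params  = "$base\$svc\Parameters"
    $require = Get-RegDword $params 'RequireSecuritySignature'  # "(always)"
    $enable  = Get-RegDword $params 'EnableSecuritySignature'   # "(if ... agrees)"
    $signing += New-Object PSObject -Property @{
        Service                  = $svc
        RequireSecuritySignature = $require
        EnableSecuritySignature  = $enable
        SigningRequired          = ($require -eq 1)
    }
}
$signing | Format-Table Service, RequireSecuritySignature,
    EnableSecuritySignature, SigningRequired -AutoSize

# Start type of the SMB redirector drivers changed by "sc.exe config ... start=".
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
$drivers = @()
foreach ($drv in 'mrxsmb10', 'mrxsmb20') {
    $start = Get-RegDword "$base\$drv" 'Start'
    if ($start -ne $null) { $label = $startNames[[int]$start] } else { $label = 'not present' }
    $drivers += New-Object PSObject -Property @{ Driver = $drv; Start = $start; StartType = $label }
}
$drivers | Format-Table Driver, Start, StartType -AutoSize

# Flag any role where signing is still optional or off.
foreach ($row in $signing) {
    if (-not $row.SigningRequired) {
        Write-Warning "$($row.Service): RequireSecuritySignature is not 1; signing is not required for this role."
    }
}
```

A warning for `LanmanServer` means the "Microsoft network server: Digitally sign communications (always)" policy is not in effect on the host, independent of the client-side settings.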