
SMB Signing

SMB is the protocol used to access the beamline filesystem from Windows machines. The SMB protocol supports a feature called SMB Signing, where each SMB packet receives a security signature. The security signature is generated by the sender and verified by the receiver. This allows SMB to detect any tampering with an SMB packet, e.g. to mitigate man-in-the-middle attacks.

SMB Signing has a performance overhead due to the security signature involved, which is especially visible on Windows machines with >= 1 Gbit/s Ethernet. In the worst case, SMB Signing might limit a 10 Gbit/s link to ~1-2 Gbit/s.

Microsoft itself recommends using SMB Encryption if both performance and security are required. The encryption algorithm used is very fast and allows saturation of a 10 Gbit/s Ethernet link from Windows.

For all Windows installations at DESY, SMB Signing is enforced by a group policy in the Active Directory.

Beamline Filesystem: Deactivation of SMB Signing for DESY Installations

In order to maximize the performance of SMB for Windows machines with 10 Gbit/s Ethernet to the beamline filesystem, SMB Signing should be disabled. The following steps have to be taken:

  • The Windows machine must have a >=10 Gbit/s link and needs fast access to the beamline filesystem
  • Move the Windows machine into the Device Container in the Active Directory
  • Send an email to windows@desy.de with the host name of the Windows machine and request that SMB Signing be disabled
    • A reboot is required after the change has been applied
    • If the hostname ever changes, this has to be requested again!
  • SMB Signing should now be disabled and full speed to the beamline filesystem should be possible
    • If in doubt, please connect via SMB to the beamline filesystem and send an email to it-asap3@desy.de with the beamline and hostname for confirmation

Core Filesystem: SMB Encryption

SMB Signing also affects the performance of the SMB export for the core filesystem. In order to enhance the performance, SMB encryption has been enabled to overcome the limitations of SMB Signing.

Access to the Core Filesystem via SMB is by default fast due to SMB Encryption and SMB Signing must not be disabled.
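
To see on the Windows machine itself what the two sections above describe (signing switched off for a beamline host, encryption in use for the core filesystem), the following added example, which is not DESY's own tooling, reports the client signing policy and what each open SMB connection actually negotiated. It uses only the built-in Get-SmbClientConfiguration and Get-SmbConnection cmdlets; that the exemption shows up in the client-side setting is an assumption.

```powershell
# Added example: report SMB signing policy and per-connection protection.
# Open the share in question first (e.g. in Explorer), then run this script.

# Client-side signing policy. Assumption: after the exemption and the
# required reboot, RequireSecuritySignature reads False on a beamline host.
$cfg = Get-SmbClientConfiguration
[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    RequireSecuritySignature = $cfg.RequireSecuritySignature
    EnableSecuritySignature  = $cfg.EnableSecuritySignature
} | Format-List

# Per-connection state: what was actually negotiated with each server.
$connections = Get-SmbConnection
if (-not $connections) {
    Write-Warning 'No active SMB connections. Open the share first, then re-run.'
    return
}

$report = foreach ($c in $connections) {
    # Encryption takes precedence in the summary column; a connection that is
    # neither signed nor encrypted has no tamper protection at the SMB layer.
    $protection = if ($c.Encrypted) { 'Encrypted' } elseif ($c.Signed) { 'Signed' } else { 'None' }
    [pscustomobject]@{
        Server     = $c.ServerName
        Share      = $c.ShareName
        Dialect    = $c.Dialect
        Signed     = $c.Signed
        Encrypted  = $c.Encrypted
        Protection = $protection
    }
}
$report | Sort-Object Server, Share | Format-Table -AutoSize

# Connections with Protection = None should only be the exempted
# beamline filesystem; anything else deserves a closer look.
$unprotected = @($report | Where-Object Protection -eq 'None')
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} connection(s) without signing or encryption: {1}" -f
        $unprotected.Count, (($unprotected.Server | Sort-Object -Unique) -join ', '))
}
```

A core filesystem connection should show Encrypted as True; a beamline connection that still shows Signed as True after the reboot indicates the exemption has not taken effect on that host.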