Network Access: Microsoft network Server: Digitally sign communications (always) must be configured to Enabled


The server message block (SMB) protocol provides the basis for many network operations. Digitally signed SMB packets aid in preventing man-in-the-middle attacks. If this policy is enabled, the SMB server will only communicate with an SMB client that performs SMB packet signing


To fix this configure the policy value for:
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Local Policies
|_ Security Options
|_ Microsoft network server: Digitally sign communications (always) to "Enabled".

STIG: Server 2019:
Server 2016:

More information on this option:

NIST 800-53: SC-12(2),SC-12(3),SC-13
NIST 800-171 Rev2: 3.13.11
NIST 800-171A: 3.8.6, 3.13.11
CMMC v2.0 Mapping v1.02: SC.3.177
CMMC V2.0 Level 2: SC.L2-3.13.11
CMMC v2.0 Level 3: SC.L2-3.13.11, TBD - 3.14.1e
CSA CMM v4: CEK-01, CEK-02, CEK-03, CEK-04, DSP-10, LOG-10, LOG-11
PCI DSS 3.2: 2.2.3, 4.1
PCI DSS 4.0: 3.3.2, 8.3.2, 12.3.3
SIG: D.7.5.1
STIG: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188

NOTE: Modifying this setting may affect compatibility with clients that does not support SMBv2, like old OS Windows XP or outdated windows 7