IRONSMITHINTEL
Severity: HIGH | Auth: network access | Reboot: not required | Est. 10 minutes | Manual only

Require SMB Signing to Prevent NTLM Relay and Man-in-the-Middle Attacks

Without SMB signing, attackers can relay captured NTLM authentication to authenticate to other servers as the victim — requiring signing makes relayed credentials unusable.

Published May 7, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker on the network can run Responder to poison LLMNR/NBT-NS name resolution and capture NTLM authentication attempts, while ntlmrelayx forwards those authentication messages in real time to another server that does not require SMB signing. If the relayed account has local administrator rights on that target, the attacker gets immediate code execution there (by default ntlmrelayx dumps the target's local SAM). This is one of the most effective lateral-movement techniques in Windows environments and is used routinely by penetration testers and real attackers alike.

How the attack works

SMB signing attaches a message authentication code to every SMB message, computed with a session key that is derived from the authenticating user's NTLM secret. A relay attacker only forwards the NTLM messages between victim and target and never obtains that key, so it cannot produce valid signatures and a target that requires signing rejects the relayed session. Without the requirement, an attacker using Responder together with ntlmrelayx (part of Impacket) can intercept NTLM authentication attempts and relay them to other servers in real time. The attacker never needs the password or even its hash: the victim's own authentication exchange does the work.
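The mechanism described above, as an added example that is not part of the original page: SMB 2.0.2/2.1 sign each message as HMAC-SHA256 keyed by the session key over the whole message with the 16-byte Signature field zeroed, and carry the first 16 bytes of the MAC in that field (SMB 3.x derives a separate signing key and uses AES-CMAC, same principle). The session key, message bytes and function names below are constructed for illustration; the message is not real captured traffic.

```powershell
# Added example, not from the original page: why a relay cannot satisfy SMB signing.
# SMB 2.0.2/2.1: Signature = first 16 bytes of HMAC-SHA256(SessionKey, message with
# header bytes 48..63 zeroed). SessionKey is a function of the user's NT hash; a relay
# that only forwards NTLM messages never learns it.
# $sessionKey and $message are constructed sample values.

function Get-Smb2Signature {
    param([byte[]]$SessionKey, [byte[]]$Message)
    $copy = [byte[]]$Message.Clone()
    for ($i = 48; $i -lt 64; $i++) { $copy[$i] = 0 }   # zero the Signature field before hashing
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($SessionKey)
    try     { [byte[]]($hmac.ComputeHash($copy)[0..15]) }
    finally { $hmac.Dispose() }
}

function Add-Smb2Signature {
    param([byte[]]$SessionKey, [byte[]]$Message)
    $signed = [byte[]]$Message.Clone()
    $sig = Get-Smb2Signature -SessionKey $SessionKey -Message $signed
    [Array]::Copy($sig, 0, $signed, 48, 16)              # place the MAC into header bytes 48..63
    $signed
}

function Test-Smb2Signature {
    param([byte[]]$SessionKey, [byte[]]$Message)
    $expected = Get-Smb2Signature -SessionKey $SessionKey -Message $Message
    $present  = [byte[]]$Message[48..63]
    # Hex-string compare keeps the demo short; production code should compare in constant time.
    [BitConverter]::ToString($expected) -eq [BitConverter]::ToString($present)
}

# Constructed 80-byte SMB2 message: 64-byte header (ProtocolId 0xFE 'S' 'M' 'B',
# SMB2_FLAGS_SIGNED at byte 16) plus a 16-byte body standing in for a command payload.
$message = New-Object byte[] 80
$message[0] = 0xFE; [Text.Encoding]::ASCII.GetBytes('SMB').CopyTo($message, 1)
$message[16] = 0x08
for ($i = 64; $i -lt 80; $i++) { $message[$i] = $i }

$sessionKey = [byte[]](1..16)      # key held by the genuine client and the target, not by the relay
$signed     = Add-Smb2Signature -SessionKey $sessionKey -Message $message

# The genuine client's message, checked by the target.
Test-Smb2Signature -SessionKey $sessionKey -Message $signed

# The same message altered in transit by an on-path attacker.
$tampered = [byte[]]$signed.Clone(); $tampered[70] = 0xFF
Test-Smb2Signature -SessionKey $sessionKey -Message $tampered

# A relay that has to sign with a key it does not hold (here: an all-zero guess).
$relayKey = New-Object byte[] 16
$forged   = Add-Smb2Signature -SessionKey $relayKey -Message $message
Test-Smb2Signature -SessionKey $sessionKey -Message $forged
```

Run as-is in Windows PowerShell 5.1 or PowerShell 7: the first check verifies, the tampered message and the relay's forged signature both fail. That last failure is exactly what "require signing" buys you; with signing merely enabled but not required, the relay can negotiate an unsigned session and the target never asks for the MAC.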

Am I affected? Quick check

Probably yes if any of these apply:

Any Windows Server, whatever its role
File Servers
Any host accepting inbound SMB connections, including workstations
SMB signing enabled but not required (RequireSecuritySignature = 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters)

The server-side setting on the host an attacker relays to is what blocks the attack; the client-side setting on the victim machine does not stop its authentication from being relayed elsewhere. Domain Controllers require server-side signing out of the box through the Default Domain Controllers Policy, so they are usually the only hosts already covered; verify them anyway, since that policy can be overridden.
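A fleet-wide version of the quick check, added here as example code rather than anything from the original page. It queries each host over CIM (WS-Man) with the same cmdlets used in the manual steps and flags the hosts whose server side does not require signing, which are the ones an attacker can relay into. It assumes WinRM is reachable and that you are a local administrator on the targets; the host names at the bottom are constructed placeholders.

```powershell
# Added example, not from the original page: audit SMB signing posture across many hosts.
# Assumes WS-Man/WinRM access and local admin rights on each target.

function Get-SmbSigningPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential
    )

    foreach ($name in $ComputerName) {
        $sessionArgs = @{ ComputerName = $name; ErrorAction = 'Stop' }
        if ($Credential) { $sessionArgs.Credential = $Credential }

        try {
            $session = New-CimSession @sessionArgs
        } catch {
            # Report unreachable hosts explicitly instead of silently dropping them from the audit.
            [pscustomobject]@{
                ComputerName   = $name
                ServerRequires = $null
                ClientRequires = $null
                RelayTarget    = $null
                Note           = "unreachable: $($_.Exception.Message)"
            }
            continue
        }

        try {
            $srv = Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop
            $cli = Get-SmbClientConfiguration -CimSession $session -ErrorAction Stop
            [pscustomobject]@{
                ComputerName   = $name
                ServerRequires = [bool]$srv.RequireSecuritySignature
                ClientRequires = [bool]$cli.RequireSecuritySignature
                # Only the server-side requirement stops a relay aimed at this host.
                RelayTarget    = -not [bool]$srv.RequireSecuritySignature
                Note           = ''
            }
        } finally {
            Remove-CimSession -CimSession $session
        }
    }
}

# Constructed host list for illustration. In a domain you would typically feed
# (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name from the ActiveDirectory module.
$posture = Get-SmbSigningPosture -ComputerName 'srv-files-01', 'srv-app-02', 'dc-01'
$posture | Format-Table -AutoSize

# Hosts an attacker could relay into right now:
$posture | Where-Object RelayTarget | Select-Object -ExpandProperty ComputerName
```

Hosts that time out are listed with a Note rather than omitted, because a host you cannot reach over WinRM is still reachable over SMB 445 and still a relay target until proven otherwise.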

Affected OS versions

Windows Server 2016, Windows Server 2019, Windows Server 2022

Fixed in: SMB signing required (RequireSecuritySignature = 1)

Real-world incidents: what we've seen

SMB relay appears as a finding in the large majority of internal penetration test reports for Windows environments. In an environment where member servers do not require SMB signing, a penetration tester starting from a standard workstation can typically obtain local administrator access on servers within an hour using only Responder and ntlmrelayx, then use the credentials recovered from those servers to work towards the Domain Controllers (which, requiring signing by default, are not themselves a direct SMB relay target).

How to patch

Manual remediation steps

10 minutes

Check Current SMB Signing Status

Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
# EnableSecuritySignature only governs SMB1; SMB2 and later ignore it, so RequireSecuritySignature is the value that matters

Require SMB Signing on Server

# -Force suppresses the confirmation prompt; the change applies to new SMB sessions without a reboot
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
# Client side: this host will then refuse unsigned sessions to any server, including appliances that cannot sign
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

Verification

Get-SmbServerConfiguration | Select-Object RequireSecuritySignature
# Must return RequireSecuritySignature = True
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
# Must return RequireSecuritySignature = True
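The three manual steps above as one idempotent function, added here as example code that is not from the original page. It records the starting state, changes only what is not already required, then verifies twice: through the cmdlets and independently through the registry values that both the cmdlets and the Group Policy settings write. It assumes it is run elevated on the host being remediated; the function name is my own.

```powershell
# Added example, not from the original page: require SMB signing on the local host and verify it.
# Run in an elevated PowerShell session on the target server. Supports -WhatIf.

function Set-SmbSigningRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

    $beforeServer = [bool](Get-SmbServerConfiguration).RequireSecuritySignature
    $beforeClient = [bool](Get-SmbClientConfiguration).RequireSecuritySignature

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require SMB signing (server and client)')) {
        # Change only what is not already required, so re-running is harmless.
        if (-not $beforeServer) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
        if (-not $beforeClient) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
    }

    # Independent verification: the cmdlets and GPO both land in these registry values.
    $regServer = (Get-ItemProperty -Path $serverKey).RequireSecuritySignature
    $regClient = (Get-ItemProperty -Path $clientKey).RequireSecuritySignature

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        ServerRequired = [bool](Get-SmbServerConfiguration).RequireSecuritySignature
        ClientRequired = [bool](Get-SmbClientConfiguration).RequireSecuritySignature
        RegistryServer = $regServer
        RegistryClient = $regClient
        BeforeServer   = $beforeServer
        BeforeClient   = $beforeClient
    }

    if (-not $WhatIfPreference) {
        $ok = $result.ServerRequired -and $result.ClientRequired -and
              ($regServer -eq 1) -and ($regClient -eq 1)
        if (-not $ok) {
            # Most common cause: a Group Policy that sets the value back to 0 at refresh.
            throw "SMB signing is still not required on $env:COMPUTERNAME; check for a conflicting Group Policy (gpresult /h report.html)."
        }
    }
    $result
}

# Preview first, then apply.
Set-SmbSigningRequired -WhatIf
Set-SmbSigningRequired | Format-List
```

If the function throws after applying the change, the host is almost certainly under a policy that explicitly disables the requirement; fix the policy rather than fighting it with local settings, since the next refresh will undo the local change.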

Group Policy Deployment

Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options:

1. "Microsoft network server: Digitally sign communications (always)" → Enabled
2. "Microsoft network client: Digitally sign communications (always)" → Enabled

These two settings write RequireSecuritySignature under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters respectively, the same values the Set-SmbServerConfiguration and Set-SmbClientConfiguration cmdlets change, so a policy applied to a host overrides any local cmdlet setting at the next policy refresh. Pilot the client-side setting on a test OU first: a host that requires client signing will fail to connect to devices that cannot sign, such as older NAS appliances and printers.
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.