How to determine if an SMB client has established a signed SMB communication from the Windows Server 2012

network-share server-message-block windows-server-2012

Is there a way to find from my Windows 2012 Server if the client has established a signed communication?

Net Session gives the basic details but does not say anything about signing.

C:\>net session \\a.b.c.d
User name       Administrator
Computer        a.b.c.d
Guest logon     No
Client type
Sess time       00:08:02
Idle time       00:07:50

Share name     Type     # Opens

--------------------------------------
test           Disk     0
The command completed successfully.

Is there any PowerShell cmdlet or any administrative tool or command that would provide such information? Thanks in advance.

Edit 1:
I also tried the following. Get-SmbConnection should be executed on the client to find the servers to which the client has established connections.

PS C:\Users\Administrator> Get-SmbConnection | Select-Object -Property *
ContinuouslyAvailable : False
Credential            : domain\administrator
Dialect               : 3.00
Encrypted             : False
NumOpens              : 3
ServerName            : server1
ShareName             : test
UserName              : SERVER1\Administrator
PSComputerName        :
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties

Best Answer

As of the time of this writing, the only way to really know this for sure is to watch the network connection as it's being negotiated through Wireshark or Network Monitor.

Right now, nothing exposes this data through an API, WMI class, etc.

The Get-SMBConnection PowerShell cmdlet will get you this information in the future, but not today.

The cmdlet is simply a wrapper around the MSFT_SmbConnection WMI class.

Get-WmiObject -Namespace 'Root\Microsoft\Windows\SMB' MSFT_SmbConnection

Returns the exact same info. If you go read the MSDN documentation for that WMI class, you will see that the documentation lists a Signed property in addition to the Encrypted property that you see today.

class MSFT_SmbConnection
{
  string  ServerName;
  string  ShareName;
  string  UserName;
  uint32  SmbInstance;
  string  Credential;
  uint64  NumOpens;
  string  Dialect;
  boolean ContinuouslyAvailable;
  boolean Encrypted;
  boolean EnableLoadBalanceScaleOut;
  boolean Signed;  // ^_^ *trollface*
};

The documentation then goes on to say:

Signed

Data type: Boolean

Access type: Read-only

TBD. (To be determined)

Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8: This property is not supported before Windows Server Technical Preview and Windows 10 Technical Preview.

Windows 10 preview is when it first shows up. So there you have it.
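
Added example (not part of the original answer, and not Microsoft's code): what to look for in a Wireshark or Network Monitor capture is the SecurityMode field of the SMB2 NEGOTIATE exchange and the SMB2_FLAGS_SIGNED bit on later requests. The sketch below reads both from raw SMB2 messages; field offsets and flag values follow MS-SMB2, the function names are hypothetical, and it assumes unencrypted SMB2 messages with TCP/NetBIOS framing already stripped. The sample messages are constructed, not captured.

```python
import struct

# Field layout and flag values are from the SMB2 specification (MS-SMB2).
HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")   # 64-byte SMB2 packet header
FLAG_RESPONSE, FLAG_SIGNED = 0x00000001, 0x00000008
NEGOTIATE, SESSION_SETUP, TREE_CONNECT = 0x0000, 0x0001, 0x0003
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002


def inspect(msg: bytes) -> dict:
    """Signing-related fields of one SMB2 message (transport framing removed)."""
    if len(msg) < HEADER.size:
        raise ValueError("shorter than the 64-byte SMB2 header")
    f = HEADER.unpack_from(msg)
    if f[0] != b"\xfeSMB" or f[1] != 64:
        # Also rejects SMB1 (\xffSMB) and encrypted SMB3 transform headers (\xfdSMB).
        raise ValueError("not a plain SMB2 header")
    info = {"command": f[4], "response": bool(f[6] & FLAG_RESPONSE),
            "signed": bool(f[6] & FLAG_SIGNED)}
    if f[4] == NEGOTIATE:
        # SecurityMode follows StructureSize in a response, DialectCount in a request.
        (mode,) = struct.unpack_from("<H", msg, 66 if info["response"] else 68)
        info["signing_enabled"] = bool(mode & SIGNING_ENABLED)
        info["signing_required"] = bool(mode & SIGNING_REQUIRED)
    return info


def summarize(messages) -> dict:
    """One connection: did either side require signing, and were requests signed?"""
    out = {"client_requires": None, "server_requires": None, "signed": 0, "unsigned": 0}
    for info in map(inspect, messages):
        if info["command"] == NEGOTIATE:
            side = "server_requires" if info["response"] else "client_requires"
            out[side] = info["signing_required"]
        elif info["command"] != SESSION_SETUP and not info["response"]:
            # Simplification: only client requests after authentication are counted.
            out["signed" if info["signed"] else "unsigned"] += 1
    return out


def build(command, flags=0, body=b""):
    """Construct a sample message for the demo below (not captured traffic)."""
    return HEADER.pack(b"\xfeSMB", 64, 0, 0, command, 1, flags, 0, 0, 0, 0, 0, bytes(16)) + body


# Constructed sample: neither side requires signing, so the request goes unsigned.
SAMPLE = [
    build(NEGOTIATE, 0, struct.pack("<HHH", 36, 1, SIGNING_ENABLED)),
    build(NEGOTIATE, FLAG_RESPONSE, struct.pack("<HHH", 65, SIGNING_ENABLED, 0x0300)),
    build(TREE_CONNECT),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A connection where `server_requires` is False and `unsigned` is non-zero is the case the question is trying to detect from the server side.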