Original publish date: September 9, 2025
KB ID: 5066913
Summary
The SMB Server already supports two mechanisms for hardening against relay attacks:
- SMB Server signing
- SMB Server Extended Protection for Authentication (EPA)
In some customer environments, enforcing either of these hardening mechanisms poses compatibility risks as some legacy systems and third-party implementations may not support SMB Server signing or SMB Server EPA.
As part of the Windows updates released on and after September 9, 2025 (CVE-2025-55234), support is enabled for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA. This allows customers to assess their environment and identify any potential device or software incompatibility issues before deploying the hardening measures that are already supported by SMB Server.
Background
SMB Server might be susceptible to relay attacks depending on the configuration. To prevent this vulnerability, Microsoft released the following mitigations:
- SMB Server EPA
- SMB Server signing
Customers must either configure SMB Server to require SMB Server signing or enable SMB Server EPA to harden their systems against this class of attack.
An SMB server with encryption enabled globally and unencrypted access disallowed is also protected against relay attacks. For more information, see SMB Security Enhancements.
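As an added example (not part of the KB article), the following PowerShell function reads the server's current SMB configuration and reports whether any of the three relay mitigations the article lists is active: signing required, EPA enabled, or encryption enabled globally with unencrypted access rejected. The Get-SmbServerConfiguration cmdlet and its RequireSecuritySignature, EncryptData and RejectUnencryptedAccess properties are standard; the SmbServerNameHardeningLevel property used to read the EPA state is an assumption, and the function reports the EPA state as unknown when that property is absent.

```powershell
# Added example, not part of the KB article. Summarizes whether this SMB server's
# current configuration meets one of the relay-hardening conditions the article
# lists. Run in an elevated PowerShell session on the server being assessed.
function Get-SmbRelayHardeningPosture {
    $cfg = Get-SmbServerConfiguration

    # Signing: the article says requiring signing on the server is sufficient.
    $signingRequired = [bool]$cfg.RequireSecuritySignature

    # Encryption: both conditions from the article must hold at the same time.
    $encryptedAccessOnly = [bool]$cfg.EncryptData -and [bool]$cfg.RejectUnencryptedAccess

    # EPA: ASSUMPTION - the SmbServerNameHardeningLevel property (0 = off) reflects
    # the server-side EPA/SPN validation setting. The article does not name this
    # property, so on builds that lack it the result is reported as unknown ($null).
    $epaEnabled = $null
    if ($cfg.PSObject.Properties.Name -contains 'SmbServerNameHardeningLevel') {
        $epaEnabled = ([int]$cfg.SmbServerNameHardeningLevel -gt 0)
    }

    $protected = $signingRequired -or ($epaEnabled -eq $true) -or $encryptedAccessOnly

    [pscustomobject]@{
        SigningRequired       = $signingRequired
        EpaEnabled            = $epaEnabled
        EncryptedAccessOnly   = $encryptedAccessOnly
        ProtectedAgainstRelay = $protected
        NextStep              = if ($protected) {
                                    'At least one relay mitigation is active'
                                } else {
                                    'Enable the compatibility audits, then require signing or enable EPA'
                                }
    }
}

Get-SmbRelayHardeningPosture | Format-List
```

Run it on each file server before and after changing policy; a server whose EpaEnabled field is empty needs the EPA state confirmed by another route, because the example deliberately does not guess it.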
Enabling Audit support for SMB Server signing
By default, auditing for SMB Server signing is disabled. It can be enabled for both the SMBv1 server and the SMB2/3 server through Group Policy or a registry setting.
Group Policy
Policy location: Computer Configuration\Administrative Templates\Network\Lanman Server
Policy name: Audit client does not support signing
Policy states:
Registry
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: AuditClientSpnSupport
Type: REG_DWORD
Data:
SMB Server signing Audit events
Event Log: Microsoft-Windows-SMBServer/Audit
Event Type: Warning
Event Source: Microsoft-Windows-SMBServer
Event ID: 3021
Event Text: The SMB server observed that the client doesn't support signing. Client name: <> User name: <> Server requires signing: <>

Event Log: Microsoft-Windows-SMBServer/Audit
Event Type: Warning
Event Source: Microsoft-Windows-SMBServer
Event ID: 3027
Event Text: The SMBv1 server observed that the SMBv1 client does not have signing enabled. Client name: <> Server requires signing: <>
Guidance: This event indicates that the SMBv1 client may not support SMB signing, but because of protocol limitations this cannot be determined with certainty. Further evaluation is recommended to verify the client's signing capabilities.
Before Windows Vista, SMBv1 clients that did not have signing explicitly enabled could not perform SMB signing.
This behavior was changed with the release of Windows Vista and was also backported to Windows XP and Windows Server 2003 through updates. With these changes, SMB clients may support signing even if it is not explicitly enabled, provided the server requires it.
Notes
- Clients that correctly implement signing but do not advertise such support will result in false positives.
- Clients that advertise support for signing but do not correctly implement support will result in false negatives.
Enabling Audit support for SMB Server EPA
By default, auditing for SMB Server EPA is disabled. It can be enabled for both the SMBv1 server and the SMB2/3 server through Group Policy or a registry setting.
Group Policy
Policy location: Computer Configuration\Administrative Templates\Network\Lanman Server
Policy name: Audit SMB client SPN support
Policy states:
Registry
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: AuditClientSpnSupport
Type: REG_DWORD
Data:
SMB Server EPA Audit events
Event Log: Microsoft-Windows-SMBServer/Audit
Event Type: Warning
Event Source: Microsoft-Windows-SMBServer
Event ID: 3024
Event Text: The SMB server observed that the client did not send an SPN during authentication, indicating that the client does not support Extended Protection for Authentication (EPA) or that support for EPA is disabled. Client name: <> SPN Query Status: <> Enable Extended Protection for Authentication Policy: <>

Event Log: Microsoft-Windows-SMBServer/Audit
Event Type: Warning
Event Source: Microsoft-Windows-SMBServer
Event ID: 3025
Event Text: The SMB server observed that the client sent an unrecognized SPN during authentication. Client name: <> SPN: <> Enable Extended Protection for Authentication Policy: <>

Event Log: Microsoft-Windows-SMBServer/Audit
Event Type: Warning
Event Source: Microsoft-Windows-SMBServer
Event ID: 3026
Event Text: The SMB server observed that the client sent an empty SPN during authentication, which indicates the client is capable of sending an SPN but elected not to supply one. Client name: <> Enable Extended Protection for Authentication Policy: <>
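The audit events in both sections above are only useful once they are turned into a list of clients to follow up on. The following PowerShell script is an added example, not code from the KB article: it checks the state of the audit registry value named in the article, then reads the Microsoft-Windows-SMBServer/Audit channel for event IDs 3021, 3027, 3024, 3025 and 3026 and collapses them into one row per client and event, marking 3027 rows as needing verification because of the false-positive caveat in the signing Notes. The log name, event IDs and message field labels come from the article; the assumption that a REG_DWORD data of 1 means "enabled" is the example's own, since the article's Data field is blank here, and the per-client field parsing relies on the message layout shown in the Event Text entries.

```powershell
# Added example, not part of the KB article. Builds a per-client compatibility
# inventory from the SMB server audit events so incompatible clients can be found
# before signing or EPA is enforced. Run in an elevated PowerShell session on the server.

$AuditLog = 'Microsoft-Windows-SMBServer/Audit'
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Event IDs from the article and what each one tells us. 3027 is marked uncertain
# because, as the article's Notes explain, an SMBv1 client may sign without advertising it.
$EventMeaning = @{
    3021 = @{ Check = 'Signing'; Certain = $true;  Finding = 'client does not support signing' }
    3027 = @{ Check = 'Signing'; Certain = $false; Finding = 'SMBv1 client without signing enabled' }
    3024 = @{ Check = 'EPA';     Certain = $true;  Finding = 'no SPN sent (EPA unsupported or disabled)' }
    3025 = @{ Check = 'EPA';     Certain = $true;  Finding = 'unrecognized SPN sent' }
    3026 = @{ Check = 'EPA';     Certain = $true;  Finding = 'empty SPN sent (client chose not to supply one)' }
}

# Report the current state of the audit registry value named in the article.
# ASSUMPTION: a REG_DWORD data of 1 means enabled; the article's Data cell is blank here.
function Get-SmbAuditSetting {
    param([string]$ValueName = 'AuditClientSpnSupport')
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    $data  = $null
    if ($props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
        $data = [int]$props.$ValueName
    }
    [pscustomobject]@{ ValueName = $ValueName; Data = $data; Enabled = ($data -eq 1) }
}

# Pull a labelled field such as "Client name: <value>" out of an event's message text.
# Labels are matched with a trailing colon, so "SPN" does not match "SPN Query Status".
function Get-EventField {
    param([string]$Message, [string]$Field)
    if ($Message -match "$([regex]::Escape($Field)):\s*(\S+)") { return $Matches[1] }
    return $null
}

# Collect the audit events and reduce them to one row per (client, event ID).
function Get-SmbClientCompatibilityReport {
    param([int]$Days = 30)
    $filter = @{
        LogName   = $AuditLog
        Id        = @($EventMeaning.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events |
        Group-Object { '{0}|{1}' -f (Get-EventField $_.Message 'Client name'), $_.Id } |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            $info   = $EventMeaning[[int]$latest.Id]
            [pscustomobject]@{
                Check             = $info.Check
                ClientName        = Get-EventField $latest.Message 'Client name'
                UserName          = Get-EventField $latest.Message 'User name'   # 3021 only
                SPN               = Get-EventField $latest.Message 'SPN'         # 3025 only
                EventId           = $latest.Id
                Finding           = $info.Finding
                NeedsVerification = -not $info.Certain
                Occurrences       = $_.Count
                LastSeen          = $latest.TimeCreated
            }
        } |
        Sort-Object Check, ClientName
}

Get-SmbAuditSetting | Format-List
Get-SmbClientCompatibilityReport | Format-Table -AutoSize
```

Leave auditing on long enough to cover the quietest clients (month-end jobs, backup agents) before treating an empty report as proof of compatibility; a client that never connected during the window produces no event at all.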