Support for Audit Events to deploy SMB Server Hardening—SMB Server Signing & SMB Server EPA

应用对象
Windows Server 2008 Premium Assurance Windows Server 2008 R2 Premium Assurance Windows 10 Windows 10, version 1607, all editions Win 10 Ent LTSC 2019 Win 10 IoT Ent LTSC 2019 Windows 10 IoT Core LTSC Windows 10 Enterprise LTSC 2021 Windows 10 IoT Enterprise LTSC 2021 Windows 10, version 22H2, all editions Windows 11 Home and Pro, version 21H2 Windows 11 Enterprise Multi-Session, version 21H2 Windows 11 Enterprise and Education, version 21H2 Windows 11 IoT Enterprise, version 21H2 Windows 11 Home and Pro, version 22H2 Windows 11 Enterprise Multi-Session, version 22H2 Windows 11 Enterprise and Education, version 22H2 Windows 11 IoT Enterprise, version 22H2 Windows 11 SE, version 23H2 Windows 11 Home and Pro, version 23H2 Windows 11 Enterprise and Education, version 23H2 Windows 11 Enterprise Multi-Session, version 23H2 Windows 11 SE, version 24H2 Windows 11 Enterprise and Education, version 24H2 Windows 11 Enterprise Multi-Session, version 24H2 Windows 11 Home and Pro, version 24H2 Windows 11 IoT Enterprise, version 24H2 Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 Windows Server 2019 Windows Server, version 23H2 Windows Server 2025

Note

Original publish date: September 9, 2025
KB ID: 5066913

Change log
Change date Change description
December 26, 2025
  • Corrected the registry value name from AuditClientSpnSupport to AuditClientDoesNotSupportSigning in the "Enabling Audit support for SMB Server signing" section.

Summary

The SMB Server already supports two mechanisms for hardening against relay attacks:

  • SMB Server signing
  • SMB Server Extended Protection for Authentication (EPA)

In some customer environments, enforcing either of these hardening mechanisms poses compatibility risks as some legacy systems and third-party implementations may not support SMB Server signing or SMB Server EPA.

As part of the Windows updates released on and after September 9, 2025 (CVE-2025-55234), support is enabled for auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA. This allows customers to assess their environment and identify any potential device or software incompatibility issues before deploying the hardening measures that are already supported by SMB Server.

Background

SMB Server might be susceptible to relay attacks depending on the configuration. To prevent this vulnerability, Microsoft released the following mitigations:

SMB Server EPA

SMB Server signing

Customers must either configure SMB Server to require SMB Server signing or enable SMB Server EPA to harden their systems against this class of attack.

SMB server with encryption enabled globally along with not allowing unencrypted access, is also protected against relay attacks. For more information, see SMB Security Enhancements.

Enabling Audit support for SMB Server signing

By default, auditing for SMB Server signing is disabled. This can be enabled for both SMBv1 server and SMB2/3 server through Group Policy or registry setting.

Group Policy

Policy location Computer Configuration\Administrative Templates\Network\Lanman Server
Policy name Audit client does not support signing
Policy states
  • Disabled – Disable Auditing
  • Enabled – Enable Auditing
  • Not Configured (default) – Follow registry configuration

Registry

Registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value AuditClientDoesNotSupportSigning
Type REG_DWORD
Data
  • 0 (default) – Disable Auditing
  • 1 – Enable Auditing

SMB Server signing Audit events

Event ID: 3021 (SMB2 / SMB3)
Event Log Microsoft-Windows-SMBServer/Audit
Event Type Warning
Event Source Microsoft-Windows-SMBServer
Event ID 3021
Event Text The SMB server observed that the client doesn't support signing.
Client name: <>
User name: <>
Server requires signing: <>
Event ID: 3027 (SMB1)
Event Log Microsoft-Windows-SMBServer/Audit
Event Type Warning
Event Source Microsoft-Windows-SMBServer
Event ID 3027
Event Text The SMBv1 server observed that the SMBv1 client does not have signing enabled.
Client name: <>
Server requires signing: <>

Guidance: This event indicates that the SMBv1 client may not support Enabling Audit Support for SMB signing, but due to protocol limitations, this cannot be determined with certainty. Further evaluation is recommended to verify the client's signing capabilities.

Before Windows Vista, SMBv1 clients that did not have signing explicitly enabled could not perform Enabling Audit Support for SMB signing.

This behavior was changed with the release of Windows Vista and was also backported to Windows XP and Windows Server 2003 through updates. With these changes, SMB clients may support signing even if it is not explicitly enabled, provided the server requires it.

Notes

  • Clients that correctly implement signing but do not advertise such support will result in false positives.
  • Clients that advertise support for signing but do not correctly implement support will result in false negatives.

Enabling Audit support for SMB Server EPA

By default, auditing for SMB Server EPA is disabled. This can be enabled for both SMBv1 server and SMB2/3 server through Group Policy or registry setting.

Group Policy

Policy location Computer Configuration\Administrative Templates\Network\Lanman Server
Policy name Audit SMB client SPN support
Policy states
  • Disabled – Disable Auditing
  • Enabled – Enable Auditing
  • Not Configured (default) – Follow registry configuration

Registry

Registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value AuditClientSpnSupport
Type REG_DWORD
Data
  • 0 (default) – Disable SPN Auditing
  • 1 – Enable SPN Auditing

SMB Server EPA Audit events

Event ID: 3024
Event Log Microsoft-Windows-SMBServer/Audit
Event Type Warning
Event Source Microsoft-Windows-SMBServer
Event ID 3024
Event Text The SMB server observed that the client did not send an SPN during authentication, indicating that the client does not support Extended Protection for Authentication (EPA) or that support for EPA is disabled.
Client name: <>
SPN Query Status: <>
Enable Extended Protection for Authentication Policy: <>
Event ID: 3025
Event Log Microsoft-Windows-SMBServer/Audit
Event Type Warning
Event Source Microsoft-Windows-SMBServer
Event ID 3025
Event Text The SMB server observed that the client sent an unrecognized SPN during authentication.
Client name: <>
SPN: <>
Enable Extended Protection for Authentication Policy: <>
Event ID: 3026
Event Log Microsoft-Windows-SMBServer/Audit
Event Type Warning
Event Source Microsoft-Windows-SMBServer
Event ID 3026
Event Text The SMB server observed that the client sent an empty SPN during authentication, which indicates the client is capable of sending an SPN but elected not to supply one.
Client name: <>
Enable Extended Protection for Authentication Policy: <>