SMB Signing Security Scanner Findings

Security Resources and Certifications

Audience
Public
Source Type
Documentation

Summary

Security scanners such as Tenable or Qualys may flag FlashArray or FlashBlade systems for SMB Signing Not Required.

Response

FlashArray and FlashBlade products set SMB signing to optional by default. This provides our customers with flexibility and optimized performance, balancing security needs with system efficiency based on their unique environments.

For customers seeking enhanced security, SMB signing can be enforced through Active Directory (AD) Policies. If a client requests signing, both FlashArray and FlashBlade will enforce signing of all requests. This allows customers flexibility to use their corporate policies in Active Directory to enforce signing within their environment for client devices. We encourage customers to review their security policies and enable client-side SMB signing where it aligns with their organization’s best practices.

FlashArray also supports enforcing SMB3 encryption for clients, which inherently includes signing as part of the encryption process. It is possible to enforce SMB signing on FlashArray, however, this will require a case with Everpure Technical Services.

FlashBlade Purity 4.3.x and later provide customers the ability to enforce SMB3 encryption, adding data confidentiality alongside message integrity.

Note: Some security scanners may continue to flag this issue even when SMB encryption is enabled for all clients. This can occur due to differences in how scanners detect protocol message signatures when signing or encryption is in use. In such cases, the result is considered a false positive, as SMB encryption inherently includes signing