<div data-wrapper="true" dir="ltr" style="font-size:9pt;font-family:'Segoe UI','Helvetica Neue',sans-serif;"><div style="direction:ltr"><div><br>Hi Jones,</div>
<div>I have finished my investigation on this. Windows will always sign the IOCTL <span style="-webkit-text-stroke-width:0px; background-color:#ffffff; color:#2a2a2a; display:inline !important; float:none; font-family:"Segoe UI",SegoeUI,"Helvetica Neue",Helvetica,Arial,sans-serif; font-size:14px; font-style:normal; font-variant-caps:normal; font-variant-ligatures:normal; font-weight:400; letter-spacing:normal; orphans:2; text-align:left; text-decoration-color:initial; text-decoration-style:initial; text-decoration-thickness:initial; text-indent:0px; text-transform:none; white-space:normal; widows:2; word-spacing:0px">FSCTL_QUERY_NETWORK_INTERFACE_INFO request.</span></div>
<div><span style="-webkit-text-stroke-width:0px; background-color:#ffffff; color:#2a2a2a; display:inline !important; float:none; font-family:"Segoe UI",SegoeUI,"Helvetica Neue",Helvetica,Arial,sans-serif; font-size:14px; font-style:normal; font-variant-caps:normal; font-variant-ligatures:normal; font-weight:400; letter-spacing:normal; orphans:2; text-align:left; text-decoration-color:initial; text-decoration-style:initial; text-decoration-thickness:initial; text-indent:0px; text-transform:none; white-space:normal; widows:2; word-spacing:0px">Another request that is always signed is tree connect.</span></div>
<div> </div>
<div><span style="-webkit-text-stroke-width:0px; background-color:#ffffff; color:#2a2a2a; display:inline !important; float:none; font-family:"Segoe UI",SegoeUI,"Helvetica Neue",Helvetica,Arial,sans-serif; font-size:14px; font-style:normal; font-variant-caps:normal; font-variant-ligatures:normal; font-weight:400; letter-spacing:normal; orphans:2; text-align:left; text-decoration-color:initial; text-decoration-style:initial; text-decoration-thickness:initial; text-indent:0px; text-transform:none; white-space:normal; widows:2; word-spacing:0px">I have filed a bug to fix this issue in the documentation.</span></div>
<div> </div>
<div><span style="-webkit-text-stroke-width:0px; background-color:#ffffff; color:#2a2a2a; display:inline !important; float:none; font-family:"Segoe UI",SegoeUI,"Helvetica Neue",Helvetica,Arial,sans-serif; font-size:14px; font-style:normal; font-variant-caps:normal; font-variant-ligatures:normal; font-weight:400; letter-spacing:normal; orphans:2; text-align:left; text-decoration-color:initial; text-decoration-style:initial; text-decoration-thickness:initial; text-indent:0px; text-transform:none; white-space:normal; widows:2; word-spacing:0px">Please let me know if this does not answer your question.</span></div>
<div> </div>
<div><span style="-webkit-text-stroke-width:0px; background-color:#ffffff; color:#2a2a2a; display:inline !important; float:none; font-family:"Segoe UI",SegoeUI,"Helvetica Neue",Helvetica,Arial,sans-serif; font-size:14px; font-style:normal; font-variant-caps:normal; font-variant-ligatures:normal; font-weight:400; letter-spacing:normal; orphans:2; text-align:left; text-decoration-color:initial; text-decoration-style:initial; text-decoration-thickness:initial; text-indent:0px; text-transform:none; white-space:normal; widows:2; word-spacing:0px">Regards,</span></div>
<div><span style="-webkit-text-stroke-width:0px; background-color:#ffffff; color:#2a2a2a; display:inline !important; float:none; font-family:"Segoe UI",SegoeUI,"Helvetica Neue",Helvetica,Arial,sans-serif; font-size:14px; font-style:normal; font-variant-caps:normal; font-variant-ligatures:normal; font-weight:400; letter-spacing:normal; orphans:2; text-align:left; text-decoration-color:initial; text-decoration-style:initial; text-decoration-thickness:initial; text-indent:0px; text-transform:none; white-space:normal; widows:2; word-spacing:0px">Obaid Farooqi</span></div>
<div><span style="-webkit-text-stroke-width:0px; background-color:#ffffff; color:#2a2a2a; display:inline !important; float:none; font-family:"Segoe UI",SegoeUI,"Helvetica Neue",Helvetica,Arial,sans-serif; font-size:14px; font-style:normal; font-variant-caps:normal; font-variant-ligatures:normal; font-weight:400; letter-spacing:normal; orphans:2; text-align:left; text-decoration-color:initial; text-decoration-style:initial; text-decoration-thickness:initial; text-indent:0px; text-transform:none; white-space:normal; widows:2; word-spacing:0px">Escalation Engineer | Microsoft</span></div>
<div id="newsignature" style="display:none"> </div>
<div dir="ltr" id="replyfwdmessage"><span style="font-family:Tahoma,Verdana,Arial; font-size:small">------------------- Original Message -------------------<br><strong>From:</strong> Kristian.Smith@microsoft.com;<br><strong>Received:</strong> Tue Jun 11 2024 18:55:59 GMT-0500 (Central Daylight Time)<br><strong>To:</strong> jonessyue@qnap.com; cifs-protocol@lists.samba.org;<br><strong>Cc:</strong> supportmail@microsoft.com;<br><strong>Subject:</strong> RE: [MS-SMB2] Selective Signing of ioctl FSCTL_... - TrackingID#2406060040007612</span><br><br><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr"><pre>Hi Jones,
I've been looking into the concerns that you outlined in your last email and it does appear that there is an inconsistency in the way the client signs most other requests. I was able to repro a trace where many SMB 3.x requests are unsigned (including FSCTL_DFS_GET_REFERRALS as you've shown). I am conducting some debugging to determine where these decisions are occurring in the code. Once I've come to a conclusion, I'll reach out with my findings.
Thanks for your patience.
Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Office phone: +1 425-421-4442
Email: kristian.smith@microsoft.com
-----Original Message-----
From: Jones Syue 薛懷宗
Sent: Friday, June 7, 2024 1:45 AM
To: Kristian Smith ; cifs-protocol@lists.samba.org
Cc: Microsoft Support
Subject: [EXTERNAL] Re: [MS-SMB2] Selective Signing of ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO requests - TrackingID#2406060040007612
> Thanks for digging in further and I can assure you that I appreciate
> the bluntness. Just to clarify, is your concern that 3.2.4.1.1 signing
> conditions do not cover all conditions where Windows signs the
> FSCTL_QUERY_NETWORK_INTERFACE_INFO request? If so, what condition is
> not covered?
> Or, is the concern that " Windows-based clients do not selectively
> sign requests" from behavior note 104 should be more specific to say "
> Windows-based clients do not selectively sign requests beyond what is
> described in this document"?
Thank you Kristian for kind feedback!
Let me take earilier thread with wireshark captures as an example, it is Windows-based env (ws2022 oprerates as server, ws2016 operates as client), through wireshark packet captures there are two ioctl requests with two CtlCode FSCTL_QUERY_NETWORK_INTERFACE_INFO and FSCTL_DFS_GET_REFERRALS, Windows-base client seems to be biased to sign the former one, and the latter one is not signed:
1. No. 35478 signature is none zeros, means Windows-based client signs
this Ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO request.
2. No. 35480 signature is all zeros, means Windows-based client does not
sign this Ioctl FSCTL_DFS_GET_REFERRALS request.
Per my test with different Windows-based clients, including ws2012/ws2012r2/ws2016/ws2019/ws2022, it looks like Windows-based clients always sign the Ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO request, this behavior looks good to me.
However my concern is this behavior is not explicitly mentioned in [MS-SMB2] so it is a not clear to me, and i am looking forward to having this behavior document in [MS-SMB2] :)
Consider the No. 35476, Windows-based client signs Tree Connect request, this behavior is explicitly documented in [MS-SMB2] so this looks clear to me[1][2], so i am expecting something like 'client MUST sign Ioctl FSCTL_QUERY_NETWORK_INTERFACE_INFO request' could be mentioned in [MS-SMB2] too.
No. |Time |Prot|Signature |Info
-----+----------+----+--------------------------------+----
35467 16:47:09.9 SMB Negotiate Protocol Request
35468 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
35469 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Request
35470 16:47:09.9 SMB2 00000000000000000000000000000000 Negotiate Protocol Response
35472 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_NEGOTIATE
35473 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
35474 16:47:09.9 SMB2 00000000000000000000000000000000 Session Setup Request, NTLMSSP_AUTH, User: \administrator
35475 16:47:09.9 SMB2 73182d37759c7741ae0caced9ef04185 Session Setup Response
35476 16:47:09.9 SMB2 ec1d8a66ebea6120e5f8c44be2ba0dc4 Tree Connect Request Tree: \\${MY_IP}\IPC$
35477 16:47:09.9 SMB2 ad4572986b7fae36168ea18c87bb8a9b Tree Connect Response
35478 16:47:09.9 SMB2 d31c1cb4e3ca5df3766faf76a3b6da8a Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO
35479 16:47:09.9 SMB2 790b171573367693323aa73ddf4de49f Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO
35480 16:47:09.9 SMB2 00000000000000000000000000000000 Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \${MY_IP}\ramdisk
35482 16:47:09.9 SMB2 00000000000000000000000000000000 Ioctl Response, Error: STATUS_FS_DRIVER_REQUIRED
[1] 3.2.4.1.1 Signing the Message
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-smb2%2F973630a8-8aa1-4398-89a8-13cf830f194d&data=05%7C02%7Csupportmail2%40microsoft.com%7C8b984430095e468bfcdd08dc8a7207f3%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638537469566848337%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=7n6N%2BYrIFrnf%2FA5zGk2sg7bY7TSR0EYXCNgGF3eCBII%3D&reserved=0
[2] 3.3.5.7 Receiving an SMB2 TREE_CONNECT Request
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-smb2%2F652e0c14-5014-4470-999d-b174d7b2da87&data=05%7C02%7Csupportmail2%40microsoft.com%7C8b984430095e468bfcdd08dc8a7207f3%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638537469566857101%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=ghuteoIoB4io%2BWzbcooIehb%2FeJY3YI1y0FhD6TyXt0Q%3D&reserved=0
If Connection.Dialect is "3.1.1" and Session.IsAnonymous and Session.IsGuest are set to FALSE and the request is not signed or not encrypted, then the server MUST disconnect the connection.
--
Regards,
Jones Syue | 薛懷宗
QNAP Systems, Inc.
</pre></div></div></div></div>