Enable SMB Signing in Group Policy Active Directory
SMB signing attaches a message authentication code to every SMB packet, so a man-in-the-middle (MITM) cannot tamper with, replay, or relay SMB traffic; in practice its biggest payoff in an Active Directory environment is defeating NTLM relay attacks against SMB. Forcing it across every computer and server does come with trade-offs you should weigh:

Performance Hit

SMB signing adds cryptographic overhead (every SMB packet must be signed and verified).

File transfers, logon scripts, and Group Policy processing can slow down, especially on older hardware or busy file servers.

High-latency WAN links feel the impact more.

Compatibility Issues

Older devices (legacy printers, NAS boxes, appliances) may not support SMB signing.

If you enforce "Digitally sign communications (always)" on your servers, those devices will fail to connect; enforcing it on the client side likewise breaks connections to any server that cannot sign. Audit what is on the network before you link the policy.

Increased CPU Usage

The server and client both use extra CPU cycles for signing traffic. On modern CPUs this is usually negligible, but on heavily loaded DCs or file servers it can matter.

Troubleshooting Complexity

Some third-party apps that use SMB might break if they don’t support signing.

Harder to quickly rule out SMB signing as a cause of “slow logons” or “file copy slowness.”

Not Encryption

Important to note: SMB signing does not encrypt traffic. It only authenticates each message and guarantees it was not altered in transit, so file contents and credentials-adjacent metadata can still be read in plaintext by anyone on the path unless SMB encryption (SMB 3.x) or IPsec is enabled.

Use NMAP to see if SMB Signing is enabled

nmap -p 139,445 --script smb2-security-mode <target IP>

The script reports one of "Message signing enabled and required" (enforced) or "Message signing enabled but not required" (the Windows default on most member servers and workstations). Run it against a file server, a workstation, and a domain controller to see where you stand before changing policy; for hosts that only speak SMB1, the older smb-security-mode script gives the equivalent answer.
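The one-host nmap check above scales poorly when you need to know which of a few hundred machines will break under "always". The following PowerShell is an added example, not code from the original post: it runs the same nmap script across a range, parses the XML report rather than scraping text, and buckets each host by whether it already requires signing. It assumes nmap is on PATH; the target range is a placeholder you replace with your own subnet.

```powershell
# Added example (not from the original post): sweep a range with the nmap
# script shown above and report which hosts still accept unsigned SMB.
# Assumes nmap.exe is on PATH. The default target range is a placeholder.
param(
    [string]$Targets = '192.168.1.0/24'   # assumption: replace with your subnet
)

# Classify the script's text output. nmap emits "enabled and required" for
# enforced hosts and "enabled but not required" for the usual default;
# anything else (signing disabled, no SMB2 answer, port filtered) lands in 'Other'
# so it is reviewed by hand rather than silently ignored.
function Get-SigningStateFromOutput([string]$Output) {
    switch -Regex ($Output) {
        'enabled and required'     { return 'Required' }
        'enabled but not required' { return 'NotRequired' }
        default                    { return 'Other' }
    }
}

# -oX - writes the XML report to stdout; parsing that is more reliable than
# regexing the human-readable output.
[xml]$scan = & nmap -p 445 --script smb2-security-mode -oX - $Targets

$results = foreach ($h in $scan.nmaprun.host) {
    $addr = ($h.address | Where-Object { $_.addrtype -eq 'ipv4' }).addr

    # smb2-security-mode is a host script, so it normally appears under
    # <hostscript>; the per-port <script> elements are checked as a fallback.
    $script = @($h.hostscript.script) + @($h.ports.port.script) |
        Where-Object { $_ -and $_.id -eq 'smb2-security-mode' } |
        Select-Object -First 1

    $output = [string]$script.output   # '' when the script produced nothing
    [pscustomobject]@{
        Host         = $addr
        SigningState = Get-SigningStateFromOutput $output
        Detail       = ($output -replace '\s+', ' ').Trim()
    }
}

# 'NotRequired' hosts are the ones a GPO will change; 'Other' hosts are the
# legacy/appliance candidates to investigate before you enforce anything.
$results | Sort-Object SigningState, Host | Format-Table -AutoSize
$results | Group-Object SigningState | Select-Object Name, Count
```

Run it once before linking the policy and once after `gpupdate` has propagated; the second run should move every Windows host into the Required bucket, and whatever stays in NotRequired or Other is the list of devices you need a plan for.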

Use Group Policy to enable SMB Signing for all Windows devices

<!-- Open Group Policy Management, create a new GPO, link it to a pilot OU first, then to the OUs holding your servers and workstations -->

Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options

Microsoft network client: Digitally sign communications (always): Enabled
Microsoft network client: Digitally sign communications (if server agrees): Enabled

Microsoft network server: Digitally sign communications (always): Enabled
Microsoft network server: Digitally sign communications (if client agrees): Enabled

<!-- Once the policy has applied (gpupdate /force on a test machine), run the NMAP command again - it should show -->

Message signing enabled and required
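The four policy settings above map to four registry values and four properties on the SMB client and server configuration of each machine. The PowerShell below is an added example, not code from the original post: it reads those settings on one Windows host, applies the same change locally for a pilot box, and verifies the result both on the host and on a live connection. It assumes an elevated PowerShell session on a domain-joined machine; the registry paths are the locations the "Digitally sign communications" security options write to.

```powershell
# Added example (not from the original post). Reads the same four settings the
# GPO toggles from a single Windows host, enforces them locally for a pilot
# machine, and verifies the result. Run in an elevated PowerShell session.
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SmbSigningState {
    $srv    = Get-SmbServerConfiguration
    $cli    = Get-SmbClientConfiguration
    $srvReg = Get-ItemProperty -Path $ServerKey
    $cliReg = Get-ItemProperty -Path $ClientKey
    [pscustomobject]@{
        # "Microsoft network server: Digitally sign communications (if client agrees)"
        ServerSigningEnabled  = $srv.EnableSecuritySignature
        # "Microsoft network server: Digitally sign communications (always)"
        ServerSigningRequired = $srv.RequireSecuritySignature
        # "Microsoft network client: Digitally sign communications (if server agrees)"
        ClientSigningEnabled  = $cli.EnableSecuritySignature
        # "Microsoft network client: Digitally sign communications (always)"
        ClientSigningRequired = $cli.RequireSecuritySignature
        # Signing is not encryption: this is a separate switch and stays off.
        ServerEncryptData     = $srv.EncryptData
        # Raw registry values the policy writes (1 = enabled, blank = never set)
        ServerRegRequire      = $srvReg.RequireSecuritySignature
        ClientRegRequire      = $cliReg.RequireSecuritySignature
    }
}

function Set-SmbSigningRequired {
    # Local equivalent of enabling all four policy settings. On a domain
    # member Group Policy overwrites these on the next refresh, which is the
    # point: pilot on a few machines, then link the GPO to the real OUs.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}

'Before:'; Get-SmbSigningState
Set-SmbSigningRequired
'After:';  Get-SmbSigningState

# On a client with an open session to a file server, the Signed column shows
# whether signing is actually in effect on that connection; Encrypted stays
# False unless SMB encryption has been turned on separately.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
```

After the GPO is linked, `gpupdate /force` on a test machine followed by `Get-SmbSigningState` should show all four signing properties True and both registry values 1; if the registry shows 1 but the cmdlet still reports False, the Server or Workstation service has not been restarted since the policy applied.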
