On September 9, 2025, Microsoft released details of CVE-2025-55234, a critical vulnerability in the Windows Server Message Block (SMB) protocol. With a CVSS v3 score of 8.8, it’s classified as High severity and poses a serious elevation-of-privilege (EoP) risk. An attacker exploiting this flaw could launch a relay attack, allowing them to gain the privileges of a legitimate user without elevated permissions or insider access.
As part of its response, Microsoft released a special patch that enables auditing via registry edits. These settings generate an audit trail of event IDs linked to SMB clients that fail to meet Microsoft’s hardening recommendations, specifically for SMB server signing and Extended Protection for Authentication (EPA).
Microsoft’s Response: Audit Tools + Hardening
Admins can enable auditing through Group Policy or registry settings to flag non-compliant SMB clients.
Signing Audit:
- GPO: Computer Configuration → Administrative Templates → Network → Lanman Server → Audit client does not support signing
- Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AuditClientSpnSupport = 1
EPA Audit:
- GPO: Computer Configuration → Administrative Templates → Network → Lanman Server → Audit SMB client SPN support
- Registry: Same key as above, with the value set to 1
Event IDs You’ll See:
| Audit Type | Event IDs | What It Means |
|---|---|---|
| SMB 2/3 Signing | 3021 | Client doesn’t support signing |
| SMB 1 Signing | 3027 | SMBv1 client doesn’t support signing |
| EPA | 3024 | No SPN sent |
| EPA | 3025 | Unrecognized SPN |
| EPA | 3026 | Empty SPN |
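To turn these audit events into a remediation list, the following added example (not Microsoft's or CalCom's code) groups exported events by client and by the control they would fail under enforcement. The CSV layout, its column names (`EventId`, `TimeCreated`, `ClientAddress`) and the sample rows are constructed assumptions; map them to whatever your event export actually contains.

```python
import csv
import io
from collections import Counter, defaultdict

# Event ID -> (control it audits, meaning), copied from the table above.
AUDIT_EVENTS = {
    3021: ("signing", "SMB 2/3 client doesn't support signing"),
    3027: ("signing", "SMBv1 client doesn't support signing"),
    3024: ("epa", "no SPN sent"),
    3025: ("epa", "unrecognized SPN"),
    3026: ("epa", "empty SPN"),
}

# Constructed sample export. The column names are assumptions for this
# example, not the real event schema; map them to your own export.
SAMPLE_CSV = """EventId,TimeCreated,ClientAddress
3021,2025-09-10T08:01:12,10.0.5.21
3021,2025-09-10T08:07:40,10.0.5.21
3027,2025-09-10T08:09:03,10.0.7.4
3024,2025-09-10T09:15:55,10.0.5.21
3026,2025-09-10T09:20:00,10.0.9.30
1006,2025-09-10T09:21:00,10.0.9.31
abc,2025-09-10T09:22:00,10.0.9.32
3025,2025-09-11T10:00:00,
"""

def summarize(csv_text):
    """Return {client: {"signing": Counter, "epa": Counter, "last_seen": str}}."""
    clients = defaultdict(lambda: {"signing": Counter(), "epa": Counter(), "last_seen": ""})
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw_id = (row.get("EventId") or "").strip()
        client = (row.get("ClientAddress") or "").strip()
        if not raw_id.isdigit() or int(raw_id) not in AUDIT_EVENTS or not client:
            continue  # unrelated event, malformed ID, or no client to act on
        control, _meaning = AUDIT_EVENTS[int(raw_id)]
        entry = clients[client]
        entry[control][int(raw_id)] += 1
        # ISO 8601 timestamps in one format compare correctly as strings.
        entry["last_seen"] = max(entry["last_seen"], (row.get("TimeCreated") or "").strip())
    return dict(clients)

def flagged_for(summary, control):
    """Sorted clients that logged at least one audit event for the control."""
    return sorted(c for c, e in summary.items() if e[control])

if __name__ == "__main__":
    summary = summarize(SAMPLE_CSV)
    for control in ("signing", "epa"):
        print(f"Clients to fix before enforcing {control}:")
        for client in flagged_for(summary, control):
            for event_id, count in sorted(summary[client][control].items()):
                print(f"  {client}  {event_id} x{count}  ({AUDIT_EVENTS[event_id][1]})")
```

The `last_seen` field helps separate clients that are still active from ones that appeared only once early in the audit window.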
Hardening Without Breaking Things
This Patch Tuesday marks a shift in Microsoft’s approach—encouraging IT teams to implement strict hardening measures, not just apply patches.
Enforcing “Digitally sign communications” is a recommended control, but implementation requires a clear understanding of how it impacts the server environment.
CalCom’s Learning Mode analyzes existing traffic, maps dependencies, and shows how enabling signing will affect client-server interactions.
While Microsoft’s new audit capabilities offer much-needed visibility, enforcing settings consistently at scale—across thousands of servers—requires automation. CalCom CHS delivers this, enabling secure SMB hardening without breaking critical services.
What to Do Next
- Apply Microsoft’s patch.
- Enable SMB audit logging via GPO or registry.
- Review Event IDs to identify non-compliant clients.
- Use tools like CalCom CHS to test and deploy hardening policies at scale — without risking downtime.