How to determine if a SMB Client has established a Signed SMB communication from my Windows Server 2012?

Question

Is there a way to find from my Windows 2012 Server if the client has established a signed communication ?

Net Session gives the basic details but does not say anything about signing.

C:\>net session \\a.b.c.d
User name       Administrator
Computer        a.b.c.d
Guest logon     No
Client type
Sess time       00:08:02
Idle time       00:07:50

Share name     Type     # Opens

--------------------------------------
test           Disk     0
The command completed successfully.

Is there any Powershell cmdlet or any administrative tool or command that would provide with such information ? Thanks in advance.

Edit 1: I also tried the following. Get-SmbConnection should be executed on the client to find the Servers to which the client has establish connections.

PS C:\Users\Administrator> Get-SmbConnection | Select-Object -Property *
ContinuouslyAvailable : False
Credential            : domain\administrator
Dialect               : 3.00
Encrypted             : False
NumOpens              : 3
ServerName            : server1
ShareName             : test
UserName              : SERVER1\Administrator
PSComputerName        :
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties

Answer 1

As of the time of this writing, the only way to really know this for sure is to watch the network connection as it's being negotiated through Wireshark or Network Monitor.

Right now, nothing exposes this data through an API, WMI class, etc.

The Get-SMBConnection Powershell cmdlet will get you this information in the future, but not today.

The cmdlet is simply a wrapper around the MSFT_SmbConnection WMI class.

Get-WmiObject -Namespace 'Root\Microsoft\Windows\SMB' MSFT_SmbConnection

Returns the exact same info. If you go read the MSDN documentation for that WMI class, you will see that the documentation lists a Signed property in addition to the Encrypted property that you see today.

class MSFT_SmbConnection
{
  string  ServerName;
  string  ShareName;
  string  UserName;
  uint32  SmbInstance;
  string  Credential;
  uint64  NumOpens;
  string  Dialect;
  boolean ContinuouslyAvailable;
  boolean Encrypted;
  boolean EnableLoadBalanceScaleOut;
  boolean Signed;  // ^_^ *trollface*
};

The documentation then goes on to say:

Signed

Data type: Boolean

Access type: Read-only

TBD. (To be determined)

Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8: This property is not supported before Windows Server Technical Preview and Windows 10 Technical Preview.

Windows 10 preview is when it first shows up. So there you have it.

Answer 2

For the benefit of Google, I was also struggling with discovering if my SMB Signing was actually working or not. I swear Get-SmbConnection wasn't returning 'Signed' property yesterday, but today when I run (on my Windows 10 1903 x64 machine PSVersion 5.1.18362.145):

PS C:\WINDOWS\system32> Get-SmbConnection | fl *
SmbInstance           : Default
ContinuouslyAvailable : False
Credential            : DOMAIN\user
Dialect               : 3.0.2
Encrypted             : False
NumOpens              : 1
Redirected            : False
ServerName            : server.domain
ShareName             : share
Signed                : False
UserName              : DOMAIN\user
PSComputerName        :
CimClass              : ROOT/Microsoft/Windows/SMB:MSFT_SmbConnection
CimInstanceProperties : {ContinuouslyAvailable, Credential, Dialect, Encrypted...}
CimSystemProperties   : Microsoft.Management.Infrastructure.CimSystemProperties

'Signed' is a property returned, and shows True or False.

However on my Server 2012 R2 PSVersion 5.1.14409.1018 currently does not. Colleague on Windows 10 1809 PSVersion 5.1.17763.592 also has it.