This article is primarily targeted at Czech state institutions and is based on recommendations of the Czech authority. However,...
Forcing SMB encryptionLukas Beran
SMB (Server Message Block), known also as CIFS (Common Internet File System) is network communication protocol for a communication between computer nodes. Primarily is used for a data transfers in a computer network. We know it as network drives (network shares or shared folders).
Current version of this protocol is 3.1.1 and has been introduced in Windows 10 and Windows Server 2016. Data transfer encryption using AES 128 CCM was introduced in version 3.0 (Windows 8 and Windows Server 2012) and in the latest version was this encryption upgraded to AES 128 GCM which is much faster on modern CPUs.
During establishing a connection between two nodes is selected the highest version supported by both computers. For the latest version 3.1.1 is required Windows 10 or Windows Server 2016 on both sides.
Determination of the protocol version
We can determine the protocol version in elevated PowerShell using
Protocol version is available in the Dialect column.
ServerName ShareName UserName Credential Dialect NumOpens
---------- --------- -------- ---------- ------- --------
server data LUKASB\lukas MicrosoftAccount\firstname.lastname@example.org 3.1.1 1
server share LUKASB\lukas MicrosoftAccount\email@example.com 3.1.1 1
SMB data encryption
Data transfers are not encrypt by default. If you want to activate SMB encryption, which is necessary for all transfers through Internet, we need to turn it on.
First possible way is of course PowerShell. For turning encryption on for all network shares, use
Set-SmbServerConfiguration –EncryptData $true
For encryption only on selected shares, use
Set-SmbShare –Name <sharename> -EncryptData $true
Second options is GUI. Open Server Manager, choose File and Storage Services – Shares and for selected shares right click the share and select Properties and switch to Settings where is available checkbox Encrypt Data Access.
Disabling SMB version 1
If you don’t need SMB version 1, it’s highly recommended to turn it off using
Set-SmbServerConfiguration –EnableSMB1Protocol $false