SMB security enhancements (2024)


Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Azure Stack HCI version 21H2, Windows 11, Windows 10

This article explains the SMB security enhancements in Windows Server and Windows.

SMB Encryption

SMB Encryption provides end-to-end encryption of SMB data and protects it from eavesdropping on untrusted networks. You can deploy SMB Encryption with minimal effort and without the specialized hardware or software that other approaches require: it has no dependency on Internet Protocol security (IPsec) or WAN accelerators. SMB Encryption can be configured per share, for the entire file server, or when mapping drives.

Note

SMB Encryption does not cover security at rest, which is typically handled by BitLocker Drive Encryption.

You can consider SMB Encryption for any scenario in which sensitive data needs to be protected from interception attacks. Possible scenarios include:

  • You move an information worker’s sensitive data by using the SMB protocol. SMB Encryption offers an end-to-end privacy and integrity assurance between the file server and the client. It provides this security regardless of the networks traversed, such as wide area network (WAN) connections maintained by non-Microsoft providers.
  • SMB 3.0 enables file servers to provide continuously available storage for server applications, such as SQL Server or Hyper-V. Enabling SMB Encryption provides an opportunity to protect that information from snooping attacks. SMB Encryption is simpler to use than the dedicated hardware solutions that are required for most storage area networks (SANs).

Windows Server 2022 and Windows 11 introduce AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows automatically negotiates this more advanced cipher method when connecting to another computer that supports it. You can also mandate this method through Group Policy. Windows still supports AES-128-GCM and AES-128-CCM. By default, AES-128-GCM is negotiated with SMB 3.1.1, bringing the best balance of security and performance.
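The following is an added example, not code from the original article, that restricts SMB 3.1.1 encryption to the AES-256 suites described above and verifies the result on both the server and the client side of a host. It assumes Windows Server 2022 / Windows 11 or later: the EncryptionCiphers parameter of Set-SmbServerConfiguration and Set-SmbClientConfiguration does not exist on earlier builds, so the script checks for it first instead of failing half-way.

```powershell
# Added example: mandate AES-256-GCM/AES-256-CCM for SMB 3.1.1 encryption.
# Assumes Windows Server 2022 / Windows 11 or later (EncryptionCiphers parameter).
#Requires -RunAsAdministrator

function Set-SmbAes256Only {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Preference-ordered list. GCM first: it is faster than CCM on AES-NI CPUs.
        [string[]]$Ciphers = @('AES_256_GCM', 'AES_256_CCM')
    )

    $serverCmd = Get-Command Set-SmbServerConfiguration -ErrorAction Stop
    $clientCmd = Get-Command Set-SmbClientConfiguration -ErrorAction Stop
    if (-not $serverCmd.Parameters.ContainsKey('EncryptionCiphers') -or
        -not $clientCmd.Parameters.ContainsKey('EncryptionCiphers')) {
        throw 'EncryptionCiphers is only available on Windows Server 2022 / Windows 11 and later.'
    }

    # The parameter takes one comma-separated string, in order of preference.
    $cipherList = $Ciphers -join ','
    if ($PSCmdlet.ShouldProcess('SMB server', "EncryptionCiphers = $cipherList")) {
        Set-SmbServerConfiguration -EncryptionCiphers $cipherList -Force
    }
    if ($PSCmdlet.ShouldProcess('SMB client', "EncryptionCiphers = $cipherList")) {
        Set-SmbClientConfiguration -EncryptionCiphers $cipherList -Force
    }

    # Read the settings back rather than trusting that the Set-* calls applied.
    [pscustomobject]@{
        ServerCiphers = (Get-SmbServerConfiguration).EncryptionCiphers
        ClientCiphers = (Get-SmbClientConfiguration).EncryptionCiphers
    }
}

Set-SmbAes256Only -WhatIf   # preview; drop -WhatIf to apply
```

Be aware of what this trades away: peers that only implement AES-128 (Windows Server 2019 and 2016, Windows 10) can no longer negotiate an encrypted session with a host configured this way, so apply it only where every encrypting peer is known to support AES-256.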

Windows Server 2022 and Windows 11 SMB Direct now support encryption. Previously, enabling SMB encryption disabled direct data placement, making RDMA performance as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. You can enable encryption using Windows Admin Center, Set-SmbServerConfiguration, or UNC Hardening group policy.

Furthermore, Windows Server failover clusters now support granular control of encrypting intra-node storage communications for Cluster Shared Volumes (CSV) and the storage bus layer (SBL). This support means that when using Storage Spaces Direct and SMB Direct, you can encrypt east-west communications within the cluster itself for higher security.

Important

Any end-to-end encryption carries a notable performance cost compared with unencrypted traffic.

Enable SMB Encryption

You can enable SMB Encryption for the entire file server or only for specific file shares. Use one of the following procedures to enable SMB Encryption.

Enable SMB Encryption with Windows Admin Center

  1. Download and install Windows Admin Center.
  2. Connect to the file server.
  3. Select Files & file sharing.
  4. Select the File shares tab.
  5. To require encryption on a share, select the share name and choose Enable SMB encryption.
  6. To require encryption on the server, select File server settings.
  7. Under SMB 3 encryption, select Required from all clients (others are rejected), and then choose Save.

Enable SMB Encryption with UNC Hardening

UNC Hardening lets you configure SMB clients to require encryption regardless of server encryption settings. This feature helps prevent interception attacks. To configure UNC Hardening, see MS15-011: Vulnerability in Group Policy could allow remote code execution. For more information on interception attack defenses, see How to Defend Users from Interception Attacks via SMB Client Defense.

Enable SMB Encryption with Windows PowerShell

  1. Sign in to the file server and open an elevated PowerShell session.

  2. To enable SMB Encryption for an individual file share, run the following command.

    Set-SmbShare -Name <sharename> -EncryptData $true
  3. To enable SMB Encryption for the entire file server, run the following command.

    Set-SmbServerConfiguration -EncryptData $true
  4. To create a new SMB file share with SMB Encryption enabled, run the following command.

    New-SmbShare -Name <sharename> -Path <pathname> -EncryptData $true
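The procedure above is per share or per server; what a practitioner usually wants is to enforce encryption across every share on a server and then prove nothing was missed. The following is an added example (not code from the original article) that does that with the same cmdlets. Only the built-in Special shares (C$, ADMIN$, IPC$) are skipped; no other share names are assumed.

```powershell
# Added example: require SMB Encryption on every non-special share (and optionally on
# the whole server), then report what is still unencrypted and whether the server would
# silently let pre-SMB3 clients through in the clear.
#Requires -RunAsAdministrator

function Get-UnencryptedSmbShare {
    # Special = the built-in administrative shares, which SMB treats separately.
    Get-SmbShare | Where-Object { -not $_.Special -and -not $_.EncryptData }
}

function Enable-SmbShareEncryption {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$WholeServer)

    foreach ($share in Get-UnencryptedSmbShare) {
        if ($PSCmdlet.ShouldProcess($share.Name, 'Require SMB Encryption')) {
            Set-SmbShare -Name $share.Name -EncryptData $true -Force
        }
    }
    if ($WholeServer -and $PSCmdlet.ShouldProcess('SMB server', 'EncryptData = $true')) {
        Set-SmbServerConfiguration -EncryptData $true -Force
    }

    $cfg = Get-SmbServerConfiguration
    if (-not $cfg.RejectUnencryptedAccess) {
        # Encryption "enabled" but not enforced: SMB 1.x/2.x clients still get plaintext.
        Write-Warning 'RejectUnencryptedAccess is $false: clients without SMB 3.x can still read encrypted shares unencrypted.'
    }
    [pscustomobject]@{
        ServerEncryptData       = $cfg.EncryptData
        RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
        StillUnencrypted        = @(Get-UnencryptedSmbShare).Name
    }
}

Enable-SmbShareEncryption -WholeServer -WhatIf   # preview; drop -WhatIf to apply
```

The RejectUnencryptedAccess check is the part worth keeping even if you enable shares by hand: the "Considerations" section below explains why that setting, not EncryptData alone, decides whether old clients are refused.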

Map drives with encryption

  1. To enable SMB Encryption when mapping a drive using PowerShell, run the following command.

    New-SMBMapping -LocalPath <drive letter> -RemotePath <UNC path> -RequirePrivacy $TRUE
  2. To enable SMB Encryption when mapping a drive using CMD, run the following command.

    NET USE <drive letter> <UNC path> /REQUIREPRIVACY
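Mapping with RequirePrivacy tells the client to refuse an unencrypted session, but nothing in the procedure above shows you that the session you got really is encrypted. The following is an added example (not code from the original article) that maps the drive and then checks the resulting connection's Dialect, Encrypted and Signed properties as reported by Get-SmbConnection, unmapping it if the check fails. The server name, share and drive letter (\\fs01\finance, X:) are placeholders.

```powershell
# Added example: map a drive with -RequirePrivacy and fail closed if the connection is
# not an encrypted SMB 3.x session. \\fs01\finance and X: are placeholders.

function Test-EncryptedMapping {
    param(
        [string]$LocalPath  = 'X:',
        [string]$RemotePath = '\\fs01\finance'
    )
    # -RequirePrivacy makes the client refuse the session unless the server agrees to
    # encrypt it, independent of the server's own EncryptData setting.
    New-SmbMapping -LocalPath $LocalPath -RemotePath $RemotePath -RequirePrivacy $true -ErrorAction Stop | Out-Null

    # '\\fs01\finance' -split '\\' -> '', '', 'fs01', 'finance'
    $parts  = $RemotePath -split '\\'
    $server = $parts[2]
    $share  = $parts[3]
    $conn = Get-SmbConnection -ServerName $server |
        Where-Object ShareName -eq $share |
        Select-Object -First 1

    # Dialect is a string such as '3.1.1' or '3.02'; compare as a version, not as text.
    $isSmb3    = $null -ne $conn -and ([version]$conn.Dialect -ge [version]'3.0')
    $encrypted = $null -ne $conn -and $conn.Encrypted
    if (-not ($isSmb3 -and $encrypted)) {
        # Do not leave a drive letter pointing at a session we cannot vouch for.
        Remove-SmbMapping -LocalPath $LocalPath -Force
        throw "Connection to $RemotePath is not an encrypted SMB 3.x session (dialect=$($conn.Dialect), encrypted=$($conn.Encrypted))."
    }

    [pscustomobject]@{
        RemotePath = $RemotePath
        Dialect    = $conn.Dialect
        Encrypted  = $conn.Encrypted
        Signed     = $conn.Signed
    }
}

Test-EncryptedMapping -LocalPath 'X:' -RemotePath '\\fs01\finance'
```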

Considerations for deploying SMB Encryption

By default, when SMB Encryption is enabled for a file share or server, only SMB 3.0, 3.02, and 3.1.1 clients are allowed to access the specified file shares. This limit enforces the administrator's intent of safeguarding the data for all clients that access the shares.

However, in some circumstances, an administrator might want to allow unencrypted access for clients that don't support SMB 3.x. This situation could occur during a transition period when mixed client operating system versions are being used. To allow unencrypted access for clients that don't support SMB 3.x, run the following command in Windows PowerShell:

Set-SmbServerConfiguration -RejectUnencryptedAccess $false

Note

We do not recommend allowing unencrypted access when you have deployed encryption. Update the clients to support encryption instead.

The preauthentication integrity capability described in the next section prevents an interception attack from downgrading a connection from SMB 3.1.1 to SMB 2.x (which would use unencrypted access). However, it doesn't prevent a downgrade to SMB 1.0, which would also result in unencrypted access.

To guarantee that SMB 3.1.1 clients always use SMB Encryption to access encrypted shares, you must disable the SMB 1.0 server. For instructions, connect to the server with Windows Admin Center and open the Files & File Sharing extension, and then select the File shares tab to be prompted to uninstall. For more information, see How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows.

If the -RejectUnencryptedAccess setting is left at its default setting of $true, only encryption-capable SMB 3.x clients are allowed to access the file shares (SMB 1.0 clients are also rejected).

Consider the following issues as you deploy SMB Encryption:

  • SMB Encryption uses the Advanced Encryption Standard (AES)-GCM and AES-CCM algorithms to encrypt and decrypt the data. Both are authenticated-encryption modes, so encrypted traffic also gets data integrity protection regardless of the SMB signing settings (AES-CMAC and AES-GMAC are the signing algorithms used when traffic is signed but not encrypted). If you want to enable SMB signing without encryption, you can continue to do so. For more information, see Configure SMB Signing with Confidence.
  • You might encounter issues when you attempt to access the file share or server if your organization uses wide area network (WAN) acceleration appliances.
  • With a default configuration (where there's no unencrypted access allowed to encrypted file shares), if clients that don't support SMB 3.x attempt to access an encrypted file share, Event ID 1003 is logged to the Microsoft-Windows-SmbServer/Operational event log, and the client receives an Access denied error message.
  • SMB Encryption and the Encrypting File System (EFS) in the NTFS file system are unrelated, and SMB Encryption doesn't require or depend on using EFS.
  • SMB Encryption and the BitLocker Drive Encryption are unrelated, and SMB Encryption doesn't require or depend on using BitLocker Drive Encryption.

Preauthentication integrity

SMB 3.1.1 uses preauthentication integrity to detect interception attacks that attempt to downgrade the protocol dialect or the capabilities that the client and server negotiate. Preauthentication integrity is a mandatory feature in SMB 3.1.1. It protects against any tampering with Negotiate and Session Setup messages by cryptographically hashing them (SHA-512). The resulting hash is used as input to derive the session's cryptographic keys, including its signing key, so a tampered exchange yields keys that don't match on the two sides. This process enables the client and server to mutually trust the connection and session properties. When the client or the server detects such an attack, the connection is disconnected, and event ID 1005 is logged in the Microsoft-Windows-SmbServer/Operational event log.

Because of this protection, and to take advantage of the full capabilities of SMB Encryption, we strongly recommend that you disable the SMB 1.0 server. For instructions, connect to the server with Windows Admin Center and open the Files & File Sharing extension, and then select the File shares tab to be prompted to uninstall. For more information, see How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows.
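The two event IDs this article names, 1003 (a client without SMB 3.x refused access to an encrypted share, from the "Considerations" section above) and 1005 (a preauthentication integrity failure, from this section), are the signals a file-server owner should actually watch. The following is an added example, not code from the original article, that pulls both from the Microsoft-Windows-SmbServer/Operational log and summarises them; the log name and IDs are the article's, the time window and grouping are mine.

```powershell
# Added example: surface SMB server events 1003 (unencrypted client rejected) and
# 1005 (preauthentication integrity failure) from the Operational log.

function Get-SmbSecurityEvent {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-SmbServer/Operational'
        Id        = 1003, 1005
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as zero events.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Kind    = if ($e.Id -eq 1003) { 'UnencryptedClientRejected' } else { 'PreauthIntegrityFailure' }
            Message = ($e.Message -split "`r?`n")[0]   # first line carries the summary
        }
    }
}

$events = Get-SmbSecurityEvent -Hours 168
$events | Group-Object Kind | Select-Object Name, Count

# 1003 is usually an inventory problem (an old client that needs upgrading). 1005 means
# something rewrote Negotiate/SessionSetup on the wire and deserves a look in any quantity.
$events | Where-Object Kind -eq 'PreauthIntegrityFailure' | Format-Table Time, Message -AutoSize
```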

New signing algorithm

SMB 3.0 and 3.02 use a more recent algorithm for signing: Advanced Encryption Standard (AES) cipher-based message authentication code (AES-CMAC). SMB 2.0 and 2.1 used the older HMAC-SHA256 message authentication code. AES-CMAC (signing) and AES-CCM (encryption) run significantly faster on most modern CPUs that have AES instruction support.

Windows Server 2022 and Windows 11 introduce AES-128-GMAC for SMB 3.1.1 signing. Windows automatically negotiates this better-performing signing algorithm when connecting to another computer that supports it. Windows still supports AES-128-CMAC. For more information, see Configure SMB Signing with Confidence.
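The algorithm is negotiated automatically; whether signing is required at all is a setting. The following is an added example (not code from the original article) that shows the server- and client-side signing settings in one view and optionally switches both to required. Only RequireSecuritySignature matters for SMB 2.x/3.x; EnableSecuritySignature is an SMB1-era flag that is shown here only so it is not mistaken for the enforcing one.

```powershell
# Added example: inspect and enforce SMB signing on this host.
#Requires -RunAsAdministrator

function Get-SmbSigningState {
    $s = Get-SmbServerConfiguration
    $c = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $s.RequireSecuritySignature
        ServerEnableFlag      = $s.EnableSecuritySignature   # no effect for SMB 2.x/3.x
        ClientRequiresSigning = $c.RequireSecuritySignature
        ClientEnableFlag      = $c.EnableSecuritySignature   # no effect for SMB 2.x/3.x
        Smb1ServerEnabled     = $s.EnableSMB1Protocol        # SMB1 signing is a separate, weaker scheme
    }
}

function Set-SmbSigningRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Server, [switch]$Client)
    if ($Server -and $PSCmdlet.ShouldProcess('SMB server', 'RequireSecuritySignature = $true')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    }
    if ($Client -and $PSCmdlet.ShouldProcess('SMB client', 'RequireSecuritySignature = $true')) {
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    }
    Get-SmbSigningState
}

Get-SmbSigningState
Set-SmbSigningRequired -Server -Client -WhatIf   # preview; drop -WhatIf to apply
```

Requiring signing on the server is what defeats NTLM relay to that server, because a relaying attacker never holds the session key needed to sign. The cost is that peers unable to sign (old NAS appliances, some printers and scanners) are refused, so inventory those before turning it on.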

Disabling SMB 1.0

SMB 1.0 isn't installed by default starting in Windows Server version 1709 and Windows 10 version 1709. For instructions on removing SMB1, connect to the server with Windows Admin Center, open the Files & File Sharing extension, and then select the File shares tab to be prompted to uninstall. For more information, see How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows.

If it's still installed, you should disable SMB1 immediately. For more information on detecting and disabling SMB 1.0 usage, see Stop using SMB1. For a clearinghouse of software that previously or currently requires SMB 1.0, see SMB1 Product Clearinghouse.
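The following is an added example (not code from the original article) that finds out whether SMB1 is present and in use on this host, turns on SMB1 access auditing so real SMB1 clients show up before they are cut off, and then disables and removes the SMB1 server. The cmdlets and feature names (FS-SMB1 on Windows Server, SMB1Protocol on client SKUs, AuditSmb1Access with event 3000 in the Microsoft-Windows-SMBServer/Audit log) are the ones documented for SMBv1 detection and removal; the audit-then-remove flow is my suggestion.

```powershell
# Added example: detect, audit and remove SMB1 on the local host.
#Requires -RunAsAdministrator

function Get-Smb1State {
    $cfg = Get-SmbServerConfiguration
    # Get-WindowsFeature exists only on Windows Server; client SKUs use the optional-feature cmdlets.
    $featureState = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        (Get-WindowsFeature -Name FS-SMB1).InstallState
    } else {
        (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }
    [pscustomobject]@{
        Smb1FeatureState  = $featureState
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1AuditEnabled  = $cfg.AuditSmb1Access
    }
}

function Get-Smb1Client {
    param([int]$Days = 14)
    # With AuditSmb1Access on, each SMB1 connection logs event 3000 in the SMBServer/Audit log.
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Message -split "`r?`n")[0] } |
        Sort-Object -Unique
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable and remove SMB1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
            Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
        } else {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
}

# Typical flow: look, audit for a couple of weeks, review who still speaks SMB1, then remove.
Get-Smb1State
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-Smb1Client -Days 14
Disable-Smb1Server -WhatIf   # preview; drop -WhatIf to apply
```

The audit step is the part that keeps this safe in production: removing SMB1 with no picture of who uses it is how a forgotten multifunction printer or backup appliance stops working on a Monday morning.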

  • Overview of file sharing using the SMB 3 protocol in Windows Server
  • Windows Server Storage documentation
  • Scale-Out File Server for application data overview