Configure SMB Security in Windows Server 2012

How do I configure SMB Security in Windows Server 2012?

Windows Server 2012 (and Windows 8) introduce a new version of the Server Message Block (SMB) protocol for transferring files across a network. One of the most interesting new features is the ability to encrypt files over the wire between two supported clients. SMB 2.1 in Windows Server 2008 R2 (and Windows 7) was able to sign SMB packets to prevent spoofing, but not encrypt the actual data. Prior to Windows Server 2012, the only way to encrypt file data in transit was to configure IPsec. SMB 3.0 encryption can be enabled, either per share or file server, without any special planning.

Disable SMB 1.o

Microsoft recommends that unless you have clients running Windows XP or earlier, you should disable SMB 1.0. Do this in a preproduction lab environment before rolling out the change to your production systems. However, there are still certain scenarios where SMB 1.0 is still required, such as when the computer browser service is enabled in Vista (or later).

Windows Server 2012 has a new PowerShell command that makes it easy to get the configuration status of SMB protocols on the server, and optionally enable or disable SMB protocol support.

To get the current SMB protocol status on Windows Server 2012: Logon to the server as a local administrator, open a PowerShell prompt from the Start screen or icon on the desktop Taskbar, and run the following command:

Sponsored Content

What is “Inside Microsoft Teams”?

“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

Check SMB protocol configuration in Windows Server 2012

Note that there’s no separate command to enable or disable SMB 3.0, as it cannot operate independently of SMB 2.1.

Now, run the following command to disable SMB 1.0 and confirm the action when prompted:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

After that, run the first command again. You should see that SMB 1 has been successfully disabled.

Enable SMB 3.0 Encryption

You can enable encryption per file share or for the entire server. SMB 3.0 uses the AES-CCM algorithm for both encryption and signing. Using the same PowerShell cmdlet as above, run the following command to enable SMB 3.0 Encryption for all file shares:

Set-SmbServerConfiguration –EncryptData $true

To enable encryption for a specific file share, run the following PowerShell command, replacing <sharename> with name of the file share for which you want to enable encryption:

Set-SmbShare –Name <sharename> -EncryptData $true

When enabled, SMB 3.0 encryption will encrypt file data between devices that support SMB 3.0. Clients that don’t support SMB 3.0 will not be able to connect to the file server or share where encryption is turned on. While not recommended, this behavior can be changed by running the Set-SmbServerConfiguration –RejectUnencryptedAccess $false PowerShell command.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (1)

One response to “Configure SMB Security in Windows Server 2012”

  1. Thanks a bunch stumped on this issue and trying to modify the registery settings. Your article showed the proper way to get this going.
    Keep up the good work

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: