Currently I run a Windows Server 2016 (build 14393.2125) and Windows 10 1709 (build 16299.334) environment. I don't run any other versions of Windows.
Recently I enabled SMB v3 encryption server-wide for all my file servers with the following commands:
Set-SmbServerConfiguration -EncryptData $true
Set-SmbServerConfiguration -RejectUnencryptedAccess $true
None of my machines/servers have SMB1 installed and it is also disabled as follows:
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
I have a few questions regarding encryption and digitally signing SMB after doing the above:
1) If I run:
Get-SmbConnection | select *
it shows:
SmbInstance : Default
ContinuouslyAvailable : False
Credential : domain\user
Dialect : 3.1.1
Encrypted : True
NumOpens : 1
Redirected : False
ServerName : SERVERNAME
ShareName : Share
Signed : False
UserName : domain\user
Why does it show "Signed" as false? How do I get all my SMB connections to be digitally signed? I've already set the registry key of RequireSecuritySignature to 1 for LanManServer and LanManWorkstation via GPO (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters). Does anything further need to be done? If I am using SMB3 encryption does this mean all connections (by default) are digitally signed?
If I run Get-SmbClientConfiguration or Get-SmbServerConfiguration it shows RequireSecuritySignature as True.
2) Since all my clients/servers support SMB 3.1.1 I would like to use AES-128-GCM as I have read that it has better performance than AES-128-CCM. After running a Wireshark capture I can see that SMB3 connections are using AES-128-CCM. How can I change this so that it uses AES-128-GCM only?
Thanks!
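
An added example, not part of the original post: a PowerShell check that compares the settings named above with the values the post says were configured, then lists what each current connection actually negotiated. The function name Test-SmbHardening and the Scope/Item/Actual/Expected/Ok columns are hypothetical; it assumes an elevated session on a machine with the built-in SMB cmdlets.

```powershell
# Added example (not from the original post). Expected values are the ones
# the post says were configured; Test-SmbHardening is a hypothetical name.
function Test-SmbHardening {
    [CmdletBinding()]
    param()

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Server setting name -> value the post says was set.
    $expected = [ordered]@{
        EncryptData              = $true
        RejectUnencryptedAccess  = $true
        EnableSMB1Protocol       = $false
        RequireSecuritySignature = $true
    }

    foreach ($name in $expected.Keys) {
        [pscustomobject]@{
            Scope    = 'Server'
            Item     = $name
            Actual   = $server.$name
            Expected = $expected[$name]
            Ok       = ($server.$name -eq $expected[$name])
        }
    }

    [pscustomobject]@{
        Scope    = 'Client'
        Item     = 'RequireSecuritySignature'
        Actual   = $client.RequireSecuritySignature
        Expected = $true
        Ok       = ($client.RequireSecuritySignature -eq $true)
    }

    # Outbound connections from this machine. With RejectUnencryptedAccess set
    # on the file servers, each one should be SMB 3.x with Encrypted = True.
    # Signed is reported as-is so it can be read next to Encrypted.
    foreach ($c in Get-SmbConnection) {
        [pscustomobject]@{
            Scope    = 'Connection'
            Item     = "\\$($c.ServerName)\$($c.ShareName)"
            Actual   = "Dialect=$($c.Dialect) Encrypted=$($c.Encrypted) Signed=$($c.Signed)"
            Expected = 'Dialect 3.x, Encrypted=True'
            Ok       = ($c.Encrypted -and ($c.Dialect -like '3.*'))
        }
    }
}

Test-SmbHardening | Format-Table -AutoSize
```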