Petri Newsletter Sign-up
Tech Tuesday

Subscribe to Tech Tuesday, the latest insights from for IT Pros.

    See All Petri Newsletters

    Configure SMB Security in Windows Server 2012

    Posted on by Russell Smith in Security with 1 Comment

    How do I configure SMB Security in Windows Server 2012?

    Windows Server 2012 (and Windows 8) introduce a new version of the Server Message Block (SMB) protocol for transferring files across a network. One of the most interesting new features is the ability to encrypt files over the wire between two supported clients. SMB 2.1 in Windows Server 2008 R2 (and Windows 7) was able to sign SMB packets to prevent spoofing, but not encrypt the actual data. Prior to Windows Server 2012, the only way to encrypt file data in transit was to configure IPsec. SMB 3.0 encryption can be enabled, either per share or file server, without any special planning.

    Disable SMB 1.o

    Microsoft recommends that unless you have clients running Windows XP or earlier, you should disable SMB 1.0. Do this in a preproduction lab environment before rolling out the change to your production systems. However, there are still certain scenarios where SMB 1.0 is still required, such as when the computer browser service is enabled in Vista (or later).

    Windows Server 2012 has a new PowerShell command that makes it easy to get the configuration status of SMB protocols on the server, and optionally enable or disable SMB protocol support.

    To get the current SMB protocol status on Windows Server 2012: Logon to the server as a local administrator, open a PowerShell prompt from the Start screen or icon on the desktop Taskbar, and run the following command:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

    Check SMB protocol configuration in Windows Server 2012

    Note that there’s no separate command to enable or disable SMB 3.0, as it cannot operate independently of SMB 2.1.

    Now, run the following command to disable SMB 1.0 and confirm the action when prompted:

    Set-SmbServerConfiguration -EnableSMB1Protocol $false

    After that, run the first command again. You should see that SMB 1 has been successfully disabled.

    Enable SMB 3.0 Encryption

    You can enable encryption per file share or for the entire server. SMB 3.0 uses the AES-CCM algorithm for both encryption and signing. Using the same PowerShell cmdlet as above, run the following command to enable SMB 3.0 Encryption for all file shares:

    Set-SmbServerConfiguration –EncryptData $true

    To enable encryption for a specific file share, run the following PowerShell command, replacing <sharename> with name of the file share for which you want to enable encryption:

    Set-SmbShare –Name <sharename> -EncryptData $true

    When enabled, SMB 3.0 encryption will encrypt file data between devices that support SMB 3.0. Clients that don’t support SMB 3.0 will not be able to connect to the file server or share where encryption is turned on. While not recommended, this behavior can be changed by running the Set-SmbServerConfiguration –RejectUnencryptedAccess $false PowerShell command.


    Don't have a login but want to join the conversation? Sign up for a Petri Account


    Register for this Petri Webinar!

    Want to Make Your Backup Storage Unlimited & Ready for the Cloud? – Free Thurrott Premium Account with Webinar Registration!

    Tuesday, August 27, 2019 @ 1:00 pm EDT

    A Scale-Out Backup storage infrastructure is a must-have technology for your backups. In this webinar, join expert Rick Vanover for a look on what real-world problems are solved by the Scale-Out Backup Repository.

    Register Now

    Sponsored By