SMB 3.0 encryption - client require
I have a NAS configured with max SMB protocol 3.0, and can select encryption mode Auto/Force. I have verified that my Windows 8.1 client uses SMB encryption when mode is Force, and no encryption when mode is Auto. Now I would like to select mode Auto and still force the Windows 8.1 client to enable (require) encryption, because other clients don't support encryption and can't connect when the NAS mode is Force. The clients are in a workgroup, not a domain. Is there a registry/setting for the Windows 8.1 client that will force it to use SMB 3.0 encryption when available from the server, even though the server doesn't require it?
June 20th, 2015 6:23am

Hi

Here is a blog article about using PowerShell to configure encryption in SMB3

Encryption configuration is offered at two levels; global (session) and share. Global level encryption is for all the shares that are accessed under an encrypted session. On the other hand, it is possible to enable encryption at a share level and encryption will be enforced when the encrypted share is accessed, even when the session is not encrypted.

To configure global level encryption, set the following parameter using PowerShell cmdlets that are specifically written for this new version of SMB.

http://blogs.msdn.com/b/openspecification/archive/2012/06/08/encryption-in-smb3.aspx

For group policy, we have 3 relevant policies for the SMB client/server:

Digitally sign communications (always)

Digitally sign communications (if server agrees)

Send unencrypted password to third-party SMB servers

Windows operating systems include both a server SMB component and a client SMB component, and these are configured separately. Thus a computer can be configured to require packet signing when acting as an SMB server but not when acting as an SMB client.

Navigate in the left pane's tree to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.

If you prefer to make changes via the registry, in your registry editor navigate to the following keys:

For the SMB client:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters

For the SMB server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

Regards,

D. Wu

June 24th, 2015 9:35pm

Windows operating systems include both a server SMB component and a client SMB component, and these are configured separately. Thus a computer can be configured to require packet signing when acting as an SMB server but not when acting as an SMB client.

Thanks for the reply (didn't get notified and forgot about it). That's what I thought, it is not possible. I have since upgraded to a Windows 10 client, and will guess Microsoft has not changed anything regarding this. Is there a flaw in the SMB protocol that encryption can only be used when all clients support it? I don't understand why the server has the apparently useless 'Auto' encryption mode, since as you say only the server can turn this on (i.e. 'Force'). That said, the server in question is not running a Windows OS; maybe the other OS has a better SMB implementation than Microsoft's, where a client indeed can enable encrypted communications when for the server it is optional.

August 6th, 2015 9:43am
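The following is an added example, not code from the thread or from the linked blog: it shows the SmbShare-module cmdlets (available since Windows 8 / Server 2012) that implement the global versus share-level encryption D. Wu describes on the server side, and how a client can check whether a given connection actually negotiated encryption. The share name 'Data' is an assumed placeholder. The last stanza probes for a client-side RequireEncryption setting, which Microsoft added only in much later builds (Windows 11 24H2 / Windows Server 2025); on Windows 8.1 and Windows 10 the probe falls through to the warning, matching the conclusion reached in the thread.

```powershell
# Added example (not from the thread): inspecting and configuring SMB 3 encryption
# with the built-in SmbShare module cmdlets. Run in an elevated PowerShell session.
# 'Data' is an assumed share name; replace it with your own.

#--- Server side (Windows acting as SMB server) ------------------------------

# Current global (session-level) encryption state.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol

# "Force"-style behaviour: encrypt every session and refuse clients that cannot.
# Requires SMB 3.0+ on every client; older clients will fail to connect.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# "Auto"-style compromise: leave the global setting off and require encryption
# only on the share holding sensitive data. Other shares stay reachable for
# clients without SMB 3 encryption support, but that share is encryption-only.
Set-SmbServerConfiguration -EncryptData $false -Force
Set-SmbShare -Name 'Data' -EncryptData $true -Force
Get-SmbShare | Select-Object Name, EncryptData

#--- Client side (Windows acting as SMB client) -------------------------------

# Verify, per open connection, which dialect was negotiated and whether the
# session is encrypted and/or signed. On Windows 8.1 the 'Encrypted' value is
# decided by the server's (or share's) setting, not by the client.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Encrypted, Signed

# Signing, unlike encryption, CAN be required from the client side. This maps to
# the "Digitally sign communications (always)" policy, i.e. RequireSecuritySignature
# under HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# Much newer clients (Windows 11 24H2 / Windows Server 2025) add a client-side
# RequireEncryption switch. Probe for the parameter instead of assuming it exists;
# on Windows 8.1 / Windows 10 this branch is not taken.
$clientCmd = Get-Command Set-SmbClientConfiguration
if ($clientCmd.Parameters.ContainsKey('RequireEncryption')) {
    Set-SmbClientConfiguration -RequireEncryption $true -Force
    Get-SmbClientConfiguration | Select-Object RequireEncryption
} else {
    Write-Warning 'This client build cannot require SMB encryption; only the server (or share) setting enforces it.'
}
```

Share-level EncryptData is the closest equivalent to what the question asks for on a mixed-client network: it keeps the NAS-style 'Auto' behaviour for legacy clients while guaranteeing that the sensitive share is never served in the clear, and Get-SmbConnection's Encrypted column is the check to run from the Windows client to confirm it.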
