Since Windows Server 2012 and Windows 8, we have version 3.0 of the SMB protocol. This version includes several SMB security enhancements, one of which is encryption. Implementation of this enhancement enables us to encrypt data transferred over the network between the SMB file server and the client. In this post, I want to show you how to enable SMB encryption for the entire file server or only for specific file shares using PowerShell.
Important: If a client that does not support SMB 3.0 tries to access an encrypted shared repository, the event will be logged on the file server with ID: 1003 and the client receives an access denied error message.
PowerShell Workaround #
First, we must check the current configuration of the SMB server by executing the following command.
And then we must check the protocol version used by the clients that connect to the file server. To obtain the version of the SMB protocol used by the clients. You should use the Get-SmbConnection cmdlet with the following syntax.
If you want to force encryption of all SMB sessions on a file server, you must use Set-SmbServerConfiguration with the following syntax.
Set-SmbServerConfiguration ` -EncryptData $true
If instead, you only want to enable SMB encryption on a specific file share, you must use the Set-SmbShare cmdlet with the following syntax.
Set-SmbShare ` -Name MyShared ` -EncryptData $true Get-SmbShare ` -Name MyShared ` | Format-List -Property *
You can also enable SMB encryption when you define the share instead. To do this, you should use the New-SmbShare with the following syntax.
New-SmbShare ` -Name MyShared ` -Path c:\Shared ` -EncryptData $true Get-SmbShare ` -Name MyShared ` | Format-List -Property *
Once encryption is enabled, another SMB server configuration option that you should consider is to prevent clients that do not support SMB encryption from connecting to encrypted shares. To do this, use the following command.
Set-SmbServerConfiguration ` -RejectUnencryptedAccess $true
However, in some circumstances, you may need to allow unencrypted access to clients that do not support SMB 3.0. To do this, use the following command.
Set-SmbServerConfiguration ` -RejectUnencryptedAccess $false
Thanks for reading my post. I hope you find it useful.
If you want to know more about SMB security enhancements, check out this link.