A little something about everything

internet marketing and website development made simple..

Remote Network Shares: How to Secure SMB file access on windows server

First thing that should be done on any windows server is to disable SMBv1, its one of the most exploited ways an attacker is able to gain information from your network and access data.

Open Powershell,

To check the current status:

Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

Disable SMB v1

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Now lets check the group policy for SMB signing, open local group policy editor

gpedit.msc

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Now look for "Microsoft Network Server" and verify that the following is true.

  • Idle time: < 30 Minutes.
  • Digitally Sign communications (always): Enabled

Verify SMB Encryption is enabled

Open Server Manager > File and Storage Services > Shares

Right click a share > click properties > settings and verify that "Encrypt data access" is checked. or force it for all shares on the server by using this command:

Set-SmbServerConfiguration –EncryptData $true

If you still want older clients that use SMB2 for example to access the files you will need to make an exception for them. (note, this would allow man in the middle attacks).

From windows powershell

Set-SmbServerConfiguration –RejectUnencryptedAccess $false

to revert to only accept SMB3.x+ connections 

Set-SmbServerConfiguration –RejectUnencryptedAccess $true


Add comment

Loading