First thing that should be done on any windows server is to disable SMBv1, its one of the most exploited ways an attacker is able to gain information from your network and access data.
Open Powershell,
To check the current status:
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
Disable SMB v1
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Now lets check the group policy for SMB signing, open local group policy editor
gpedit.msc
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
Now look for "Microsoft Network Server" and verify that the following is true.
- Idle time: < 30 Minutes.
- Digitally Sign communications (always): Enabled
Verify SMB Encryption is enabled
Open Server Manager > File and Storage Services > Shares
Right click a share > click properties > settings and verify that "Encrypt data access" is checked. or force it for all shares on the server by using this command:
Set-SmbServerConfiguration –EncryptData $true
If you still want older clients that use SMB2 for example to access the files you will need to make an exception for them. (note, this would allow man in the middle attacks).
From windows powershell
Set-SmbServerConfiguration –RejectUnencryptedAccess $false
to revert to only accept SMB3.x+ connections
Set-SmbServerConfiguration –RejectUnencryptedAccess $true