SMB client encryption mandate now supported in Windows Insider

Heya folks, Ned here again. Beginning in Windows 11 Insider Preview Build 25982  (Canary Channel) and Windows Server Preview Build 25997, now supports requiring of all outbound client connections. With this new option, administrators can mandate that all destination servers support 3.x and encryption, and if missing those capabilities, the client won't connect. This enforces the highest level of network security as well as bringing management parity to SMB signing, which allows both client and server requirements.

Update April 3, 2024: official documentation now available at Configure the SMB client to require encryption in Windows (preview) | Microsoft Learn

SMB encryption

SMB Encryption supplies SMB data end-to-end protection from interception attacks and snooping. It first shipped in SMB 3.0 on Windows 8 and 2012. Windows 10 and Windows added -GCM support for better hardware-accelerated encryption, then Windows 11 and Windows introduced -256-GCM cryptographic suites. Today you can configure SMB encryption on a per share basis, for the entire file server, when mapping drives, or when using UNC Hardening.

SMB client encryption mandate

You can now also configure the SMB client to always require encryption, no matter what the server, share, UNC hardening, or a mapped drive requires. This means an administrator can globally force a Windows machine to use SMB encryption – and therefore SMB 3.x – on all connections and refuse to connect if the SMB server does not support either.

Configuring SMB encryption mandate

You can configure this new option with both and PowerShell.

Group Policy

To configure SMB client for required encryption to all SMB servers (i.e., for outbound connections), enable the group policy under:

Computer Configuration Administrative Templates Network Lanman Workstation  Require encryption

Group Policy editor UIGroup Policy editor UI

Setting the policy to disabled or not configured removes the encryption requirement.

Important: use care when deploying SMB encryption through group policy to a heterogenous fleet. Any legacy SMB servers such as Windows Server 2008 R2 won't support SMB 3.0. Older third-party SMB servers might support SMB 3.0 but not encryption.

PowerShell

To configure the SMB client for required encryption to all SMB servers (i.e., for outbound connections), set the following PowerShell parameter:

Set-SmbClientConfiguration -RequireEncryption $true

To see the effective setting on a machine:

Get-SmbClientConfiguration | FL RequireEncryption

Final notes

SMB encryption has performance overhead and compatibility overhead, and you should balance that against SMB signing – which has better performance and tamper protection but no snooping protection – or against no use of encryption or signing at all, which has best performance but no security besides the connection authorization and pre-auth integrity protection. SMB encryption supersedes SMB signing and supplies the same level of tamper protection, meaning that if your SMC client requires signing, SMB encryption turns it off; there is no point requiring both because encryption wins.

This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:

For more information on securing SMB on Windows in-market, check out:

Until next time,

 – Ned Pyle

 

This article was originally published by Storage at Microsoft. You can find the original article here.