Forcing Windows 8.1 to use SMB3 only?


First I would like to apologize, because the answer was, unknown to me at the time, incomplete. I'm now going to be much clearer and correct.

I tested this myself (using 7 and 10) and it works well; there should be no reason why it would not work with Windows 8.1. I got it from this page on Microsoft's Technet Documentary. Unfortunately, this does not prevent connecting to SMBv2 file shares, but does block SMBv2 connections. This offers key distinctions for SMB3 security.

By default, when SMB Encryption is enabled for a file share or server, only SMB 3.0 clients are allowed to access the specified file shares. This enforces the administrator’s intent of safeguarding the data for all clients that access the shares.

....

If the –RejectUnencryptedAccess setting is left at its default setting of $true, only encryption-capable SMB 3.0 clients are allowed to access the file shares (SMB 1.0 clients will also be rejected).

This passage infers that SMB Encryption must be enabled for the particular server share in order to reject it; in other words, it will not reject unless it is encrypted. You need to encrypt your shares by using the following commands in an elevated PowerShell. (You may also replace $true with $false if you don't want it to reject for that share for no encryption when you have rejection enabled.)

To set a particular share as encrypted:

Set-SmbShare -Name <sharename> -EncryptData $true

To set all shares as encrypted (this is the one you probably want; this will be the default setting and will override specific share settings):

Set-SmbServerConfiguration -EncryptData $true

This can also be done by modifying the EncryptData key in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, by setting the DWORD value from 0 (false) to 1 (true). You must then restart your computer for settings to take effect (you probably could restart some services instead).

To create a share and make it encrypted:

New-SmbShare -Name <sharename> -Path <pathname> -EncryptData $true

The document describes that when RejectUnencryptedAccess is enabled, SMBv1 will be unable to connect because it will only accept SMBv3 connections, therefore also restricting incoming SMBv2 connections.

Therefore, all of these commands would be all for naught if we do not have RejectUnencryptedAccess enabled by setting its value to $true, if not already (it is enabled by default), by using the command:

Set-SmbServerConfiguration -RejectUnencryptedAccess $true

This can also be done by modifying the RejectUnencryptedAccess key in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, by setting the DWORD value from 0 (false) to 1 (true). You must then restart your computer for settings to take effect (you probably could restart some services instead).

Also for reference:

The technical reason why SMBv2 is rejected is not because it is Unencrypted but because it uses a less efficient and less secure ciphering algorithm. SMBv3 uses AES (Advanced Encryption Standard (which was released 1998)) while SMBv2 uses HMAC-Sha256 (Security Hash Algorithm (which was released in 2001 by the NSA)). [I did try to block incoming HMAC-Sha256 and when I tried blocking it did nothing because it is not considered a "Weak" algorithm by Windows, therefore can't be disabled like Sha1 algorithms can be]

Disable SMBv1 with this command (because it is redundant when RejectUnencryptedAccess is enabled & all shares are encrypted, and you want to disable it anyways):

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Enable SMBv2 & SMBv3 together (SMBv2 connections are blocked when RejectUnencryptedAccess is enabled):

Set-SmbServerConfiguration -EnableSMB2Protocol $true

While you cannot disable incoming SMBv2 while you want to use SMBv3, you can disable incoming SMBv1 by disabling the SMBv1 client using an elevated PowerShell or command prompt:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Other nice references from Microsoft:
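As an added example (not part of the answer above, and not Microsoft's own code), the following PowerShell function audits the four server settings the answer relies on (EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol, EnableSMB2Protocol), lists non-administrative shares that lack their own EncryptData flag, and reports any live session that negotiated a dialect below SMB 3.0, which is the practical way to confirm that SMB2 clients are really being kept out. It uses only the stock SmbShare cmdlets (Get-SmbServerConfiguration, Get-SmbShare, Get-SmbSession, Set-SmbServerConfiguration, Set-SmbShare) that ship with Windows 8 / Server 2012 and later; the function name Test-SmbServerHardening and its -Remediate switch are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added audit/remediation helper (example code, not from the answer above).
# Assumes the SmbShare module shipped with Windows 8 / Server 2012 and later;
# run it in an elevated PowerShell on the file server itself.

function Test-SmbServerHardening {
    [CmdletBinding()]
    param(
        # Apply the settings from the answer instead of only reporting them.
        [switch]$Remediate
    )

    $cfg = Get-SmbServerConfiguration

    # Server-wide switches the answer relies on. EnableSMB2Protocol governs
    # SMB2 *and* SMB3, which is why it must stay on; SMB2 clients are kept
    # out only by the RejectUnencryptedAccess / EncryptData combination.
    $checks = @(
        [pscustomobject]@{ Setting = 'EncryptData';             Expected = $true;  Actual = $cfg.EncryptData }
        [pscustomobject]@{ Setting = 'RejectUnencryptedAccess'; Expected = $true;  Actual = $cfg.RejectUnencryptedAccess }
        [pscustomobject]@{ Setting = 'EnableSMB1Protocol';      Expected = $false; Actual = $cfg.EnableSMB1Protocol }
        [pscustomobject]@{ Setting = 'EnableSMB2Protocol';      Expected = $true;  Actual = $cfg.EnableSMB2Protocol }
    )
    $mismatches = @($checks | Where-Object { $_.Actual -ne $_.Expected })

    Write-Host '== Server configuration =='
    $checks | Format-Table Setting, Expected, Actual -AutoSize | Out-String | Write-Host

    # Non-administrative shares without their own EncryptData flag. With the
    # server-wide EncryptData=$true they are encrypted anyway, but this shows
    # what would fall back to cleartext if the global setting were reverted.
    $plainShares = @(Get-SmbShare | Where-Object { -not $_.Special -and -not $_.EncryptData })
    Write-Host '== Shares without their own EncryptData flag =='
    $plainShares | Format-Table Name, Path, EncryptData -AutoSize | Out-String | Write-Host

    # Sessions that negotiated a dialect below 3.0. Get-SmbSession reports
    # Dialect as a string such as "2.10" or "3.02"; any hit here means an
    # SMB2 client is still getting in.
    $legacy = @(Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -and ([version]$_.Dialect) -lt [version]'3.0' })
    Write-Host '== Sessions below SMB 3.0 =='
    $legacy | Format-Table ClientComputerName, ClientUserName, Dialect -AutoSize | Out-String | Write-Host

    if ($Remediate) {
        # Same settings as the answer's individual commands, applied in one call.
        Set-SmbServerConfiguration -EncryptData $true `
                                   -RejectUnencryptedAccess $true `
                                   -EnableSMB1Protocol $false `
                                   -EnableSMB2Protocol $true `
                                   -Force
        # Also mark each non-administrative share as encrypted, so it stays
        # protected even if the server-wide flag is changed later.
        foreach ($s in $plainShares) {
            Set-SmbShare -Name $s.Name -EncryptData $true -Force
        }
    }

    # Summary object for scripting, e.g. a scheduled compliance check.
    [pscustomobject]@{
        Compliant         = ($mismatches.Count -eq 0 -and $legacy.Count -eq 0)
        Mismatches        = @($mismatches | ForEach-Object Setting)
        UnencryptedShares = @($plainShares | ForEach-Object Name)
        LegacySessions    = $legacy.Count
    }
}

# Report only:
Test-SmbServerHardening
# Report and apply the answer's settings:
# Test-SmbServerHardening -Remediate
```

The session report is the part worth running periodically: because SMB2 and SMB3 cannot be switched independently, the configuration alone does not prove SMB2 is unreachable, whereas an empty "Sessions below SMB 3.0" list over time does.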


Author: Stilez

Updated on September 18, 2022

Comments

  • Stilez
    Stilez over 1 year

    Is there a way (indirect, hacky, or otherwise) to restrict Windows 8.1 to SMB3 only, and prevent it accepting or offering SMB2 connections?

    All I can find is that on 8.1, SMB2 and SMB3 share the same stack, so SMB2 functionality can't be disabled internally (by killing mrxsmb20 or similar) without impacting SMB3.

    However, that leaves open the possibility there could be other ways to effectively close it, via the firewall, or some software, or a policy or setting that targets the session, or the protocol requirements and advertised capabilities of a connection (perhaps in a way that SMB2 can't meet), without disabling the stack.

    As none of my LAN devices should ever need to make an SMB2 connection, it's bad practice to leave it open to accept a downgrade old protocol that it shouldn't ever need (crossref security attacks via protocol downgrade on SSL and the recent attacks via older SMB1 vulnerabilities). But is there a way to disable it on a device running that version of Windows?

  • El8dN8
    El8dN8 over 6 years
    @Stilez, so I just forgot to mention you have to enable encryption on the shares. Hope it works
  • Stilez
    Stilez over 6 years
    I don't have SMB2 running anywhere here - which is why I want to disable it ;-) So it's hard to tell. It does look plausible though. I will be able to find an old Win7 VM and test, but that again depends on sorting out my other SMB/file share issues, otherwise the result would be meaningless. I'm happy to be nudged on this but god knows how long till I sort these out! This is just one bit of it...