1
00:00:03,040 --> 00:00:07,930
In this section, we will go back to basics when it comes to securing Windows Server and we'll start

2
00:00:07,930 --> 00:00:09,460
off with SMB security.

3
00:00:10,300 --> 00:00:13,580
SMB one is dead and we really should stop using it.

4
00:00:14,440 --> 00:00:19,330
The first reason, which is a really compelling reason to stop using SMB version one, is that the only

5
00:00:19,330 --> 00:00:22,990
versions of Windows that require SMB V1 are all end of support.

6
00:00:23,860 --> 00:00:27,910
And when I say end of support, they have been end of support by a number of years.

7
00:00:28,810 --> 00:00:34,960
For example, when you look at Windows Server 2003, it has been end of support in July 2015.

8
00:00:35,800 --> 00:00:39,880
Windows Server 2000 has been end of support in July 2010.

9
00:00:40,780 --> 00:00:45,790
Many Samba and Linux distributions like Ubuntu have also retired SMB version one.

10
00:00:46,630 --> 00:00:47,800
And consider this.

11
00:00:48,700 --> 00:00:53,620
If you are using Windows 10, Windows 10 would not work with any end of support version of Windows

12
00:00:53,620 --> 00:00:54,430
or SMB.

13
00:00:55,270 --> 00:00:57,400
Microsoft simply will not support it.

14
00:00:58,300 --> 00:01:01,240
The next reason is that SMB V1 is not safe.

15
00:01:02,140 --> 00:01:07,840
When you use SMB one, you lose key protections that are offered by the later SMB protocol versions.

16
00:01:08,710 --> 00:01:11,890
For example, consider pre-authentication integrity.

17
00:01:12,760 --> 00:01:17,800
This protects against security downgrade attacks as well as secure dialect negotiation.

18
00:01:18,640 --> 00:01:21,550
And those two are available in SMB three.

19
00:01:22,390 --> 00:01:27,520
What about encryption, which prevents inspection of data on the wire in any type of man-in-the-middle

20
00:01:27,520 --> 00:01:28,030
attacks?

21
00:01:28,900 --> 00:01:33,580
And then, of course, we've got things like insecure guest authentication blocking and better message

22
00:01:33,580 --> 00:01:36,910
signing, which are all available from SMB version two upwards.

23
00:01:37,780 --> 00:01:40,540
SMB version one is also not efficient.

24
00:01:41,440 --> 00:01:46,690
So not only do you lose key protections, you also lose key performance and productivity optimization

25
00:01:46,690 --> 00:01:47,590
for end users.

26
00:01:48,490 --> 00:01:53,650
For example, you lose out on larger reads and writes, which are all available from SMB version two

27
00:01:53,650 --> 00:01:54,160
upwards.

28
00:01:55,060 --> 00:01:56,500
So what is the way forward?

29
00:01:57,370 --> 00:02:03,220
Instead of adding another dialect to SMB, it was decided that a major new version of SMB was needed.

30
00:02:04,090 --> 00:02:07,090
And this is where SMB V2 and V3 was born.

31
00:02:07,930 --> 00:02:11,830
SMB version two has now actually become SMB version three.

32
00:02:12,700 --> 00:02:18,580
This is more of a marketing move since SMB three still uses the MS-SMB2 protocol specification.

33
00:02:19,420 --> 00:02:25,070
And if you look at a bit of history, you'll note that SMB three was originally SMB version 2.2.

34
00:02:25,900 --> 00:02:29,050
So what makes SMB version two and three more secure?

35
00:02:29,920 --> 00:02:32,920
Well, to start off with, you have the encryption capabilities.

36
00:02:33,790 --> 00:02:39,640
SMB encryption provides end-to-end encryption of data and protects the data from eavesdropping on untrusted

37
00:02:39,640 --> 00:02:40,240
networks.

38
00:02:41,110 --> 00:02:44,200
You also have the ability to make use of SMB signing.

39
00:02:45,040 --> 00:02:48,610
This helps to secure communications and data across the network.

40
00:02:49,480 --> 00:02:55,150
There is a feature within Windows which digitally signs SMB communications between devices at the packet

41
00:02:55,150 --> 00:02:55,510
layer.

42
00:02:56,380 --> 00:03:02,110
When you enable this, SMB signing allows the recipient of the SMB communication to authenticate who

43
00:03:02,110 --> 00:03:04,480
they are and confirm that the data is genuine.

44
00:03:05,350 --> 00:03:09,880
This, of course, helps to safeguard against attacks such as the man-in-the-middle attack.

45
00:03:10,750 --> 00:03:15,850
Most, if not all, of these settings can be enabled either via PowerShell or via group policy.