1
00:00:03,050 --> 00:00:06,860
Now let's go ahead and configure SMB signing for some additional security.

2
00:00:06,860 --> 00:00:10,460
SMB signing is beneficial to help detect man-in-the-middle attacks.

3
00:00:11,330 --> 00:00:13,580
By digitally signing the SMB packets,

4
00:00:13,580 --> 00:00:18,230
the client and server can confirm where they originated from as well as their authenticity.

5
00:00:19,070 --> 00:00:24,290
In order to configure SMB signing, there are four policy items which we will need to define within

6
00:00:24,290 --> 00:00:25,070
Group Policy.

7
00:00:25,910 --> 00:00:28,640
Let's begin with SMB server packet signing.

8
00:00:29,480 --> 00:00:35,030
You will navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local

9
00:00:35,030 --> 00:00:36,920
Policies, and Security Options.

10
00:00:37,820 --> 00:00:39,770
You will scroll down and select the option

11
00:00:39,770 --> 00:00:44,720
"Microsoft network server: Digitally sign communications", and we will look at the (always) setting.

12
00:00:45,560 --> 00:00:49,940
This option controls whether the server providing SMB requires packet signing.

13
00:00:50,780 --> 00:00:56,480
It determines whether or not SMB packet signing must be negotiated first before further communication

14
00:00:56,480 --> 00:00:58,190
with an SMB client is allowed.

15
00:00:59,060 --> 00:01:04,880
The setting after that, which is "Microsoft network server: Digitally sign communications (if client agrees)",

16
00:01:04,880 --> 00:01:11,300
determines whether the SMB server will negotiate SMB packet signing with the client that requested it. With

17
00:01:11,300 --> 00:01:16,280
this enabled, the SMB server will negotiate packet signing as per the request of the client.

18
00:01:17,210 --> 00:01:21,740
If packet signing is enabled on the client, then it will be negotiated by the server.

19
00:01:22,610 --> 00:01:23,330
By default,

20
00:01:23,450 --> 00:01:29,360
this option is only enabled on domain controllers, so you will click on the first one, and it's a good

21
00:01:29,360 --> 00:01:31,790
practice to take a look at the explanation tab.

22
00:01:32,660 --> 00:01:35,900
This tab gives you a good explanation of what the setting does.

23
00:01:36,800 --> 00:01:39,950
What's important to note is the default options for the setting.

24
00:01:40,790 --> 00:01:45,950
You can see here it's enabled by default for domain controllers but disabled for member servers.

25
00:01:46,880 --> 00:01:51,800
Since you need to enforce this across your entire domain, you will go ahead and define the policy and

26
00:01:51,800 --> 00:01:52,670
click on Enabled.

27
00:01:53,510 --> 00:01:57,650
What's also important to note is the article that Microsoft links in the setting.

28
00:01:58,490 --> 00:02:03,170
This will highlight any kind of compatibility issues that you might run into with other services or

29
00:02:03,170 --> 00:02:03,950
applications.

30
00:02:04,850 --> 00:02:10,100
Since we don't have any other services or applications or clients that would cause compatibility issues,

31
00:02:10,100 --> 00:02:11,330
you will click on OK.

32
00:02:11,330 --> 00:02:16,100
And again, you are presented with a warning, and you'll accept this to define the setting.

33
00:02:16,940 --> 00:02:19,640
We will follow the same process for the next option.

34
00:02:20,480 --> 00:02:23,150
Now let's configure SMB signing for clients.

35
00:02:24,020 --> 00:02:29,000
As you scroll a little bit up, you will notice you've got the "Microsoft network client: Digitally sign

36
00:02:29,000 --> 00:02:32,090
communications" (always) and (if server agrees) options.

37
00:02:32,970 --> 00:02:39,210
The first one ensures that the SMB client will always require packet signing. If the server does not

38
00:02:39,210 --> 00:02:41,610
agree to support packet signing with the client,

39
00:02:41,760 --> 00:02:44,130
the client will not communicate with the server.

40
00:02:45,000 --> 00:02:50,370
The one below that determines whether the SMB client attempts to negotiate SMB packet signing with the

41
00:02:50,370 --> 00:02:50,850
server.

42
00:02:51,750 --> 00:02:55,470
So now you will go ahead and define the options to enable these two settings.

43
00:02:56,370 --> 00:03:01,590
Once these are enabled and the Group Policy refresh takes place, you have successfully enabled SMB

44
00:03:01,590 --> 00:03:02,070
signing.

45
00:03:02,910 --> 00:03:05,310
Now let's move on to SMB encryption.

46
00:03:06,180 --> 00:03:11,490
Before we enable SMB encryption, let's take a look at what the configuration setting currently is on

47
00:03:11,490 --> 00:03:12,330
the file server.

48
00:03:13,230 --> 00:03:18,300
You will right-click on the file server and click on Windows PowerShell, and within PowerShell you will

49
00:03:18,300 --> 00:03:19,200
issue the command

50
00:03:19,230 --> 00:03:21,180
Get-SmbServerConfiguration.

51
00:03:22,020 --> 00:03:25,020
You will notice that the EncryptData option is set to False.

52
00:03:25,170 --> 00:03:27,840
This means that SMB encryption is not enabled.

53
00:03:28,710 --> 00:03:35,190
Let's verify what dialects are currently used for SMB. To view the current protocol version that's being

54
00:03:35,190 --> 00:03:35,640
used,

55
00:03:35,640 --> 00:03:40,440
I'll issue the command Get-SmbConnection on my Windows administrative machine, and you'll notice

56
00:03:40,440 --> 00:03:43,020
that SMB version 3.1 is being used.

57
00:03:43,890 --> 00:03:49,380
Since security is a priority for the company, let's ensure that we enable SMB encryption across all

58
00:03:49,380 --> 00:03:50,160
file shares

59
00:03:51,040 --> 00:03:56,620
by issuing the command Set-SmbServerConfiguration -EncryptData with a value of $true, and -Force.

60
00:03:56,800 --> 00:03:58,900
You have now enabled SMB encryption.

61
00:03:59,740 --> 00:04:04,960
Let's take a look at the SMB server configuration settings again, and you'll see that the EncryptData

62
00:04:04,960 --> 00:04:06,490
option is now set to True.

63
00:04:07,330 --> 00:04:10,630
Now let's go ahead and reject unencrypted SMB connections.

64
00:04:10,630 --> 00:04:16,080
In order to reject unencrypted access, this can be done using Set-SmbServerConfiguration

65
00:04:16,090 --> 00:04:20,960
-RejectUnencryptedAccess with a value of $true, and you should get a warning that asks you to confirm.

66
00:04:20,980 --> 00:04:23,200
In this case, we're going to confirm this.

67
00:04:24,100 --> 00:04:27,070
Now SMB encryption has been enabled successfully.

68
00:04:27,970 --> 00:04:33,010
You can confirm this by navigating to Server Manager, selecting your file server, navigating to

69
00:04:33,010 --> 00:04:38,020
File and Storage Services, clicking on Shares, and under the file share you can right-click, click

70
00:04:38,020 --> 00:04:39,790
on Properties, and under Settings

71
00:04:39,790 --> 00:04:42,790
you'll notice that "Encrypt data access" has been selected.

72
00:04:43,660 --> 00:04:48,640
Alternatively, if you did not use PowerShell, you could come to this exact same setting and simply

73
00:04:48,640 --> 00:04:49,930
tick the box and click on

74
00:04:49,930 --> 00:04:50,380
OK.

75
00:04:51,180 --> 00:04:55,920
That brings you to the end of this demonstration, where you have successfully enabled SMB encryption

76
00:04:55,920 --> 00:04:58,890
and SMB signing and disabled SMB version 1.