SMB Signing and SMB Encryption are two technologies that can improve the security of your SMB connection.
SMB Signing prevents an attacker from altering the contents of a SMB message by adding a hash of the contents into an encrypted signature. If the contents are altered, the hash in the signature would not match the hash of the new contents, and the message can be discarded. For more information about SMB Signing, see the following article:
SMB Encryption provides end-to-end encryption of data and prevents an attacker from seeing the contents of SMB messages. For more information about SMB Encryption, see the following article:
Enabling SMB Signing or SMB Encryption involves some level of performance penalty since additional computation is required to sign or encrypt SMB traffic. With SMB Signing enabled, file transfer performance may be halved. Using SMB Encryption may only give you a quarter of the performance of non-encrypted non-signed transfers.
Enabling SMB Signing
To enable SMB Signing, the following changes must be made on the client PC:
- Run gpedit.msc or go to Control Panel and search for group policy.
- Navigate to the Security Options section, then change the values for the highlighted policy options so that both are Enabled.
- Close the policy editor.
Enabling SMB Encryption
To enable SMB Encryption for a share:
- Go to MCM, then click File System, then select the share.
- Go to the Advanced tab, then select SMB.
- Enable the Force SMB encrypt option.
- If the client is setup for SMB Signing but accesses an SMB Encryption enabled share, the connection will use encryption but not signing. Using signing when encryption is used does not provide any advantages but would further degrade performance.
- If the client is setup for SMB Signing and the share has forced SMB encryption, the "Don't allow guest to access all shares" option must be enabled in the Account page.
- SMB Encryption is supported for SMB 3.0 or higher.