First, I would like to apologize because my earlier answer was incomplete, as the answer was unknown to me at the time. I'm now going to be much clearer and correct.
I tested this myself (using 7 and 10) and it works well; there should be no reason why it would not work with Windows 8.1. I got it from this page in Microsoft's TechNet documentation. Unfortunately, this does not prevent connecting to SMBv2 file shares, but it does block SMBv2 connections. This offers key distinctions for SMB3 security.
By default, when SMB Encryption is enabled for a file share or server, only SMB 3.0 clients are allowed to access the specified file shares. This enforces the administrator's intent of safeguarding the data for all clients that access the shares.
[...]
If the -RejectUnencryptedAccess setting is left at its default setting of $true, only encryption-capable SMB 3.0 clients are allowed to access the file shares (SMB 1.0 clients will also be rejected).
This passage implies that SMB Encryption must be enabled for the particular server share in order to reject it; in other words, it will not reject unless it is encrypted. You need to encrypt your shares by using the following commands in an elevated PowerShell. (You may also replace $true with $false if you don't want that share to reject for no encryption when you have rejection enabled.)
To set a particular share as encrypted:
Set-SmbShare -Name <sharename> -EncryptData $true
To set all shares as encrypted (this is the one you probably want; it will be the default setting and will override specific share settings):
Set-SmbServerConfiguration -EncryptData $true
This can also be done by modifying the EncryptData key in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, by setting the DWORD value from 0 (false) to 1 (true). You must then restart your computer for the settings to take effect (you probably could restart some services instead).
To create a share and make it encrypted:
New-SmbShare -Name <sharename> -Path <pathname> -EncryptData $true
The document describes that when RejectUnencryptedAccess is enabled, SMBv1 will be unable to connect because it will only accept SMBv3 connections, therefore also restricting incoming SMBv2 connections.
Therefore, all of these commands would be all for naught if we do not have RejectUnencryptedAccess enabled by setting its value to $true, if not already (it is enabled by default), by using the command:
Set-SmbServerConfiguration -RejectUnencryptedAccess $true
This can also be done by modifying the RejectUnencryptedAccess key in HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, by setting the DWORD value from 0 (false) to 1 (true). You must then restart your computer for the settings to take effect (you probably could restart some services instead).
Also for reference:
The technical reason why SMBv2 is rejected is not because it is unencrypted but because it uses a less efficient and less secure ciphering algorithm. SMBv3 uses AES (Advanced Encryption Standard, which was released in 1998) while SMBv2 uses HMAC-SHA256 (Secure Hash Algorithm, which was released in 2001 by the NSA). [I did try to block incoming HMAC-SHA256, and when I tried blocking it, it did nothing because it is not considered a "weak" algorithm by Windows and therefore can't be disabled like SHA1 algorithms can be.]
Disable SMBv1 with this command (because it is redundant when RejectUnencryptedAccess is enabled and all shares are encrypted, and you want to disable it anyway):
Set-SmbServerConfiguration -EnableSMB1Protocol $false
Enable SMBv2 and SMBv3 together (SMBv2 connections are blocked when RejectUnencryptedAccess is enabled):
Set-SmbServerConfiguration -EnableSMB2Protocol $true
While you cannot disable incoming SMBv2 while you want to use SMBv3, you can disable incoming SMBv1 by disabling the SMBv1 client using an elevated PowerShell or command prompt:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Other nice references from Microsoft:
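As an added example (not part of this answer or of Microsoft's documentation), the following PowerShell script audits the settings discussed above before changing anything: it lists the server-wide flags, each share's effective encryption state, and any current sessions negotiated below SMB 3.0 that would be refused once unencrypted access is rejected. The -Apply switch is an assumption of this example; without it the script only reports.

```powershell
# Added example, not from the original answer: audit the SMB server settings
# the answer discusses and, only when -Apply is given, set them together.
# Assumes Windows 8 / Server 2012 or later with the SmbShare module present.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # hypothetical switch for this example: report-only without it
)

$cfg = Get-SmbServerConfiguration

# Server-wide state that decides whether non-SMB3 clients are rejected
[PSCustomObject]@{
    EncryptData             = $cfg.EncryptData
    RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
    EnableSMB1Protocol      = $cfg.EnableSMB1Protocol
    EnableSMB2Protocol      = $cfg.EnableSMB2Protocol
} | Format-List

# Per-share view: a share is effectively encrypted if either the share
# or the server-wide EncryptData setting requires it
Get-SmbShare | Where-Object { -not $_.Special } |
    Select-Object Name, Path, EncryptData,
        @{ n = 'EffectiveEncrypt'; e = { $_.EncryptData -or $cfg.EncryptData } } |
    Format-Table -AutoSize

# Sessions whose negotiated dialect is below 3.0 (SMB1/SMB2 clients) would be
# rejected once encryption is required with RejectUnencryptedAccess = $true,
# so review this list before applying
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize

if ($Apply) {
    if ($PSCmdlet.ShouldProcess('SMB server', 'Require SMB encryption, disable SMB1')) {
        # Same settings as the individual commands in the answer, applied in one call
        Set-SmbServerConfiguration -EncryptData $true `
                                   -RejectUnencryptedAccess $true `
                                   -EnableSMB1Protocol $false -Force
    }
}
```

Run it with -Apply -WhatIf to see what would change without touching the configuration.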
@Stilez, so I just forgot to mention you have to enable encryption on the shares. Hope it works – El8dN8 – 2017-07-26T22:39:53.590
I don't have SMB2 running anywhere here - which is why I want to disable it ;-) So it's hard to tell. It does look plausible though. I will be able to find an old Win7 VM and test, but that again depends on sorting out my other SMB/file share issues, otherwise the result would be meaningless. I'm happy to be nudged on this but god knows how long till I sort these out! This is just one bit of it... – Stilez – 2017-07-27T08:24:11.050