Force SMB3 when possible?

1

Background

I have an environment with 5000 or so workstations, 1000 or so servers.

All of my file share servers are running Windows Server 2012 or higher, and thus support SMBv3.

About half of my workstations are Windows 10, and thus support SMBv3; however the other half are Windows 7, and thus only support SMBv2 or lower.

I'm working on replacing these Windows 7 machines, but it'll be a while. We've paid for extended support, so it's OK for another year.

My Issue

Is it possible to force SMBv3 connections when SMBv3 connectivity is possible, but support SMBv2 otherwise?

Example:

Windows 10 workstation visits the "Accounting" department share to get a file. The connection between the workstation and department share (our file server) is via SMBv3.

Windows 7 workstation visits the "Accounting" department share to get a file. The connection between the workstation and department share (our file server) is via SMBv2.

EDIT

I ran Get-SmbConnection on my Win10 workstation to my file server, and it reports version 3.02.

However, running Wireshark while transferring a file between workstation and share shows SMBv2, and Wireshark is able to re-create the transferred file from the captured packets. SMBv3 is encrypted, so this shouldn't be possible if it were.

This is where my confusion is stemming from, I suppose.

Ghawblin

Posted 2019-12-16T20:31:07.990

Reputation: 11

Encryption is an optional feature of the protocol. Did you enable encryption on your server? – Daniel B – 2019-12-16T20:54:57.107

Ah! That may be the cause. I'll send a message to our storage admin. – Ghawblin – 2019-12-17T16:47:54.720

Answers

1

This is how SMB functions to spec already. It will connect at the highest version that both parties support. Server 2012 to Windows 10 = SMB3, 7 to Server 2012 = SMB2, etc. This can be verified with the Get-SmbConnection cmdlet in PowerShell on any host with an SMB connection to another host.

Narzard

Posted 2019-12-16T20:31:07.990

Reputation: 2 276

I'm glad you mentioned that! I ran Get-SmbConnection on my Win10 workstation to a few of my servers and it reported version 3.02; however, Wireshark shows SMB2 when I move files around. I'm able to have Wireshark recreate the transferred file from the packet data it captured, implying that it's not encrypted and thus can't be SMBv3. What gives with that? – Ghawblin – 2019-12-16T20:44:47.827

Are the servers in question here 2012 or of the Linux variety? Verifying the connection in question is from Win10 to Server2012? – Narzard – 2019-12-16T20:47:30.027

https://www.snia.org/sites/default/files/SDCEMEA/2019/SMB3seminar/Aptel-New_SMB3_features_in_Wireshark.pdf I found this interesting. Because SMB3 is a dialect of SMB2, it shows as SMB2 in Wireshark. Because Wireshark caught all the connection negotiations, it is still able to decrypt packets made from connections in/out of the server. What do you think? Edit: Around Slide 16 – Narzard – 2019-12-16T20:59:21.867

Thanks! They're Windows servers specifically. Someone earlier mentioned if I had encryption enabled, and I'm not sure. I sent a request to our storage admin. – Ghawblin – 2019-12-17T16:47:40.843
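
The checks discussed in this thread (negotiated dialect versus whether encryption is actually switched on), written out as an added example that is not part of the original posts. It assumes an elevated PowerShell session on a Windows Server 2012 or later file server and that the share from the question is literally named `Accounting`; the two commands that change settings are left commented out.

```powershell
# Added example: audit SMB dialect and encryption on a file server.
# Assumption: 'Accounting' is the SMB share name used in the question.
$ShareName = 'Accounting'

# 1. Server-wide policy. EncryptData is $false by default, which is why a
#    3.02 connection can still be read in a packet capture.
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess,
                  EnableSMB1Protocol, EnableSMB2Protocol

# 2. Per-share policy. Encryption can be required for one share only.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData

# 3. Dialect each connected client actually negotiated. Windows 7 clients
#    appear as 2.x, Windows 10 clients as 3.x.
$sessions = Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect
$sessions | Group-Object Dialect | Sort-Object Name |
    Select-Object Name, Count

# 4. Clients that cannot use SMB encryption at all (dialect below 3.0).
#    These are the machines affected by any "require encryption" policy.
$legacy = $sessions | Where-Object { $_.Dialect -notlike '3.*' }
$legacy | Sort-Object ClientComputerName | Format-Table -AutoSize

# 5. Require encryption on the share. With RejectUnencryptedAccess at its
#    default of $true, the clients listed in step 4 are denied access.
# Set-SmbShare -Name $ShareName -EncryptData $true -Force

# 6. Mixed-fleet setting: SMB 3.x clients encrypt, older clients are still
#    admitted but their traffic stays unencrypted on the wire.
# Set-SmbServerConfiguration -RejectUnencryptedAccess $false -Force

# 7. From a Windows 10 client, confirm the result per connection:
# Get-SmbConnection |
#     Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

After step 5, the `Encrypted` column in step 7 should read `True` for the Windows 10 connection, and a new Wireshark capture of a transfer to that share should no longer yield the file contents without the session key.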