Windows/Powershell: Automating the configuration of a File Server with AES-CCM-based Signing and Encryption

Created: 12/29/19

Updated: 2/16/20

Hey peeps,

So I’ve noticed, while digging deeper into PowerShell for Server 2019, that there are advanced settings around SMB share security, so I backtracked into Server 2016 and it’s the same on that platform.

I’m used to the below cmdlet in Server 2016:

Set-SmbShare -Name [Share Name] -EncryptData $true -Confirm:$false

This encrypts a single share, just like in this article: https://www.g15it.com/windows-setting-up-in-motion-encryption-on-smb-based-files/
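To turn that one-liner into something repeatable, here is an added example (my code, not from the article linked above): it lists the non-administrative shares that are still unencrypted, encrypts the ones you name, re-reads each share to confirm, and surfaces the server-side RejectUnencryptedAccess setting that decides whether a client that cannot do SMB 3.x encryption is refused or let in unencrypted. The share names "Finance" and "HR" are assumed placeholders.

```powershell
#Requires -Modules SmbShare
# Added example, not code from the original post. Run in Windows PowerShell 5.1
# on the file server itself. $SharesToEncrypt holds assumed share names.

$SharesToEncrypt = @('Finance', 'HR')

function Get-UnencryptedShare {
    # Special = $true marks the automatic admin shares (C$, ADMIN$, IPC$); skip those.
    Get-SmbShare |
        Where-Object { -not $_.Special -and -not $_.EncryptData } |
        Select-Object Name, Path, EncryptData
}

Write-Host 'Shares currently served without per-share encryption:'
Get-UnencryptedShare | Format-Table -AutoSize

foreach ($name in $SharesToEncrypt) {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if (-not $share) { Write-Warning "Share '$name' does not exist; skipping"; continue }
    if ($share.EncryptData) { Write-Host "Share '$name' already requires encryption"; continue }

    # Same cmdlet as in the post; -Force suppresses the interactive prompt.
    Set-SmbShare -Name $name -EncryptData $true -Confirm:$false -Force

    # Re-read the share rather than trusting the call succeeded.
    if ((Get-SmbShare -Name $name).EncryptData) {
        Write-Host "Share '$name' now requires SMB encryption"
    } else {
        Write-Warning "Share '$name' still reports EncryptData = False"
    }
}

# Caveat: per-share encryption only protects data if the server refuses clients
# that cannot encrypt. That is governed by RejectUnencryptedAccess (default True).
$cfg = Get-SmbServerConfiguration
if ($cfg.RejectUnencryptedAccess) {
    Write-Host 'RejectUnencryptedAccess is on: clients without SMB 3.x encryption are denied on encrypted shares.'
} else {
    Write-Warning 'RejectUnencryptedAccess is off: clients that cannot encrypt would still be served in clear text.'
}
```

The last check is the one that matters operationally: with RejectUnencryptedAccess on (the default), older SMB 2.x clients such as Windows 7 lose access to an encrypted share rather than silently falling back, so run the audit before flipping a share in production.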

But I’ve also noticed a few more cmdlets that let you take SMB3 to its fullest potential, and I’m curious whether anyone else has enabled these and seen any issues with them.

1. Get-SmbServerConfiguration (pulls the local server’s SMB configuration settings)
2. Set-SmbServerConfiguration (disables SMB version 1; may conflict with Windows 7 shares)
-EnableSMB1Protocol $false
-Confirm:$false
3. Set-SmbServerConfiguration (enables SMB signing and encryption for the entire server; by default AES-CCM is used for encryption and packet signing, and this does degrade performance slightly)
-RequireSecuritySignatures $true
-EnableSecuritySignatures $true
-EncryptData $true
-Confirm:$false
4. Set-SmbServerConfiguration (disables the default server and workstation administrative shares)
-AutoShareServer $false
-AutoShareWorkstation $false
-Confirm:$false
5. Set-SmbServerConfiguration (disables server announcements; this helps keep the file server from being advertised to attackers)
-ServerHidden $true
-AnnounceServer $false
-Confirm:$false
6. [ValidateSet('Yes', 'No')]$RebootService = Read-Host "Want to restart the LanmanServer service? Enter Yes/No"
If ($RebootService -eq 'Yes') { Restart-Service -Name lanmanserver -Force }

I’m pondering the idea of enabling 3, 4, and 5 on a few of our customers’ file servers. We currently only use "Set-SmbServerConfiguration -EncryptData $true", but I’m wondering whether the above would prove even more useful.

Thus far, the only problem I can see with step 4 is that if you have a DFS Namespace, the replication function uses the administrative shares for its cmdlets.
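Steps 1 through 6 above, wired together as one script with the checks I would want before running them on a customer box: an added example written for this post, not something from Microsoft or the linked articles. It snapshots the configuration first (step 1), warns about clients still connected over SMB1 before step 2 and about administrative shares that have users attached (the DFS caveat) before step 4, applies steps 2 to 5 in a single call, then compares every setting against the intended value. The snapshot path under $env:TEMP is an assumption.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules SmbShare
# Added example, not code from the original post. Run locally on the file server
# in Windows PowerShell 5.1. The snapshot file location is an assumption.

$props = @('EnableSMB1Protocol', 'RequireSecuritySignatures', 'EnableSecuritySignatures',
           'EncryptData', 'AutoShareServer', 'AutoShareWorkstation', 'ServerHidden', 'AnnounceServer')

# Intended end state for steps 2-5 (step 1 is the Get- call used for the snapshot).
$target = @{
    EnableSMB1Protocol        = $false   # step 2
    RequireSecuritySignatures = $true    # step 3
    EnableSecuritySignatures  = $true
    EncryptData               = $true
    AutoShareServer           = $false   # step 4
    AutoShareWorkstation      = $false
    ServerHidden              = $true    # step 5
    AnnounceServer            = $false
}

# Step 1: snapshot the current configuration so the change can be reviewed or reverted.
$before = Get-SmbServerConfiguration | Select-Object -Property $props
$before | Export-Clixml -Path (Join-Path $env:TEMP 'smb-server-config-before.xml')

# Pre-check for step 2: sessions negotiated at an SMB1 dialect break once SMB1 is off.
$smb1 = Get-SmbSession | Where-Object { $_.Dialect -like '1.*' }
if ($smb1) {
    Write-Warning 'Clients currently connected with SMB1 (they will lose access after step 2):'
    $smb1 | Format-Table ClientComputerName, ClientUserName, Dialect -AutoSize
}

# Pre-check for step 4: admin shares (Special = $true) that have users attached,
# for example DFS tooling as noted above.
$adminInUse = Get-SmbShare | Where-Object { $_.Special -and $_.CurrentUsers -gt 0 }
if ($adminInUse) {
    Write-Warning 'Administrative shares are in use right now:'
    $adminInUse | Format-Table Name, Path, CurrentUsers -AutoSize
}

# Steps 2-5 in a single call; -Force suppresses the per-setting confirmation prompts.
Set-SmbServerConfiguration @target -Confirm:$false -Force

# Verify: compare every property against the intended value and report drift.
$after = Get-SmbServerConfiguration | Select-Object -Property $props
$drift = 0
foreach ($p in $props) {
    $ok = ($after.$p -eq $target[$p])
    if (-not $ok) { $drift++ }
    '{0,-26} {1,-5} -> {2,-5} {3}' -f $p, $before.$p, $after.$p, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
if ($drift) { Write-Warning "$drift setting(s) did not apply as intended; review the output above." }

# Step 6, as in the original list: offer to restart the Server service.
[ValidateSet('Yes', 'No')]$RebootService = Read-Host 'Restart the LanmanServer service now? Enter Yes/No'
if ($RebootService -eq 'Yes') { Restart-Service -Name lanmanserver -Force }
```

The before/after table is the part worth keeping in the change ticket: it shows exactly which of the eight settings moved, and the exported snapshot gives you the values to put back if a client turns out to need SMB1 or an admin share after all.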

Use this command to detect SMBv1:

Get-WindowsFeature FS-SMB1

Use this command to disable SMBv1:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Here is a listing of applications that still use SMBv1, though: https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/SMB1-Product-Clearinghouse/ba-p/426008

Enable WMI through the Windows firewall:

netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

Make sure the "Remote Registry" service is running, too. 😉

If you have the Windows firewall enabled, you’d also need to make an incoming rule allowing TCP 6001:6032.

Disable NLA:

(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "ServerName" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

Enable NLA:

(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName "ServerName" -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)

Alternatively, you can do it in the registry:

Under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, find "SecurityLayer" and change it to 0. 0 is off, and 1 is on.

To enable RDP connections:

(Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace root\CIMV2\TerminalServices -ComputerName "ServerName" -Authentication 6).SetAllowTSConnections(1,1)
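Because a one-liner that disables NLA is easy to run and then forget, here is an added example (mine, not from the post above or from Microsoft) that uses the same two WMI classes to report the RDP listener state across a list of servers: whether RDP is allowed, whether NLA is required, the security layer and the minimum encryption level. It flags any server that accepts RDP without NLA and includes a helper that turns NLA back on and re-reads the setting to confirm. Get-WmiObject exists in Windows PowerShell 5.1 but not in PowerShell 7, so run it there; the server names are assumed placeholders.

```powershell
# Added example, not code from the original post. Windows PowerShell 5.1 only
# (Get-WmiObject is not present in PowerShell 7). Server names are assumptions.

$Servers = @('FS01', 'FS02')

function Get-RdpSecurityState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Authentication 6 = PacketPrivacy, the same level used in the RDP one-liner above.
    $wmi = @{ Namespace = 'root\cimv2\terminalservices'; ComputerName = $ComputerName; Authentication = 6 }
    $gen = Get-WmiObject @wmi -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-tcp'"
    $svc = Get-WmiObject @wmi -Class Win32_TerminalServiceSetting
    [pscustomobject]@{
        ComputerName       = $ComputerName
        RdpAllowed         = [bool]$svc.AllowTSConnections
        NlaRequired        = [bool]$gen.UserAuthenticationRequired
        # SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS
        SecurityLayer      = $gen.SecurityLayer
        MinEncryptionLevel = $gen.MinEncryptionLevel
    }
}

function Set-NlaRequired {
    param([Parameter(Mandatory)][string]$ComputerName, [bool]$Required = $true)
    $gen = Get-WmiObject -Namespace 'root\cimv2\terminalservices' -ComputerName $ComputerName `
        -Authentication 6 -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-tcp'"
    # Same method the post calls; 1 requires NLA, 0 allows connections without it.
    $result = $gen.SetUserAuthenticationRequired([int]$Required)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed on $ComputerName with code $($result.ReturnValue)"
    }
    # Return the re-read value so the caller can verify instead of assuming.
    (Get-RdpSecurityState -ComputerName $ComputerName).NlaRequired
}

$report = foreach ($s in $Servers) {
    try { Get-RdpSecurityState -ComputerName $s }
    catch { Write-Warning "$s : $_" }
}
$report | Format-Table -AutoSize

foreach ($row in $report | Where-Object { $_.RdpAllowed -and -not $_.NlaRequired }) {
    Write-Warning "$($row.ComputerName) accepts RDP connections without Network Level Authentication"
    # Remediate once you have confirmed nobody depends on the non-NLA listener:
    # Set-NlaRequired -ComputerName $row.ComputerName
}
```

Running the report on a schedule is the cheap way to catch a server where NLA was switched off for a one-time troubleshooting session and never switched back.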

Give this a try. As long as everyone involved has a PGP key set up, you can send end-to-end encrypted emails. 🙂

Not sure how viable this is, but hey, it’s still pretty kool how an open standard is used. 😛

https://www.mailvelope.com/en

Video Explanation:

https://www.youtube.com/watch?v=AQDCe585Lnc#action=share

https://www.sans.org/security-resources/policies