Determine SMB 3.1.1 Protocol Security Scenarios and Implementations

SMB 3.1.1 was introduced with the Windows Server 2016 and Windows 10 operating systems. This post covers the security features added in the SMB 3.1.1 protocol and outlines why you would want to use them.

SMB 3.1.1 Protocol Security

SMB 3.1.1 adds support for AES 128 GCM encryption and also performs pre-authentication integrity checks using SHA-512. It makes secure negotiation a requirement when connecting to clients using SMB 2 or higher.

SMB 3.1.1 will only be negotiated between instances of Windows Server 2016 and Windows 10 or above. If either of these operating systems connects over SMB to an older operating system version, negotiation will settle on an older version of the SMB protocol instead.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Pre-Authentication Integrity

Pre-authentication integrity has been improved to add further protection against man-in-the-middle (MITM) attacks that aim to modify SMB traffic. As of SMB 3.1.1 it uses SHA-512 to verify exchanges.
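
To show how the SHA-512 check catches a modified exchange, here is an added example (not code from the original post) that chains SHA-512 over the handshake messages and binds the signing key to the result. The message strings, session key and function names are constructed for illustration, and HMAC-SHA256 stands in for the AES-CMAC signature that real SMB uses.

```python
import hashlib
import hmac

def preauth_hash(messages):
    """SHA-512 chain over the handshake, starting from 64 zero bytes."""
    value = bytes(64)
    for msg in messages:
        value = hashlib.sha512(value + msg).digest()
    return value

def derive_signing_key(session_key, context):
    """SP 800-108 counter-mode KDF with HMAC-SHA256, 128-bit output."""
    data = ((1).to_bytes(4, "big") + b"SMBSigningKey\x00" + b"\x00"
            + context + (128).to_bytes(4, "big"))
    return hmac.new(session_key, data, hashlib.sha256).digest()[:16]

def sign(key, message):
    # Stand-in MAC (assumption): real SMB 3.1.1 signs with AES-128-CMAC.
    return hmac.new(key, message, hashlib.sha256).digest()[:16]

# Constructed placeholder messages, not real SMB2 packets.
NEG_REQ = b"NEGOTIATE req dialects=3.1.1 ciphers=AES-128-GCM,AES-128-CCM"
NEG_REQ_ALTERED = b"NEGOTIATE req dialects=3.1.1 ciphers=AES-128-CCM"
NEG_RSP = b"NEGOTIATE rsp dialect=3.1.1"
SETUP_REQ = b"SESSION_SETUP req <auth token>"
SETUP_RSP = b"SESSION_SETUP rsp success"
SESSION_KEY = bytes(range(16))  # constructed; comes from authentication

def handshake_verifies(altered_in_transit):
    """Return True if the client accepts the server's signed final response."""
    # Each side hashes the messages exactly as it sent or received them.
    client_view = [NEG_REQ, NEG_RSP, SETUP_REQ]
    server_view = [NEG_REQ_ALTERED if altered_in_transit else NEG_REQ,
                   NEG_RSP, SETUP_REQ]
    server_key = derive_signing_key(SESSION_KEY, preauth_hash(server_view))
    client_key = derive_signing_key(SESSION_KEY, preauth_hash(client_view))
    signature = sign(server_key, SETUP_RSP)
    return hmac.compare_digest(signature, sign(client_key, SETUP_RSP))

if __name__ == "__main__":
    print("untouched handshake accepted:", handshake_verifies(False))
    print("altered handshake accepted:  ", handshake_verifies(True))
```

Because both sides hash what they actually sent and received, any change in transit yields different keys, and the signed final response fails verification.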

Encryption

SMB 3.0 introduced encryption with AES 128 CCM, while 3.1.1 has now added support for AES 128 GCM which performs better with today’s CPUs, allowing for faster file transfers over SMB. In newer versions of Windows with 3.1.1 support, AES 128 GCM is now used by default.

Cluster Dialect Fencing

For local non-clustered file shares, the SMB server will offer up to version 3.1.1 during dialect negotiation. For clustered shares in mixed mode, however, it will offer only up to SMB 3.0.2 during dialect negotiation until the cluster functional level has been upgraded. After the functional level of the cluster has been upgraded, it will offer SMB 3.1.1 to all clients.

Summary

Windows Server 2016 and Windows 10 include the SMB 3.1.1 protocol, which brings better security and additional features.

