4

SMB 3 offers an option to enable encryption. Does that mean it would be a possible option to let people use SMB over the internet, or are there other aspects of SMB that cannot be secured? What extra security measures would I have to take to make that secure enough?

I know there are VPN solutions to offer SMB, but I'd like to find a way to offer a network share without the need for SSL-VPN.

Falcon Momot
user207123
  • What about remote desktop? I personally wouldn't let SMB anywhere near the internet, encrypted or not. – NickW Jan 28 '14 at 11:11
  • I know Remote desktop is possible and it is an option which we offer now. The question was just if and how it is possible with SMB 3 encryption. – gert_78 Jan 28 '14 at 15:07

2 Answers

2

SMB 3 is a pretty new protocol. I'd be hard-pressed to recommend running it "naked" over the Internet until it has had a few more years of attackers and security researchers banging on it.

Evan Anderson
  • That's right. That's why I am in doubt. I was just wondering immediately if it would be safe to run it over the internet but not many people seem to know. I thought at first that was the reason MS had introduced the feature. It would be great if you could do that in a safe way. – gert_78 Jan 29 '14 at 12:36
  • Oh, I think it's a good feature, but there isn't going to be a boolean "safe / not safe" answer. I think it is reasonable to say that SMB (3 or any prior version) has never been pitched by Microsoft as an Internet-facing protocol, but more as a LAN/WAN protocol for use "behind the firewall". I'd love to see if the threat model used to design the SMB 3 protocol security architecture included Internet-facing uses. – Evan Anderson Jan 29 '14 at 12:46
0

Currently Microsoft is offering SMB 3.0 with Azure Files services. So in some situations, it could be said that SMBv3 is secure. But if you are considering exposing your file server over the Internet, think about other risks: password guessing attacks, client support...