I am enabling SMB encryption with:

Set-SmbServerConfiguration -EncryptData $true -Force

From a monitoring service, I want to verify that only encrypted connections are accepted. How can I attempt to make a non-encrypted connection (to see it get denied)?

I have tried connecting from an older version of Windows that doesn't support SMB3 encryption. That works, but my monitoring service runs on a recent OS.

I have considered disabling SMB3 on the machine, but that requires a reboot. I want something quick that doesn't have long-lasting side effects.

Jay Bazuzi

1 Answer

From your monitoring server, do:

$(Get-SmbServerConfiguration -CimSession RemoteComputer).EncryptData

If False, then fire alert.

Ryan Ries
  • Yeah, that is useful... but I was hoping for confirmation that non-encrypted connections actually fail, not just a way to check that the flag is set. – Jay Bazuzi Jul 24 '14 at 17:28
  • You sort of already shot down all the alternatives in your original question. You don't want to turn off SMBv3, you don't want to connect from a different SMB client other than an SMBv3-enabled Windows machine... you could write your own SMB emulator I guess. :P – Ryan Ries Jul 24 '14 at 22:21
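
A fuller version of the flag check from the answer, as an added example that is not code from either poster. It also reads RejectUnencryptedAccess (when that setting is false the server still accepts clients that cannot encrypt, even with EncryptData set) and counts live sessions on pre-3.0 dialects, which cannot be encrypted. The function name Test-SmbEncryptionEnforced is hypothetical, and RemoteComputer is the placeholder name used in the answer.

```powershell
# Added example: reports whether SMB encryption is enforced, not merely enabled.
function Test-SmbEncryptionEnforced {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )
    foreach ($name in $ComputerName) {
        $cim = $null
        # Fail closed: a server that cannot be queried is reported as not enforced.
        $result = [ordered]@{
            ComputerName            = $name
            EncryptData             = $null
            RejectUnencryptedAccess = $null
            LegacyDialectSessions   = $null
            Enforced                = $false
            Error                   = $null
        }
        try {
            $cim = New-CimSession -ComputerName $name -ErrorAction Stop
            $cfg = Get-SmbServerConfiguration -CimSession $cim -ErrorAction Stop

            # SMB encryption starts with dialect 3.0, so any 1.x or 2.x session
            # is an unencrypted connection the server accepted.
            # (A 3.x session is not proof of encryption by itself.)
            $legacy = @(Get-SmbSession -CimSession $cim -ErrorAction Stop |
                Where-Object { $_.Dialect -notmatch '^3' })

            $result.EncryptData             = $cfg.EncryptData
            $result.RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
            $result.LegacyDialectSessions   = $legacy.Count
            $result.Enforced = $cfg.EncryptData -and
                               $cfg.RejectUnencryptedAccess -and
                               ($legacy.Count -eq 0)
        }
        catch {
            $result.Error = $_.Exception.Message
        }
        finally {
            if ($cim) { Remove-CimSession -CimSession $cim }
        }
        [pscustomobject]$result
    }
}

# Alert on every server where enforcement cannot be confirmed.
Test-SmbEncryptionEnforced -ComputerName 'RemoteComputer' |
    Where-Object { -not $_.Enforced } |
    ForEach-Object { Write-Warning "SMB encryption not enforced on $($_.ComputerName): $($_.Error)" }
```

Get-SmbSession needs administrative rights on the target, so the monitoring account must have them or every server will be reported as not enforced.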