
We'd like to share files through a Win08R2 EC2 instance with clients (Windows 7 machines) through the default NFS (i.e. avoiding 3rd party software like Dropbox/Aws-s3 etc.).

Encryption at rest is unnecessary, however encryption during transport/transfer is very important. I've seen posts that Windows uses IPSEC. I just want to confirm it's used in the default Windows folder sharing (ex: \\w.x.y.z-onAWS\c$\users\public\sharedFolder).

HopelessN00b
user3645994

2 Answers


Windows does not use IPSec to encrypt SMB transfers. By default, SMB transfers are performed unencrypted.

With Server 2012 R2, there is an option for native SMB transfer encryption, though it's disabled by default, and not available on Server 2008 R2.

So, looks like it's time to get an upgraded version of Windows to serve those files from if you need to have natively-encrypted SMB transfers.

HopelessN00b
  • Hi - Thanks for your response, so to confirm there is no encryption 08R2<->Win7, however 12R2<->07 is capable of AES ? – user3645994 Jan 09 '15 at 19:38
  • @user3645994 That is correct. The linked article even contains instructions on server configurations to prevent SMB transfers to any clients incapable of SMB encryption (clients using v1.0 of the protocol, rather than v2.0), which I mention since you seem to be concerned about that possibility. – HopelessN00b Jan 09 '15 at 20:39
  • But you should be able to configure IPSEC tunneling in Windows Firewall (Connection Security Rules) - so all traffic between hosts (including SMB) will be encrypted. – Somescout Jan 10 '15 at 08:32
  • @Somescout This is true, and is actually what Microsoft does with their network, but it's not a recommended configuration. (Probably because it's too easy to screw up and result in exposing the traffic you thought was protected.) As such, I don't really feel comfortable recommending it to anyone. That said, if you want to expand on it (include details or links on how to do it), I believe it would make a perfectly valid answer to this question. – HopelessN00b Jan 10 '15 at 08:36
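The comment thread above mentions server settings that stop unencrypted clients from talking to an encrypted share. What follows is an added example, not code from the answer or from the thread, showing those settings in PowerShell on Windows Server 2012 R2 (the SmbShare cmdlets ship with the OS). The share name 'Public' is an assumption. One fact worth knowing before flipping these switches: SMB encryption is an SMB 3.0 feature, negotiated by Windows 8 / Server 2012 and later; a Windows 7 client speaks SMB 2.1 at most, so with RejectUnencryptedAccess in place it is refused outright rather than silently downgraded.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# session on Windows Server 2012 R2. Share name 'Public' is an assumption.

# Baseline: the three server-wide settings that matter for this question.
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol

# Option A: require encryption for a single share. Clients that cannot
# negotiate SMB 3.0 encryption are refused for this share only; other
# shares keep working in cleartext.
Set-SmbShare -Name 'Public' -EncryptData $true -Force

# Option B: require encryption for every share on this server.
Set-SmbServerConfiguration -EncryptData $true -Force

# Keep RejectUnencryptedAccess at $true (its default). Setting it to $false
# would let a pre-SMB3 client open an "encrypted" share in cleartext, which
# is exactly the downgrade the question is worried about.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# SMB1 has no encryption at all; turn it off so nothing can negotiate down
# to it. (Check for legacy clients/printers first; this is a hard cut-off.)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Verify: per-share flag and the server-wide flags after the change.
Get-SmbShare | Select-Object Name, Path, EncryptData
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol
```

Option A is the lower-risk rollout: you can encrypt the one share that carries sensitive data and watch which clients start failing before committing the whole server. Either way the protection lives in the SMB layer only, so it covers file transfers and nothing else on the wire.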

No, it is not enabled by default and it wasn't in the protocol until SMB3 and that's why HopelessN00b mentions 2012R2 encryption availability. However as Somescout mentioned you can force IPSec for any Windows to Windows connection you'd like.

There's no need to feel uncomfortable recommending it, unless you're recommending it as a VPN substitute, which is not because as HopelessN00b mentioned, there are traffic leaks (e.g. DNS).

If what you'd like to do is encrypt SMB transfers, IPSec encryption is a great solution and already available in your boxes. If you value confidentiality over availability, make sure you choose force and not prefer IPSec encryption between those boxes for port 445 :)

Pedro Perez
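The "force, not prefer" distinction in this answer maps directly onto the action keyword of a Windows Firewall connection security rule. The following is an added example, not part of the answer, built on netsh, which exists on Windows 7 and Server 2008 R2 as well as later versions, so it fits the 08R2 <-> Win7 pair in the question. The IP addresses, the rule name and the choice of Kerberos computer authentication (both machines in the same domain) are assumptions; without a shared domain the realistic alternative is auth1=computercert with a CA you control, since Microsoft's own guidance is to keep pre-shared keys out of production.

```powershell
# Added example, not code from the thread. Run from an elevated prompt on
# BOTH machines: a "require" rule with no matching peer simply makes TCP 445
# unreachable. Addresses and rule name are assumptions for illustration.

$serverPrivateIp = '10.0.0.10'    # assumed: address the EC2 instance sees on its NIC
$serverPublicIp  = '203.0.113.10' # assumed: Elastic IP the Windows 7 clients connect to

# --- On the Server 2008 R2 instance ---
# Require IPsec (ESP, AES-256 encryption, HMAC-SHA1 integrity) for all
# traffic to/from local TCP 445. 'requireinrequireout' is the "force" option;
# 'requestinrequestout' is "prefer" and falls back to cleartext whenever the
# peer does not answer IKE, which defeats the purpose here.
netsh advfirewall consec add rule name="Require IPsec for SMB" `
    endpoint1=$serverPrivateIp port1=445 endpoint2=any port2=any protocol=tcp `
    action=requireinrequireout auth1=computerkerb `
    qmsecmethods=esp:sha1-aes256+60min+100000kb

# --- On each Windows 7 client (mirror image, addressed to the public IP) ---
netsh advfirewall consec add rule name="Require IPsec for SMB" `
    endpoint1=any port1=any endpoint2=$serverPublicIp port2=445 protocol=tcp `
    action=requireinrequireout auth1=computerkerb `
    qmsecmethods=esp:sha1-aes256+60min+100000kb

# --- Verify (either side) after opening \\<server>\c$\users\public\... ---
# A quick-mode SA for the pair proves the SMB session is inside ESP; an empty
# list while the share still opens means you are on a "request" rule or the
# rule did not match and the transfer went out in cleartext.
netsh advfirewall consec show rule name="Require IPsec for SMB"
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Three things a defender checks around this rule. First, IKE has to reach the instance: the security group must allow UDP 500 and UDP 4500 (the Elastic IP is one-to-one NAT in front of the private address, so NAT traversal on UDP 4500 is what actually carries the ESP traffic). Second, the rule is scoped to TCP 445 only; if NetBIOS over TCP/IP is enabled on the server, an SMB session can also arrive on TCP 139, so either add a matching rule for 139 or disable NetBT on the instance. Third, this is precisely the "not a VPN substitute" case from the answer: DNS lookups, name resolution and everything else between the hosts still travel in cleartext unless you widen the endpoints and drop the port filters.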