SMB security enhancements

Applies to: Windows Server 2012 R2, Windows Server 2012, Windows Server 2016

This topic explains the SMB security enhancements in Windows Server 2012 R2, Windows Server 2012, and Windows Server 2016.

SMB Encryption

SMB Encryption provides end-to-end encryption of SMB data and protects it from eavesdropping on untrusted networks. You can deploy SMB Encryption with minimal effort, but it may require small additional costs for specialized hardware or software. It has no requirements for Internet Protocol security (IPsec) or WAN accelerators. SMB Encryption can be configured on a per-share basis or for the entire file server, and it can be enabled for a variety of scenarios where data traverses untrusted networks.

Note

SMB Encryption does not cover security at rest, which is typically handled by BitLocker Drive Encryption.

SMB Encryption should be considered for any scenario in which sensitive data needs to be protected from man-in-the-middle attacks. Possible scenarios include:

  • An information worker's sensitive data is moved by using the SMB protocol. SMB Encryption offers end-to-end privacy and integrity assurance between the file server and the client, regardless of the networks traversed, such as wide area network (WAN) connections that are maintained by non-Microsoft providers.
  • SMB 3.0 enables file servers to provide continuously available storage for server applications, such as SQL Server or Hyper-V. Enabling SMB Encryption provides an opportunity to protect that information from snooping attacks. SMB Encryption is simpler to use than the dedicated hardware solutions that are required for most storage area networks (SANs).

Important

Note that any end-to-end encryption protection carries a notable performance cost when compared with unencrypted access.

Enable SMB Encryption

You can enable SMB Encryption for the entire file server or only for specific file shares. Use one of the following procedures to enable SMB Encryption:

Enable SMB Encryption with Windows PowerShell

  1. To enable SMB Encryption for an individual file share, type the following script on the server:

    Set-SmbShare -Name <sharename> -EncryptData $true

  2. To enable SMB Encryption for the entire file server, type the following script on the server:

    Set-SmbServerConfiguration -EncryptData $true

  3. To create a new SMB file share with SMB Encryption enabled, type the following script:

    New-SmbShare -Name <sharename> -Path <pathname> -EncryptData $true
    

Enable SMB Encryption with Server Manager

  1. In Server Manager, open File and Storage Services.
  2. Select Shares to open the Shares management page.
  3. Right-click the share on which you want to enable SMB Encryption, and then select Properties.
  4. On the Settings page of the share, select Encrypt data access. Remote file access to this share is now encrypted.

Considerations for deploying SMB Encryption

By default, when SMB Encryption is enabled for a file share or server, only SMB 3.0 clients are allowed to access the specified file shares. This enforces the administrator's intent of safeguarding the data for all clients that access the shares. However, in some circumstances, an administrator may want to allow unencrypted access for clients that do not support SMB 3.0 (for example, during a transition period when mixed client operating system versions are being used). To allow unencrypted access for clients that do not support SMB 3.0, type the following script in Windows PowerShell:

Set-SmbServerConfiguration -RejectUnencryptedAccess $false

The secure dialect negotiation capability described in the next section prevents a man-in-the-middle attack from downgrading a connection from SMB 3.0 to SMB 2.0 (which would use unencrypted access). However, it does not prevent a downgrade to SMB 1.0, which would also result in unencrypted access. To guarantee that SMB 3.0 clients always use SMB Encryption to access encrypted shares, you must disable the SMB 1.0 server. (For instructions, see the section Disabling SMB 1.0.) If the -RejectUnencryptedAccess setting is left at its default value of $true, only encryption-capable SMB 3.0 clients are allowed to access the file shares (SMB 1.0 clients will also be rejected).

Note

  • SMB Encryption uses the Advanced Encryption Standard (AES)-CCM algorithm to encrypt and decrypt the data. AES-CCM also provides data integrity validation (signing) for encrypted file shares, regardless of the SMB signing settings. If you want to enable SMB signing without encryption, you can continue to do this. For more information, see The Basics of SMB Signing.
  • You may encounter issues when you attempt to access the file share or server if your organization uses wide area network (WAN) acceleration appliances.
  • With the default configuration (where no unencrypted access is allowed to encrypted file shares), if a client that does not support SMB 3.0 attempts to access an encrypted file share, Event ID 1003 is logged to the Microsoft-Windows-SmbServer/Operational event log, and the client receives an Access denied error message.
  • SMB Encryption and the Encrypting File System (EFS) in the NTFS file system are unrelated, and SMB Encryption does not require or depend on using EFS.
  • SMB Encryption and BitLocker Drive Encryption are unrelated, and SMB Encryption does not require or depend on using BitLocker Drive Encryption.
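The following script is an added example (not part of the original article) that checks a file server against the settings described in the procedure and considerations above: the server-wide EncryptData, RejectUnencryptedAccess and EnableSMB1Protocol values, the shares that are still unencrypted, and recent 1001/1003/1005 events from the Microsoft-Windows-SmbServer/Operational log. It assumes the SmbShare cmdlets are available (Windows Server 2012 or later) and that it is run as an administrator.

```powershell
# Added example: audit a file server's SMB Encryption posture.
# Assumes Windows Server 2012 or later, run from an elevated PowerShell session.

$config = Get-SmbServerConfiguration

# Server-wide settings that decide whether unencrypted or SMB 1.0 clients get in.
$serverFindings = @()
if (-not $config.RejectUnencryptedAccess) {
    $serverFindings += 'RejectUnencryptedAccess is $false: unencrypted clients may reach encrypted shares.'
}
if ($config.EnableSMB1Protocol) {
    $serverFindings += 'SMB 1.0 server is enabled: secure dialect negotiation cannot stop a downgrade to SMB 1.0.'
}
if (-not $config.EncryptData) {
    $serverFindings += 'Server-wide EncryptData is $false: only shares with EncryptData set are protected.'
}

# Per-share view: shares without EncryptData, ignoring the built-in administrative shares.
$unencryptedShares = Get-SmbShare |
    Where-Object { -not $_.Special -and -not $_.EncryptData } |
    Select-Object Name, Path, EncryptData

# Evidence from the SMB server log for the last 7 days:
#   1003 = client without SMB 3.0 rejected by an encrypted share
#   1005 = dialect/capability downgrade attempt detected
#   1001 = client refused because the SMB 1.0 server is disabled
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SmbServer/Operational'
    Id        = 1001, 1003, 1005
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{n = 'EventId'; e = { $_.Name } }, Count

# Single summary object; pipe it to Format-List or Export-Clixml as needed.
[pscustomobject]@{
    EncryptData             = $config.EncryptData
    RejectUnencryptedAccess = $config.RejectUnencryptedAccess
    EnableSMB1Protocol      = $config.EnableSMB1Protocol
    Findings                = $serverFindings
    UnencryptedShares       = $unencryptedShares
    EventsLast7Days         = $events
}
```

An empty Findings list together with an empty UnencryptedShares list is the state the considerations above aim for; a non-zero 1005 count is the detection signal for the downgrade attempts described in the next section.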

Secure dialect negotiation

SMB 3.0 is capable of detecting man-in-the-middle attacks that attempt to downgrade the SMB 2.0 or SMB 3.0 protocol or the capabilities that the client and server negotiate. When such an attack is detected by the client or the server, the connection is disconnected and event ID 1005 is logged in the Microsoft-Windows-SmbServer/Operational event log. Secure dialect negotiation cannot detect or prevent downgrades from SMB 2.0 or 3.0 to SMB 1.0. Because of this, and to take advantage of the full capabilities of SMB Encryption, we strongly recommend that you disable the SMB 1.0 server. For more information, see Disabling SMB 1.0.

For more information on potential issues with earlier non-Windows implementations of SMB, see the Microsoft Knowledge Base.

New signing algorithm

SMB 3.0 uses a more recent algorithm for signing: Advanced Encryption Standard (AES) cipher-based message authentication code (AES-CMAC). SMB 2.0 used the older HMAC-SHA256 algorithm. AES-CMAC and AES-CCM can significantly accelerate data encryption and signing on most modern CPUs that have AES instruction support. For more information, see The Basics of SMB Signing.

Disabling SMB 1.0

The legacy computer browser service and Remote Administration Protocol features in SMB 1.0 are now separate, and they can be eliminated. These features are still enabled by default, but if you do not have older SMB clients, such as computers running Windows Server 2003 or Windows XP, you can remove the SMB 1.0 features to increase security and potentially reduce patching.

Note

SMB 2.0 was introduced in Windows Server 2008 and Windows Vista. Older clients, such as computers running Windows Server 2003 or Windows XP, do not support SMB 2.0; therefore, they will not be able to access file shares or print shares if the SMB 1.0 server is disabled. In addition, some non-Microsoft SMB clients may not be able to access SMB 2.0 file shares or print shares (for example, printers with "scan-to-share" functionality).

Before you start disabling SMB 1.0, you need to find out whether any of your SMB clients are currently connected to the server using SMB 1.0. To do this, enter the following cmdlet in Windows PowerShell:

Get-SmbSession | Select Dialect,ClientComputerName,ClientUserName | ? Dialect -lt 2

Note

You should run this script repeatedly over the course of a week (multiple times each day) to build an audit trail. You could also run it as a scheduled task.
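The following is an added example (not part of the original article) of turning the session check above into the week-long audit trail the note recommends: each run appends the SMB 1.0 sessions it finds, with a timestamp, to a CSV, and the same check is registered as a scheduled task that repeats every 4 hours for 7 days. The CSV path, task name and schedule are assumptions; adjust them for your environment.

```powershell
# Added example: build an audit trail of SMB 1.0 sessions before disabling SMB 1.0.
# Assumptions: the SmbShare and ScheduledTasks modules are available (Windows Server 2012
# or later), the session runs elevated, and the path/task name below suit your server.

$logPath  = 'C:\SmbAudit\smb1-sessions.csv'   # assumed location for the audit CSV
$taskName = 'Audit-Smb1Sessions'               # assumed scheduled task name

function Write-Smb1SessionAudit {
    param([string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $now  = Get-Date
    # Same filter as the article's one-liner, with a timestamp column added per run.
    $rows = Get-SmbSession |
        Where-Object { $_.Dialect -lt 2 } |
        Select-Object @{n = 'Timestamp'; e = { $now } },
                      Dialect, ClientComputerName, ClientUserName
    if ($rows) {
        $rows | Export-Csv -Path $Path -Append -NoTypeInformation
    }
    return $rows
}

# One immediate run so the trail starts now; the returned rows are the current SMB 1.0 sessions.
Write-Smb1SessionAudit -Path $logPath

# Register the same check to run every 4 hours for the next 7 days as SYSTEM.
$command = "Get-SmbSession | Where-Object { `$_.Dialect -lt 2 } | " +
           "Select-Object @{n='Timestamp';e={Get-Date}},Dialect,ClientComputerName,ClientUserName | " +
           "Export-Csv -Path '$logPath' -Append -NoTypeInformation"
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$command`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
               -RepetitionInterval (New-TimeSpan -Hours 4) `
               -RepetitionDuration (New-TimeSpan -Days 7)
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
```

After the week, an empty CSV (or one that names only clients you have already migrated) is the evidence you want before running the disable command below; unregister the task with Unregister-ScheduledTask once SMB 1.0 is off.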

To disable SMB 1.0, enter the following script in Windows PowerShell:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Note

If an SMB client connection is denied because the SMB 1.0 server has been disabled, event ID 1001 is logged in the Microsoft-Windows-SmbServer/Operational event log.

More information

Here are some additional resources about SMB and related technologies in Windows Server 2012.