I'm looking to disable older, vulnerable TLS/SSL cipher suites on my SMB file server. I've read that SMB 3 doesn't use Schannel since it has its own encryption stack, so disabling these older ciphers shouldn't affect access to file shares. Has anyone here had experience doing this?
4 Answers
It's smart to remove any cipher suites that aren't used. You might want to analyze your traffic to identify the ciphers in use before making changes. My experience, however, is that if there's an old machine connecting that hasn't been updated, it could be relying on those outdated ciphers.
You're right, SMB doesn't utilize Schannel. This means removing old ciphers is logical since they aren't even used. Just ensure that your network doesn’t have any older machines that might still be attempting to connect using outdated protocols.
I recommend using IIS Crypto for managing your cipher suites. It's a handy tool that simplifies the process of enabling or disabling them. Just be sure to verify that none of your active sessions rely on the ciphers you're planning to turn off.
I hear you on the need for caution. If your group policy is already enforcing SMB 3 and everyone is on it, that's a good start. Be careful, though! The server is handling different workloads, and any downtime should definitely be avoided. Just proceed methodically.
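The answers above all boil down to the same advice: inventory first, then remove. Below is an added PowerShell example (not code from any poster in this thread) that does that inventory on the file server itself: it lists the cipher suites Schannel currently offers, flags the ones that are weak by construction, confirms that SMB1 is off and shows which SMB dialect each active session negotiated, and then dry-runs the removal with `-WhatIf`. It assumes Windows Server 2016 or later (the `Get-TlsCipherSuite` / `Disable-TlsCipherSuite` cmdlets) run from an elevated session; the `$weakPattern` list is a constructed starting point, not a complete policy.

```powershell
# Added example, not from any poster in this thread.
# Pre-change inventory for a Schannel cipher suite cleanup on an SMB file server.
# Assumes: Windows Server 2016+ (TLS module), elevated PowerShell session.

# 1. What Schannel currently offers, in negotiation priority order.
$enabled = Get-TlsCipherSuite | Select-Object Name, Protocols, Cipher, Hash, Exchange
"Cipher suites currently enabled in Schannel:"
$enabled | Format-Table -AutoSize

# 2. Flag suites that are weak by construction (constructed pattern list:
#    RC4, 3DES, single DES, NULL and EXPORT suites). Extend to match your policy.
$weakPattern = 'RC4|3DES|_DES_|NULL|EXPORT'
$weak = $enabled | Where-Object { $_.Name -match $weakPattern }
"Weak suites currently enabled:"
$weak | Select-Object Name, Protocols | Format-Table -AutoSize

# 3. SMB does not go through Schannel, but confirm the legacy path is really gone:
#    SMB1 state, whether SMB encryption is enforced server-wide, and the dialect
#    negotiated by every session that is open right now.
$cfg = Get-SmbServerConfiguration
"SMB1 enabled: $($cfg.EnableSMB1Protocol)   SMB encryption required server-wide: $($cfg.EncryptData)"
"Active SMB sessions by negotiated dialect:"
Get-SmbSession | Group-Object Dialect | Select-Object Name, Count | Format-Table -AutoSize

# 4. Dry-run the removal. Disable-TlsCipherSuite takes the suite out of the
#    Schannel priority list; -WhatIf shows what would change without changing it.
foreach ($suite in $weak) {
    Disable-TlsCipherSuite -Name $suite.Name -WhatIf
}
```

Run it once before and once after the change and diff the two outputs. Because SMB 3 has its own encryption stack, the sessions in step 3 are not what the Schannel change affects; the services to regression-test are the ones that do terminate TLS through Schannel on that box (RDP, any HTTPS endpoint, LDAPS clients), and the dialect table is there only to catch the "old machine that hasn't been updated" case the first answer warns about. Drop `-WhatIf` in step 4 only once the active-session check in the third answer has come back clean.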

Could you link to any specific Microsoft documentation on this? I'm having trouble finding detailed info.