Protocol (Smb) Encryption And Signing - EMC Unity Family Security Configuration Manual

Communication Security

Protocol (SMB) encryption and signing

EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide
46
Note
You cannot change the management IP address when both of the Storage Processors
(SP) are in Service mode.
After you run the Connection Utility and transfer the configuration to your storage
system, you can connect to the storage system through a web browser using the IP
address that you assigned to the storage system management interface.
The first time you connect to the storage system, the storage system Initial
Configuration Wizard starts. The Initial Configuration Wizard lets you set up the initial
configuration of the storage system so that you can start to create storage resources.
Note
For more information concerning the Connection Utility, see the Unity Series
Installation Guide .
SMB 3.0 and Windows 2012 support on the storage system provides SMB encryption
for those hosts capable of using SMB. SMB Encryption provides secure access to data
on SMB file shares. This encryption provides security to data on untrusted networks,
that is, it provides end-to-end encryption of SMB data sent between the array and the
host. The data is protected from eavesdropping/snooping attacks on untrusted
networks.
SMB Encryption can be configured for each share. Once a share is defined as
encrypted, any SMB3 client must encrypt all its requests related to the share;
otherwise, access to the share will be denied.
To enable SMB Encryption, you either set the Protocol Encryption option in the
advanced SMB share properties in Unisphere or set it through the create and set
CLI commands for SMB shares. There is no setting required on the SMB client.
Note
For more information about setting SMB encryption, refer to the Unisphere online help
and the Unisphere Command Line Interface User Guide .
SMB also provides data integrity validation (signing). This mechanism ensures that
packets have not been intercepted, changed, or replayed. SMB signing adds a
signature to every packet and guarantees that a third party has not changed the
packets.
To use SMB signing, the client and the server in a transaction must have SMB signing
enabled. By default, Windows Server domain controllers require that the clients use
SMB signing. For Windows Server domains (Windows 2000 and later), SMB signing is
set by using a group policy object (GPO) policy. For Windows XP, GPO services for
SMB signing are not available; you must use the Windows Registry settings.
Note
Configuring SMB signing through GPOs affects all clients and servers within the
domain and overrides individual Registry settings. Refer to Microsoft's security
documentation for detailed information about enabling and configuring SMB signing.