# Editing SMB settings for a gateway

Gateway-level SMB settings let you configure the security strategy, Active Directory authentication, guest access, local group permissions, and file share visibility for the SMB file shares on a gateway.

**To edit gateway level SMB settings**

1. Open the Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home](https://console.aws.amazon.com/storagegateway/).

1. Choose **Gateways**, then choose the gateway for which you want to edit SMB settings.

1. From the **Actions** dropdown menu, choose **Edit SMB settings**, then choose the settings you want to edit.

This section contains the following topics, which provide additional information and procedures related to configuring each of the individual SMB settings for your gateway.

**Topics**
+ [Set gateway security level](security-strategy.md) - Learn how to set a security level to specify connection requirements such as Server Message Block (SMB) signing and encryption, and whether to allow connections from SMB version 1 clients.
+ [Configure Active Directory authentication](enable-ad-settings.md) - Learn how to configure your corporate Active Directory or AWS Managed Microsoft AD for user authenticated access to your SMB file share.
+ [Provide guest access](guest-access.md) - Learn how to configure your gateway to allow guest access for any user that provides the correct guest account username and password.
+ [Configure local groups](local-group-settings.md) - Learn how to configure local groups to grant Active Directory users special file share permissions.
+ [Set file share visibility](file-share-visibility.md) - Learn how to specify whether the shares on a gateway are visible when listing shares to users.

# Set a security level for your gateway

By using an S3 File Gateway, you can specify a security level for your gateway. By specifying this security level, you can set whether your gateway should require Server Message Block (SMB) signing or SMB encryption, or whether you want to allow SMB version 1.

**To configure security level**

1. Open the Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home](https://console.aws.amazon.com/storagegateway/).

1. Choose **Gateways**, then choose the gateway for which you want to edit SMB settings.

1. From the **Actions** dropdown menu, choose **Edit SMB settings**, then choose **SMB security settings**.

1. For **Security level**, choose one of the following:
**Note**  
For information about configuring this setting using the AWS API, see [UpdateSMBSecurityStrategy](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_UpdateSMBSecurityStrategy.html) in the *AWS Storage Gateway API Reference*.  
A higher security strategy level can affect performance of the gateway.
   + **Enforce AES256 encryption** – If you choose this option, S3 File Gateway only allows connections from SMBv3 clients that use 256-bit AES encryption algorithms. 128-bit algorithms are not allowed. This option is recommended for environments that handle sensitive data. It works with all current SMB clients on Microsoft Windows.
   + **Enforce encryption** – If you choose this option, S3 File Gateway only allows connections from SMBv3 clients that have encryption turned on. Both 256-bit and 128-bit algorithms are allowed. This option is recommended for environments that handle sensitive data. It works with all current SMB clients on Microsoft Windows.
   + **Enforce signing** – If you choose this option, S3 File Gateway only allows connections from SMBv2 or SMBv3 clients that have signing turned on. This option works with all current SMB clients on Microsoft Windows. 
   + **Client negotiated** – If you choose this option, requests are established based on what is negotiated by the client. This option is recommended when you want to maximize compatibility across different clients in your environment.
**Note**  
For gateways activated before June 20, 2019, the default security level is **Client negotiated**.  
For gateways activated on June 20, 2019 and later, the default security level is **Enforce encryption**.

1. Choose **Save**.
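The following is an added example, not code from AWS or this guide. It checks a gateway's SMB settings against the guidance above: it maps the `UpdateSMBSecurityStrategy` API values to the console labels, flags the **Client negotiated** level (which places no requirement on signing, encryption or SMB version), and notes when a guest password is set or the gateway has never joined a domain. It assumes the field names of the `DescribeSMBSettings` API response; the sample response is constructed.

```python
"""Audit a gateway's SMB settings against the security-level guidance."""
from typing import Dict, List

# API value -> console label (assumed from the UpdateSMBSecurityStrategy reference).
STRATEGY_LABELS = {
    "ClientSpecified": "Client negotiated",
    "MandatorySigning": "Enforce signing",
    "MandatoryEncryption": "Enforce encryption",
    "MandatoryEncryptionNoAes128": "Enforce AES256 encryption",
}


def audit_smb_settings(settings: Dict, handles_sensitive_data: bool) -> List[str]:
    """Return findings for one DescribeSMBSettings response; empty means nothing to flag."""
    findings: List[str] = []
    strategy = settings.get("SMBSecurityStrategy")
    if strategy not in STRATEGY_LABELS:
        findings.append(f"unrecognised security strategy {strategy!r}")
    elif strategy == "ClientSpecified":
        # Client negotiated accepts whatever the client offers: SMBv1, unsigned
        # and unencrypted sessions are all allowed.
        findings.append("Client negotiated: SMBv1 and unsigned/unencrypted sessions are allowed")
    elif strategy == "MandatorySigning" and handles_sensitive_data:
        findings.append("Enforce signing protects integrity only; Enforce encryption is "
                        "recommended for sensitive data")
    if settings.get("SMBGuestPasswordSet"):
        findings.append("guest password is set: guest-access shares can be created on this gateway")
    if settings.get("ActiveDirectoryStatus") == "DETACHED":  # API spelling assumed
        findings.append("gateway has never joined a domain: no user-authenticated access")
    return findings


def fetch_settings(gateway_arn: str) -> Dict:
    """Fetch live settings with boto3 (not used by the offline sample below)."""
    import boto3
    return boto3.client("storagegateway").describe_smb_settings(GatewayARN=gateway_arn)


# Constructed sample shaped like a DescribeSMBSettings response.
SAMPLE_SETTINGS = {
    "GatewayARN": "arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-EXAMPLE",
    "DomainName": "corp.example.com",
    "ActiveDirectoryStatus": "JOINED",
    "SMBGuestPasswordSet": True,
    "SMBSecurityStrategy": "ClientSpecified",
    "FileSharesVisible": True,
}

if __name__ == "__main__":
    for finding in audit_smb_settings(SAMPLE_SETTINGS, handles_sensitive_data=True):
        print(f"- {finding}")
```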

# Use Active Directory to authenticate users

To use your corporate Active Directory or AWS Managed Microsoft AD for user authenticated access to your SMB file share, edit the SMB settings for your gateway with your Microsoft AD domain credentials. Doing this allows your gateway to join your Active Directory domain and allows members of the domain to access the SMB file share.

**Note**  
Using Directory Service, you can create a hosted Active Directory domain service in the AWS Cloud.  
To use AWS Managed Microsoft AD with an Amazon EC2 gateway, you must create the Amazon EC2 instance in the same VPC as the AWS Managed Microsoft AD, add the \$1workspaceMembers security group to the Amazon EC2 instance, and join the AD domain using the Admin credentials from the AWS Managed Microsoft AD.  
For more information about AWS Managed Microsoft AD, see [AWS Managed Microsoft AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html) in the *AWS Directory Service Administration Guide*.  
For more information about Amazon EC2, see the [Amazon EC2 documentation](https://docs.aws.amazon.com/ec2/).

You can also activate access control lists (ACLs) on your SMB file share. For information about how to activate ACLs, see [Using Windows ACLs to limit SMB file share access](smb-acl.md).

**To turn on Active Directory authentication**

1. Open the Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home](https://console.aws.amazon.com/storagegateway/).

1. Choose **Gateways**, then choose the gateway for which you want to edit SMB settings.

1. From the **Actions** drop-down menu, choose **Edit SMB settings**, then choose **Active Directory settings**.

1. For **Domain name**, enter the name of the Active Directory domain you want your gateway to join.
**Note**  
**Active Directory status** shows **Detached** when a gateway has never joined a domain.  
Your Active Directory service account must have the requisite permissions. For more information, see [Active Directory service account permission requirements](https://docs.aws.amazon.com/filegateway/latest/files3/ad-serviceaccount-permissions.html).  
Joining a domain creates an Active Directory computer account in the default computers container (which is not an OU), using the gateway's **Gateway ID** as the account name (for example, SGW-1234ADE). It is not possible to customize the name of this account.  
If your Active Directory environment requires that you pre-stage accounts to facilitate the join domain process, you will need to create this account ahead of time.  
If your Active Directory environment has a designated OU for new computer objects, you must specify that OU when joining the domain.  
If your gateway can't join an Active Directory domain, try joining with the directory's IP address by using the [JoinDomain](https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_JoinDomain.html) API operation.

1. For **Domain user** and **Domain password**, enter the credentials for the Active Directory service account that the gateway will use to join the domain.

1. (Optional) For **Organization unit (OU)**, enter the designated OU that your Active Directory uses for new computer objects.

1. (Optional) For **Domain controller(s) (DC)**, enter the name of one or more DCs through which your gateway will connect to Active Directory. You can enter multiple DCs as a comma-separated list. You can leave this field blank to allow DNS to automatically select a DC.

1. Choose **Save changes**.

**To limit file share access to specific AD users and groups**

1. In the Storage Gateway console, choose the file share that you want to limit access to.

1. From the **Actions** drop-down menu, choose **Edit file share access settings**.

1. In the **User and group file share access** section, choose your settings.

   For **Allowed users and groups**, choose **Add allowed user** or **Add allowed group** and enter an AD user or group that you want to allow file share access. Repeat this process to allow as many users and groups as necessary.

   For **Denied users and groups**, choose **Add denied user** or **Add denied group** and enter an AD user or group that you want to deny file share access. Repeat this process to deny as many users and groups as necessary.
**Note**  
The **User and group file share access** section appears only if **Active Directory** is selected.  
Groups must be prefixed with the `@` character. Acceptable formats include: `DOMAIN\User1`, `user1`, `@group1`, and `@DOMAIN\group1`.  
If you configure **Allowed and Denied Users and Groups** lists, then Windows ACLs will not grant any access that overrides those lists.  
The **Allowed and Denied Users and Groups** lists are evaluated before ACLs, and control which users can mount or access the file share. If any users or groups are placed on the **Allowed** list, the list is considered active, and only those users can mount the file share.  
After a user has mounted a file share, ACLs then provide more granular protection that controls which specific files or folders the user can access. For more information, see [Activating Windows ACLs on a new SMB file share](https://docs.aws.amazon.com/filegateway/latest/files3/smb-acl.html#enable-acl-new-fileshare).

1. When you finish adding your entries, choose **Save**.
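The following is an added example, not code from AWS or this guide. It parses entries in the formats the note above accepts (`DOMAIN\User1`, `user1`, `@group1`, `@DOMAIN\group1`) and applies the mount-time rule the note describes: a non-empty **Allowed** list is active and admits only its members, and ACLs only come into play afterwards. Two points the page does not state are assumptions: matching is case-insensitive, and a principal that matches a **Denied** entry is refused even if an **Allowed** entry also matches.

```python
"""Evaluate Allowed/Denied users-and-groups lists for an SMB file share."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Entry:
    is_group: bool
    domain: Optional[str]  # None when the entry carries no DOMAIN\ prefix
    name: str


def parse_entry(text: str) -> Entry:
    """Parse one list entry; groups must carry the @ prefix."""
    text = text.strip()
    if not text:
        raise ValueError("empty entry")
    is_group = text.startswith("@")
    body = text[1:] if is_group else text
    domain, sep, name = body.rpartition("\\")
    if not name or (sep and not domain):
        raise ValueError(f"malformed entry: {text!r}")
    return Entry(is_group, domain.lower() if sep else None, name.lower())


@dataclass
class Principal:
    domain: str
    user: str
    groups: Set[str] = field(default_factory=set)  # bare group names in the same domain


def _matches(entry: Entry, p: Principal) -> bool:
    # Assumption: case-insensitive comparison; an entry without a domain matches any domain.
    if entry.domain is not None and entry.domain != p.domain.lower():
        return False
    if entry.is_group:
        return entry.name in {g.lower() for g in p.groups}
    return entry.name == p.user.lower()


def can_mount(p: Principal, allowed: List[str], denied: List[str]) -> Tuple[bool, str]:
    """Decide whether the principal may mount the share, before any ACL is consulted."""
    allow = [parse_entry(e) for e in allowed]
    deny = [parse_entry(e) for e in denied]
    if any(_matches(e, p) for e in deny):
        return False, "matched a Denied entry"  # assumption: deny wins over allow
    if allow and not any(_matches(e, p) for e in allow):
        return False, "Allowed list is active and does not include this principal"
    return True, "may mount; Windows ACLs then govern individual files and folders"
```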

# Provide guest access to your file share

You can configure your S3 File Gateway to allow guest access for any user that is able to provide the correct guest account username and password. If you want this to be the only method by which users can access your file gateway, then you do not need to join the gateway to a Microsoft Active Directory domain. You can also use this guest access method to create file shares on an S3 File Gateway that is a member of an Active Directory domain.

When you configure a file share to use the **Guest Access** authentication method, the guest access username is `smbguest`. Before you can create a file share using guest access, you need to change the default password for the `smbguest` user.

You can use the following procedure to change the password for the guest user `smbguest`.

**To change the guest access password**

1. Open the Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home](https://console.aws.amazon.com/storagegateway/).

1. Choose **Gateways** from the navigation pane on the left side of the console page, and then choose the **Name** of the gateway for which you want to provide guest access.

1. From the **Actions** drop-down menu, choose **Edit SMB settings**, and then choose **Guest access settings**.

1. For **Guest password**, enter the guest access password you want to set, and then choose **Save changes**.

# Configure local groups for your gateway

Local Group settings allow you to grant Active Directory users or groups special permissions for the SMB file shares on your gateway.

You can use Local Group settings to assign Gateway Admin permissions. Gateway Admins can use the Shared Folders Microsoft Management Console snap-in to force-close files that are open and locked.

**Note**  
You must add at least one Gateway Admin user or group before you can join your gateway to an Active Directory domain.

**To assign Gateway Admins**

1. Open the Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home](https://console.aws.amazon.com/storagegateway/).

1. Choose **Gateways**, then choose the gateway for which you want to edit SMB settings.

1. From the **Actions** dropdown menu, choose **Edit SMB settings**, then choose **Local Group settings**.

1. In the **Local Group settings** section, choose your settings. This section appears only for file shares that use Active Directory.

   For **Gateway Admins**, add Active Directory users and groups that you want to grant local Gateway Admin permissions. Add one user or group per line, including the domain name. For example, **corp\Domain Admins**. To create additional lines, choose **Add new Gateway Admin**.
**Note**  
Editing Gateway Admins disconnects and reconnects all SMB file shares.

1. Choose **Save changes**, then choose **Proceed** to acknowledge the warning message that appears.

# Set file share visibility

File share visibility controls whether the shares on a gateway are visible when listing shares to users, such as in a `net view` listing or a browse list. If the file shares on a gateway are visible, then clients can easily discover the shares using a file browser if they know the gateway IP address or DNS name. If the file shares are not visible, then clients need to know the file share name in addition to the gateway IP address or DNS name to be able to discover the shares.

**Note**  
This setting is not an effective method for securing access to the file shares in your deployment. For security, we recommend configuring permissions to limit access to specific users and groups. For instructions, see [Limit user and group access for your SMB file share](https://docs.aws.amazon.com/filegateway/latest/files3/edit-file-share-access-smb.html).

**To set file share visibility**

1. Open the Storage Gateway console at [https://console.aws.amazon.com/storagegateway/home](https://console.aws.amazon.com/storagegateway/).

1. Choose **Gateways**, then choose the gateway for which you want to edit SMB settings.

1. From the **Actions** drop-down menu, choose **Edit SMB settings**, then choose **File share visibility settings**.

1. For **Visibility status**, select the check box if you want the shares on this gateway to appear when the gateway lists shares to users. Keep the check box cleared if you do not want the shares on this gateway to appear when the gateway lists shares to users.