#
# ----------------------------
# XSD SCHEMA DEFINITION
# ----------------------------
#

#
# -----------------------------
# SCHEMATRON RULES DEFINITION
# -----------------------------
#

#
# -----------------------------
# TRANSLATIONS DEFINITION
# -----------------------------
#
data _system_translations
{
ConvertFrom-StringData @'
# check SMB lanmanserver service startup type
LanmanServerStartupTypeCheck_Title=The Server service should be set to start automatically
LanmanServerStartupTypeCheck_Problem=The Server service is not set to start automatically.
LanmanServerStartupTypeCheck_Impact=Unless an administrator manually starts the Server service each time the server restarts, client computers will not be able to access shared folders and other Server Message Block (SMB)-based network services on this server.
LanmanServerStartupTypeCheck_Resolution=Set the Server service to start automatically.
LanmanServerStartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Srv.sys startup type
SrvStartupTypeCheck_Title=Srv.sys should be set to start on demand
SrvStartupTypeCheck_Problem=Srv.sys is not set to start on demand.
SrvStartupTypeCheck_Impact=Client computers will not be able to access file shares and other Server Message Block (SMB)-based network services on this computer.
SrvStartupTypeCheck_Resolution=Set Srv.sys to start on demand.
SrvStartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Srv2.sys startup type
Srv2StartupTypeCheck_Title=Srv2.sys should be set to start on demand
Srv2StartupTypeCheck_Problem=Srv2.sys is not set to start on demand.
Srv2StartupTypeCheck_Impact=Client computers will not be able to access file shares and other Server Message Block (SMB)-based network services on this computer.
Srv2StartupTypeCheck_Resolution=Set Srv2.sys to start on demand.
Srv2StartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Srvnet.sys startup type
SrvnetStartupTypeCheck_Title=Srvnet.sys should be set to start on demand
SrvnetStartupTypeCheck_Problem=Srvnet.sys is not set to start on demand.
SrvnetStartupTypeCheck_Impact=Client computers will not be able to access file shares and other Server Message Block (SMB)-based network services on this computer.
SrvnetStartupTypeCheck_Resolution=Set Srvnet.sys to start on demand.
SrvnetStartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Smb Witness Service startup type
SmbWitnessStartupTypeCheck_Title=The SMB Witness service should be set to start on demand
SmbWitnessStartupTypeCheck_Problem=The SMB Witness service is not set to start on demand.
SmbWitnessStartupTypeCheck_Impact=If the Witness service does not start on demand (or automatically), client computers will not be able to register for notification of failover cluster events, which may increase the time it takes for client computers to reconnect after a failover event.
SmbWitnessStartupTypeCheck_Resolution=Set the SMB Witness service to start on demand.
SmbWitnessStartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check ResumeKeyFilter.sys startup type
ResumeKeyFilterStartupTypeCheck_Title=ResumeKeyFilter.sys should be set to start automatically
ResumeKeyFilterStartupTypeCheck_Problem=ResumeKeyFilter.sys is not set to start automatically.
ResumeKeyFilterStartupTypeCheck_Impact=If the Resume Key Filter is not set to start automatically, client computers will not be able to transparently reconnect to continuously available file shares after a cluster failover event, which may cause application errors and require administrative intervention.
ResumeKeyFilterStartupTypeCheck_Resolution=Set ResumeKeyFilter.sys to start automatically.
ResumeKeyFilterStartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Workstation service startup type
WorkStationServiceStartupTypeCheck_Title=The WorkStation service should be set to start automatically
WorkStationServiceStartupTypeCheck_Problem=The WorkStation service is not set to start automatically.
WorkStationServiceStartupTypeCheck_Impact=Unless an administrator manually starts the Workstation service each time the computer starts, the computer will not be able to access file shares and other Server Message Block (SMB)-based network services on other computers.
WorkStationServiceStartupTypeCheck_Resolution=Set the WorkStation service to start automatically.
WorkStationServiceStartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Mrxsmb20.sys startup type
Mrxsmb20StartupTypeCheck_Title=Mrxsmb20.sys should be set to start on demand
Mrxsmb20StartupTypeCheck_Problem=Mrxsmb20.sys is not set to start on demand.
Mrxsmb20StartupTypeCheck_Impact=The computer will not be able to access file shares and other Server Message Block (SMB)-based network services on other computers.
Mrxsmb20StartupTypeCheck_Resolution=Set Mrxsmb20.sys to start on demand.
Mrxsmb20StartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Rdbss.sys startup type
RdbssStartupTypeCheck_Title=Rdbss.sys should be set to system start
RdbssStartupTypeCheck_Problem=Rdbss.sys is not set to system start.
RdbssStartupTypeCheck_Impact=The computer will not be able to access file shares and other Server Message Block (SMB)-based network services on other computers.
RdbssStartupTypeCheck_Resolution=Set Rdbss.sys to system start.
RdbssStartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Mup.sys startup type
MupStartupTypeCheck_Title=Mup.sys should be set to boot start
MupStartupTypeCheck_Problem=Mup.sys is not set to boot start.
MupStartupTypeCheck_Impact=The computer will not be able to access file shares and other Server Message Block (SMB)-based network services on other computers.
MupStartupTypeCheck_Resolution=Set Mup.sys to boot start.
MupStartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check SmbDirect.sys startup type
SmbDirectStartupTypeCheck_Title=SmbDirect.sys should be set to start on demand
SmbDirectStartupTypeCheck_Problem=SmbDirect.sys is not set to start on demand.
SmbDirectStartupTypeCheck_Impact=If the SMB Direct service does not start on demand (or automatically), client computers will not be able to use SMB over RDMA, which is available with specific Network Interfaces that support RDMA.
SmbDirectStartupTypeCheck_Resolution=Set SmbDirect.sys to start on demand.
SmbDirectStartupTypeCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check SMB lanmanserver service status
LanmanServerStatusCheck_Title=The Server service should be running
LanmanServerStatusCheck_Problem=The Server service is not running.
LanmanServerStatusCheck_Impact=Unless Server service is running, client computers will not be able to access shared folders and other Server Message Block (SMB)-based network services on this server.
LanmanServerStatusCheck_Resolution=Start the Server service.
LanmanServerStatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Srv.sys status
SrvStatusCheck_Title=Srv.sys should be running
SrvStatusCheck_Problem=Srv.sys is not running.
SrvStatusCheck_Impact=Client computers will not be able to access file shares and other Server Message Block (SMB)-based network services on this computer.
SrvStatusCheck_Resolution=Start Srv.sys.
SrvStatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Srv2.sys status
Srv2StatusCheck_Title=Srv2.sys should be running
Srv2StatusCheck_Problem=Srv2.sys is not running.
Srv2StatusCheck_Impact=Client computers will not be able to access file shares and other Server Message Block (SMB)-based network services on this computer.
Srv2StatusCheck_Resolution=Start Srv2.sys.
Srv2StatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Srvnet.sys status
SrvnetStatusCheck_Title=Srvnet.sys should be running
SrvnetStatusCheck_Problem=Srvnet.sys is not running.
SrvnetStatusCheck_Impact=Client computers will not be able to access file shares and other Server Message Block (SMB)-based network services on this computer.
SrvnetStatusCheck_Resolution=Start Srvnet.sys.
SrvnetStatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Smb Witness Service status
SmbWitnessStatusCheck_Title=The SMB Witness service should be running or stopped
SmbWitnessStatusCheck_Problem=The SMB Witness service is neither running nor stopped.
SmbWitnessStatusCheck_Impact=If the Witness service is not running, client computers will not be able to register for notification of failover cluster events, which may increase the time it takes for client computers to reconnect after a failover event.
SmbWitnessStatusCheck_Resolution=Start the SMB Witness service.
SmbWitnessStatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check ResumeKeyFilter.sys status
ResumeKeyFilterStatusCheck_Title=ResumeKeyFilter.sys should be running
ResumeKeyFilterStatusCheck_Problem=ResumeKeyFilter.sys is not running.
ResumeKeyFilterStatusCheck_Impact=If the Resume Key Filter is not running, client computers will not be able to transparently reconnect to continuously available file shares after a cluster failover event, which may cause application errors and require administrative intervention.
ResumeKeyFilterStatusCheck_Resolution=Start ResumeKeyFilter.sys.
ResumeKeyFilterStatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Workstation service status
WorkStationServiceStatusCheck_Title=The WorkStation service should be running
WorkStationServiceStatusCheck_Problem=The WorkStation service is not running.
WorkStationServiceStatusCheck_Impact=If workstation service is not running, the computer will not be able to access file shares and other Server Message Block (SMB)-based network services on other computers.
WorkStationServiceStatusCheck_Resolution=Start the WorkStation service.
WorkStationServiceStatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Mrxsmb20.sys status
Mrxsmb20StatusCheck_Title=Mrxsmb20.sys should be running
Mrxsmb20StatusCheck_Problem=Mrxsmb20.sys is not running.
Mrxsmb20StatusCheck_Impact=The computer will not be able to access file shares and other Server Message Block (SMB)-based network services on other computers.
Mrxsmb20StatusCheck_Resolution=Start Mrxsmb20.sys.
Mrxsmb20StatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Rdbss.sys status
RdbssStatusCheck_Title=Rdbss.sys should be running
RdbssStatusCheck_Problem=Rdbss.sys is not running.
RdbssStatusCheck_Impact=The computer will not be able to access file shares and other Server Message Block (SMB)-based network services on other computers.
RdbssStatusCheck_Resolution=Start Rdbss.sys.
RdbssStatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Mup.sys status
MupStatusCheck_Title=Mup.sys should be running
MupStatusCheck_Problem=Mup.sys is not running.
MupStatusCheck_Impact=The computer will not be able to access file shares and other Server Message Block (SMB)-based network services on other computers.
MupStatusCheck_Resolution=Start Mup.sys.
MupStatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check SmbDirect.sys status
SmbDirectStatusCheck_Title=SmbDirect.sys should be running or stopped
SmbDirectStatusCheck_Problem=SmbDirect.sys is neither running nor stopped.
SmbDirectStatusCheck_Impact=If the SMB Direct service is not running, client computers will not be able to use SMB over RDMA, which is available with specific Network Interfaces that support RDMA.
SmbDirectStatusCheck_Resolution=Start SmbDirect.sys.
SmbDirectStatusCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Server CA is enabled
ServerCaSettingCheck_Title=Continuous availability should be enabled on this server
ServerCaSettingCheck_Problem=Continuous availability is disabled on this file server.
ServerCaSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ServerCaSettingCheck_Resolution=Enable continuous availability on this server.
ServerCaSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check RejectUnencryptedAccess is enabled
RejectUnencryptedAccessSettingCheck_Title=RejectUnencryptedAccess should be enabled
RejectUnencryptedAccessSettingCheck_Problem=RejectUnencryptedAccess is disabled on this server.
RejectUnencryptedAccessSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
RejectUnencryptedAccessSettingCheck_Resolution=Enable RejectUnencryptedAccess on this server.
RejectUnencryptedAccessSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check AnnounceServer is disabled
AnnounceServerSettingCheck_Title=AnnounceServer should be disabled
AnnounceServerSettingCheck_Problem=AnnounceServer is enabled on this server.
AnnounceServerSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
AnnounceServerSettingCheck_Resolution=Disable AnnounceServer on this server.
AnnounceServerSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check AsynchronousCredits value
AsynchronousCreditsSettingCheck_Title=AsynchronousCredits should have the recommended value
AsynchronousCreditsSettingCheck_Problem=AsynchronousCredits doesn't have the recommended value on this server.
AsynchronousCreditsSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
AsynchronousCreditsSettingCheck_Resolution=Set AsynchronousCredits to the recommended value, 64.
AsynchronousCreditsSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check AutoShareServer is enabled
AutoShareServerSettingCheck_Title=AutoShareServer should be enabled
AutoShareServerSettingCheck_Problem=AutoShareServer is disabled on this server.
AutoShareServerSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
AutoShareServerSettingCheck_Resolution=Enable AutoShareServer on this server.
AutoShareServerSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check AutoShareWorkstation is enabled
AutoShareWorkstationSettingCheck_Title=AutoShareWorkstation should be enabled
AutoShareWorkstationSettingCheck_Problem=AutoShareWorkstation is disabled on this server.
AutoShareWorkstationSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
AutoShareWorkstationSettingCheck_Resolution=Enable AutoShareWorkstation on this server.
AutoShareWorkstationSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check CachedOpenLimit value
CachedOpenLimitSettingCheck_Title=CachedOpenLimit should have the recommended value
CachedOpenLimitSettingCheck_Problem=CachedOpenLimit doesn't have the recommended value on this server.
CachedOpenLimitSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
CachedOpenLimitSettingCheck_Resolution=Set CachedOpenLimit to the recommended value, 5.
CachedOpenLimitSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check downlevel timewarp setting
DownlevelTimewarpSettingCheck_Title=Previous Versions support for client computers running Windows 98 should be disabled
DownlevelTimewarpSettingCheck_Problem=Previous Versions support for client computers running Windows 98 is enabled.
DownlevelTimewarpSettingCheck_Impact=Client computers running Windows 7 or Windows Server 2008 R2 will not correctly display Previous Versions snapshot details.
DownlevelTimewarpSettingCheck_Resolution=Use Registry Editor to disable Previous Versions support for client computers running Windows 98.
DownlevelTimewarpSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Leasing is enabled
LeasingSettingCheck_Title=Leasing should be enabled
LeasingSettingCheck_Problem=Leasing is disabled on this server.
LeasingSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
LeasingSettingCheck_Resolution=Enable Leasing on this server.
LeasingSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check MultiChannel is enabled
MultiChannelSettingCheck_Title=MultiChannel should be enabled
MultiChannelSettingCheck_Problem=MultiChannel is disabled on this server.
MultiChannelSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
MultiChannelSettingCheck_Resolution=Enable MultiChannel on this server.
MultiChannelSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check StrictNameChecking is enabled
StrictNameCheckingSettingCheck_Title=StrictNameChecking should be enabled
StrictNameCheckingSettingCheck_Problem=StrictNameChecking is disabled on this server.
StrictNameCheckingSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
StrictNameCheckingSettingCheck_Resolution=Enable StrictNameChecking on this server.
StrictNameCheckingSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check AutoDisconnectTimeout value
AutoDisconnectTimeoutSettingCheck_Title=AutoDisconnectTimeout should have the recommended value
AutoDisconnectTimeoutSettingCheck_Problem=AutoDisconnectTimeout doesn't have the recommended value on this server.
AutoDisconnectTimeoutSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
AutoDisconnectTimeoutSettingCheck_Resolution=Set AutoDisconnectTimeout to the recommended value, 0.
AutoDisconnectTimeoutSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check DurableHandleV2TimeoutInSeconds value
DurableHandleV2TimeoutInSecondsSettingCheck_Title=DurableHandleV2TimeoutInSeconds should have the recommended value
DurableHandleV2TimeoutInSecondsSettingCheck_Problem=DurableHandleV2TimeoutInSeconds doesn't have the recommended value on this server.
DurableHandleV2TimeoutInSecondsSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
DurableHandleV2TimeoutInSecondsSettingCheck_Resolution=Set DurableHandleV2TimeoutInSeconds to the recommended value, 30.
DurableHandleV2TimeoutInSecondsSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check AuthenticateUserSharing is disabled
AuthenticateUserSharingSettingCheck_Title=AuthenticateUserSharing should be disabled
AuthenticateUserSharingSettingCheck_Problem=AuthenticateUserSharing is enabled on this server.
AuthenticateUserSharingSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
AuthenticateUserSharingSettingCheck_Resolution=Disable AuthenticateUserSharing on this server.
AuthenticateUserSharingSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check ForcedLogoff is enabled
ForcedLogoffSettingCheck_Title=ForcedLogoff should be enabled
ForcedLogoffSettingCheck_Problem=ForcedLogoff is disabled on this server.
ForcedLogoffSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ForcedLogoffSettingCheck_Resolution=Enable ForcedLogoff on this server.
ForcedLogoffSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Oplocks is enabled
OplocksSettingCheck_Title=Oplocks should be enabled
OplocksSettingCheck_Problem=Oplocks is disabled on this server.
OplocksSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
OplocksSettingCheck_Resolution=Enable Oplocks on this server.
OplocksSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check ServerHidden is enabled
ServerHiddenSettingCheck_Title=ServerHidden should be enabled
ServerHiddenSettingCheck_Problem=ServerHidden is disabled on this server.
ServerHiddenSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ServerHiddenSettingCheck_Resolution=Enable ServerHidden on this server.
ServerHiddenSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check IrpStackSize value
IrpStackSizeSettingCheck_Title=IrpStackSize should have the recommended value
IrpStackSizeSettingCheck_Problem=IrpStackSize doesn't have the recommended value on this server.
IrpStackSizeSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
IrpStackSizeSettingCheck_Resolution=Set IrpStackSize to the recommended value, 15.
IrpStackSizeSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check KeepAliveTime value
KeepAliveTimeSettingCheck_Title=KeepAliveTime should have the recommended value
KeepAliveTimeSettingCheck_Problem=KeepAliveTime doesn't have the recommended value on this server.
KeepAliveTimeSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
KeepAliveTimeSettingCheck_Resolution=Set KeepAliveTime to the recommended value, 2.
KeepAliveTimeSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check MaxChannelPerSession value
MaxChannelPerSessionSettingCheck_Title=MaxChannelPerSession should have the recommended value
MaxChannelPerSessionSettingCheck_Problem=MaxChannelPerSession doesn't have the recommended value on this server.
MaxChannelPerSessionSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
MaxChannelPerSessionSettingCheck_Resolution=Set MaxChannelPerSession to the recommended value, 16.
MaxChannelPerSessionSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check MaxMpxCount value
MaxMpxCountSettingCheck_Title=MaxMpxCount should have the recommended value
MaxMpxCountSettingCheck_Problem=MaxMpxCount doesn't have the recommended value on this server.
MaxMpxCountSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
MaxMpxCountSettingCheck_Resolution=Set MaxMpxCount to the recommended value, 50.
MaxMpxCountSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check MaxSessionPerConnection value
MaxSessionPerConnectionSettingCheck_Title=MaxSessionPerConnection should have the recommended value
MaxSessionPerConnectionSettingCheck_Problem=MaxSessionPerConnection doesn't have the recommended value on this server.
MaxSessionPerConnectionSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
MaxSessionPerConnectionSettingCheck_Resolution=Set MaxSessionPerConnection to the recommended value, 16384.
MaxSessionPerConnectionSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check MaxThreadsPerQueue value
MaxThreadsPerQueueSettingCheck_Title=MaxThreadsPerQueue should have the recommended value
MaxThreadsPerQueueSettingCheck_Problem=MaxThreadsPerQueue doesn't have the recommended value on this server.
MaxThreadsPerQueueSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
MaxThreadsPerQueueSettingCheck_Resolution=Set MaxThreadsPerQueue to the recommended value, 20.
MaxThreadsPerQueueSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check MaxWorkItems value
MaxWorkItemsSettingCheck_Title=MaxWorkItems should have the recommended value
MaxWorkItemsSettingCheck_Problem=MaxWorkItems doesn't have the recommended value on this server.
MaxWorkItemsSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
MaxWorkItemsSettingCheck_Resolution=Set MaxWorkItems to the recommended value, 1.
MaxWorkItemsSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check OplockBreakWait value
OplockBreakWaitSettingCheck_Title=OplockBreakWait should have the recommended value
OplockBreakWaitSettingCheck_Problem=OplockBreakWait doesn't have the recommended value on this server.
OplockBreakWaitSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
OplockBreakWaitSettingCheck_Resolution=Set OplockBreakWait to the recommended value, 35.
OplockBreakWaitSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check PendingClientTimeoutInSeconds value
PendingClientTimeoutInSecondsSettingCheck_Title=PendingClientTimeoutInSeconds should have the recommended value
PendingClientTimeoutInSecondsSettingCheck_Problem=PendingClientTimeoutInSeconds doesn't have the recommended value on this server.
PendingClientTimeoutInSecondsSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
PendingClientTimeoutInSecondsSettingCheck_Resolution=Set PendingClientTimeoutInSeconds to the recommended value, 120.
PendingClientTimeoutInSecondsSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check SMB1 enabled
Smb1SettingCheck_Title=The SMB 1.0 file sharing protocol should be enabled
Smb1SettingCheck_Problem=The Server Message Block 1.0 (SMB 1.0) file sharing protocol is disabled on this file server.
Smb1SettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
Smb1SettingCheck_Resolution=Use Registry Editor to enable the SMB 1.0 protocol.
Smb1SettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check SMB2 enabled
Smb2SettingCheck_Title=The SMB 2.0 file sharing protocol should be enabled
Smb2SettingCheck_Problem=The Server Message Block 2.0 (SMB 2.0) file sharing protocol is disabled on this file server.
Smb2SettingCheck_Impact=Client computers cannot communicate with the server by using the SMB 2.0 protocol. As a result, file transfers might be slower, the file server might not be able to service as many connections, and new functionality such as support for symbolic links or durable handles will not be available.
Smb2SettingCheck_Resolution=Use Registry Editor to enable the SMB 2.0 protocol.
Smb2SettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Smb2CreditsMax value
Smb2CreditsMaxSettingCheck_Title=Smb2CreditsMax should have the recommended value
Smb2CreditsMaxSettingCheck_Problem=Smb2CreditsMax doesn't have the recommended value on this server.
Smb2CreditsMaxSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
Smb2CreditsMaxSettingCheck_Resolution=Set Smb2CreditsMax to the recommended value, 2048.
Smb2CreditsMaxSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check Smb2CreditsMin value
Smb2CreditsMinSettingCheck_Title=Smb2CreditsMin should have the recommended value
Smb2CreditsMinSettingCheck_Problem=Smb2CreditsMin doesn't have the recommended value on this server.
Smb2CreditsMinSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
Smb2CreditsMinSettingCheck_Resolution=Set Smb2CreditsMin to the recommended value, 128.
Smb2CreditsMinSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check SmbServerNameHardeningLevel value
SmbServerNameHardeningLevelSettingCheck_Title=SmbServerNameHardeningLevel should have the recommended value
SmbServerNameHardeningLevelSettingCheck_Problem=SmbServerNameHardeningLevel doesn't have the recommended value on this server.
SmbServerNameHardeningLevelSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
SmbServerNameHardeningLevelSettingCheck_Resolution=Set SmbServerNameHardeningLevel to the recommended value, 0.
SmbServerNameHardeningLevelSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check TreatHostAsStableStorage is disabled
TreatHostAsStableStorageSettingCheck_Title=TreatHostAsStableStorage should be disabled
TreatHostAsStableStorageSettingCheck_Problem=TreatHostAsStableStorage is enabled on this server.
TreatHostAsStableStorageSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
TreatHostAsStableStorageSettingCheck_Resolution=Disable TreatHostAsStableStorage on this server.
TreatHostAsStableStorageSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.

# check ValidateAliasNotCircular is enabled
ValidateAliasNotCircularSettingCheck_Title=ValidateAliasNotCircular should be enabled
ValidateAliasNotCircularSettingCheck_Problem=ValidateAliasNotCircular is disabled on this server.
ValidateAliasNotCircularSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ValidateAliasNotCircularSettingCheck_Resolution=Enable ValidateAliasNotCircular on this server.
ValidateAliasNotCircularSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check ValidateShareScope is enabled
ValidateShareScopeSettingCheck_Title=ValidateShareScope should be enabled
ValidateShareScopeSettingCheck_Problem=ValidateShareScope is disabled on this server.
ValidateShareScopeSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ValidateShareScopeSettingCheck_Resolution=Enable ValidateShareScope on this server.
ValidateShareScopeSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check ValidateShareScopeNotAliased is enabled
ValidateShareScopeNotAliasedSettingCheck_Title=ValidateShareScopeNotAliased should be enabled
ValidateShareScopeNotAliasedSettingCheck_Problem=ValidateShareScopeNotAliased is disabled on this server.
ValidateShareScopeNotAliasedSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ValidateShareScopeNotAliasedSettingCheck_Resolution=Enable ValidateShareScopeNotAliased on this server.
ValidateShareScopeNotAliasedSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check ValidateTargetName is enabled
ValidateTargetNameSettingCheck_Title=ValidateTargetName should be enabled
ValidateTargetNameSettingCheck_Problem=ValidateTargetName is disabled on this server.
ValidateTargetNameSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ValidateTargetNameSettingCheck_Resolution=Enable ValidateTargetName on this server.
ValidateTargetNameSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check Client CA is enabled
ClientCaSettingCheck_Title=Continuous availability should be enabled on this client
ClientCaSettingCheck_Problem=Continuous availability is disabled on this client.
ClientCaSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ClientCaSettingCheck_Resolution=Enable continuous availability on this client.
ClientCaSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check ConnectionCountPerRssNetworkInterface value
ConnectionCountPerRssNetworkInterfaceSettingCheck_Title=ConnectionCountPerRssNetworkInterface should have the recommended value
ConnectionCountPerRssNetworkInterfaceSettingCheck_Problem=ConnectionCountPerRssNetworkInterface doesn't have the recommended value.
ConnectionCountPerRssNetworkInterfaceSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ConnectionCountPerRssNetworkInterfaceSettingCheck_Resolution=Set ConnectionCountPerRssNetworkInterface to the recommended value, 4.
ConnectionCountPerRssNetworkInterfaceSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check DirectoryCacheEntriesMax value
DirectoryCacheEntriesMaxSettingCheck_Title=DirectoryCacheEntriesMax should have the recommended value
DirectoryCacheEntriesMaxSettingCheck_Problem=DirectoryCacheEntriesMax doesn't have the recommended value.
DirectoryCacheEntriesMaxSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
DirectoryCacheEntriesMaxSettingCheck_Resolution=Set DirectoryCacheEntriesMax to the recommended value, 16.
DirectoryCacheEntriesMaxSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check DirectoryCacheEntrySizeMax value
DirectoryCacheEntrySizeMaxSettingCheck_Title=DirectoryCacheEntrySizeMax should have the recommended value
DirectoryCacheEntrySizeMaxSettingCheck_Problem=DirectoryCacheEntrySizeMax doesn't have the recommended value.
DirectoryCacheEntrySizeMaxSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
DirectoryCacheEntrySizeMaxSettingCheck_Resolution=Set DirectoryCacheEntrySizeMax to the recommended value, 65536.
DirectoryCacheEntrySizeMaxSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check DirectoryCacheLifetime value
DirectoryCacheLifetimeSettingCheck_Title=DirectoryCacheLifetime should have the recommended value
DirectoryCacheLifetimeSettingCheck_Problem=DirectoryCacheLifetime doesn't have the recommended value.
DirectoryCacheLifetimeSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
DirectoryCacheLifetimeSettingCheck_Resolution=Set DirectoryCacheLifetime to the recommended value, 10.
DirectoryCacheLifetimeSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check BandwidthThrottling is enabled
BandwidthThrottlingSettingCheck_Title=BandwidthThrottling should be enabled
BandwidthThrottlingSettingCheck_Problem=BandwidthThrottling is disabled.
BandwidthThrottlingSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
BandwidthThrottlingSettingCheck_Resolution=Enable BandwidthThrottling.
BandwidthThrottlingSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check ByteRangeLockingOnReadOnlyFiles is enabled
ByteRangeLockingOnReadOnlyFilesSettingCheck_Title=ByteRangeLockingOnReadOnlyFiles should be enabled
ByteRangeLockingOnReadOnlyFilesSettingCheck_Problem=ByteRangeLockingOnReadOnlyFiles is disabled.
ByteRangeLockingOnReadOnlyFilesSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ByteRangeLockingOnReadOnlyFilesSettingCheck_Resolution=Enable ByteRangeLockingOnReadOnlyFiles.
ByteRangeLockingOnReadOnlyFilesSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check LargeMtu is enabled
LargeMtuSettingCheck_Title=LargeMtu should be enabled
LargeMtuSettingCheck_Problem=LargeMtu is disabled.
LargeMtuSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
LargeMtuSettingCheck_Resolution=Enable LargeMtu.
LargeMtuSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check client MultiChannel is enabled
ClientMultiChannelSettingCheck_Title=MultiChannel should be enabled on this client
ClientMultiChannelSettingCheck_Problem=MultiChannel is disabled on this client.
ClientMultiChannelSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ClientMultiChannelSettingCheck_Resolution=Enable MultiChannel on this client.
ClientMultiChannelSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check DormantFileLimit value
DormantFileLimitSettingCheck_Title=DormantFileLimit should have the recommended value
DormantFileLimitSettingCheck_Problem=DormantFileLimit doesn't have the recommended value.
DormantFileLimitSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
DormantFileLimitSettingCheck_Resolution=Set DormantFileLimit to the recommended value, 1023.
DormantFileLimitSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check ExtendedSessionTimeout value
ExtendedSessionTimeoutSettingCheck_Title=ExtendedSessionTimeout should have the recommended value
ExtendedSessionTimeoutSettingCheck_Problem=ExtendedSessionTimeout doesn't have the recommended value.
ExtendedSessionTimeoutSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
ExtendedSessionTimeoutSettingCheck_Resolution=Set ExtendedSessionTimeout to the recommended value, 0.
ExtendedSessionTimeoutSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check FileInfoCacheEntriesMax value
FileInfoCacheEntriesMaxSettingCheck_Title=FileInfoCacheEntriesMax should have the recommended value
FileInfoCacheEntriesMaxSettingCheck_Problem=FileInfoCacheEntriesMax doesn't have the recommended value.
FileInfoCacheEntriesMaxSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
FileInfoCacheEntriesMaxSettingCheck_Resolution=Set FileInfoCacheEntriesMax to the recommended value, 64.
FileInfoCacheEntriesMaxSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check FileInfoCacheLifetime value
FileInfoCacheLifetimeSettingCheck_Title=FileInfoCacheLifetime should have the recommended value
FileInfoCacheLifetimeSettingCheck_Problem=FileInfoCacheLifetime doesn't have the recommended value.
FileInfoCacheLifetimeSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
FileInfoCacheLifetimeSettingCheck_Resolution=Set FileInfoCacheLifetime to the recommended value, 10.
FileInfoCacheLifetimeSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check FileNotFoundCacheEntriesMax value
FileNotFoundCacheEntriesMaxSettingCheck_Title=FileNotFoundCacheEntriesMax should have the recommended value
FileNotFoundCacheEntriesMaxSettingCheck_Problem=FileNotFoundCacheEntriesMax doesn't have the recommended value.
FileNotFoundCacheEntriesMaxSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
FileNotFoundCacheEntriesMaxSettingCheck_Resolution=Set FileNotFoundCacheEntriesMax to the recommended value, 128.
FileNotFoundCacheEntriesMaxSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check FileNotFoundCacheLifetime value
FileNotFoundCacheLifetimeSettingCheck_Title=FileNotFoundCacheLifetime should have the recommended value
FileNotFoundCacheLifetimeSettingCheck_Problem=FileNotFoundCacheLifetime doesn't have the recommended value.
FileNotFoundCacheLifetimeSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
FileNotFoundCacheLifetimeSettingCheck_Resolution=Set FileNotFoundCacheLifetime to the recommended value, 5.
FileNotFoundCacheLifetimeSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check KeepConn value
KeepConnSettingCheck_Title=KeepConn should have the recommended value
KeepConnSettingCheck_Problem=KeepConn doesn't have the recommended value.
KeepConnSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
KeepConnSettingCheck_Resolution=Set KeepConn to the recommended value, 600.
KeepConnSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check MaxCmds value
MaxCmdsSettingCheck_Title=MaxCmds should have the recommended value
MaxCmdsSettingCheck_Problem=MaxCmds doesn't have the recommended value.
MaxCmdsSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
MaxCmdsSettingCheck_Resolution=Set MaxCmds to the recommended value, 50.
MaxCmdsSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check MaximumConnectionCountPerServer value
MaximumConnectionCountPerServerSettingCheck_Title=MaximumConnectionCountPerServer should have the recommended value
MaximumConnectionCountPerServerSettingCheck_Problem=MaximumConnectionCountPerServer doesn't have the recommended value.
MaximumConnectionCountPerServerSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
MaximumConnectionCountPerServerSettingCheck_Resolution=Set MaximumConnectionCountPerServer to the recommended value, 8.
MaximumConnectionCountPerServerSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check SessionTimeout value
SessionTimeoutSettingCheck_Title=SessionTimeout should have the recommended value
SessionTimeoutSettingCheck_Problem=SessionTimeout doesn't have the recommended value.
SessionTimeoutSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
SessionTimeoutSettingCheck_Resolution=Set SessionTimeout to the recommended value, 45.
SessionTimeoutSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check UseOpportunisticLocking is enabled
UseOpportunisticLockingSettingCheck_Title=UseOpportunisticLocking should be enabled
UseOpportunisticLockingSettingCheck_Problem=UseOpportunisticLocking is disabled.
UseOpportunisticLockingSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
UseOpportunisticLockingSettingCheck_Resolution=Enable UseOpportunisticLocking.
UseOpportunisticLockingSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check WindowSizeThreshold value
WindowSizeThresholdSettingCheck_Title=WindowSizeThreshold should have the recommended value
WindowSizeThresholdSettingCheck_Problem=WindowSizeThreshold doesn't have the recommended value.
WindowSizeThresholdSettingCheck_Impact=SMB not in a default configuration, which could lead to less than optimal behavior.
WindowSizeThresholdSettingCheck_Resolution=Set WindowSizeThreshold to the recommended value, 1.
WindowSizeThresholdSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check for scoped shares that are not CA
ShareCheck1_Title=Scoped shares should be continuously available
ShareCheck1_Problem=At least one scoped share isn't continuously available.
ShareCheck1_Impact=If a non CA share fails over to a different cluster node clients may lose unsaved data.
ShareCheck1_Resolution=Set scoped shares to be continuously available.
ShareCheck1_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check for not online shares
ShareCheck2_Title=All shares should be online
ShareCheck2_Problem=At least one share isn't online.
ShareCheck2_Impact=Clients won't be able to access shares that aren't online.
ShareCheck2_Resolution=Bring all shares online.
ShareCheck2_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check for Scaleout and AccessBasedEnumeration shares
ShareCheck3_Title=Scaleout shares shouldn't have FolderEnumerationMode = AccessBased
ShareCheck3_Problem=At least one scale out share has FolderEnumerationMode = AccessBased.
ShareCheck3_Impact=Access based enumeration may cause performance issues for scale out shares.
ShareCheck3_Resolution=Set scale out shares' FolderEnumerationMode to Unrestricted.
ShareCheck3_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check for Scaleout and CachingMode != None shares
ShareCheck4_Title=Scaleout shares should have CachingMode = None
ShareCheck4_Problem=At least one scale out share doesn't have CachingMode = None.
ShareCheck4_Impact=Scale out shares having a CachingMode value other than 'None' isn't supported.
ShareCheck4_Resolution=Set scale out shares' CachingMode to None.
ShareCheck4_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check for shares with limited concurrent users
ShareCheck5_Title=Shares shouldn't have concurrent user limit
ShareCheck5_Problem=At least one share has concurrent user limit.
ShareCheck5_Impact=Some users may not be able to access the share if the concurrent user limit is reached.
ShareCheck5_Resolution=Set concurrent user limit to 0 which means there's no limit.
ShareCheck5_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check for shares with aggressive CATimeout
ShareCheck6_Title=Shares should have CATimeout value >= 25
ShareCheck6_Problem=At least one share has a CATimeout value < 25.
ShareCheck6_Impact=Clients may lose unsaved data if a failover takes longer than expected.
ShareCheck6_Resolution=Set CATimeout to a value >=25.
ShareCheck6_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# Rdma & Signing check
RdmaAndSigningSettingCheck_Title=Systems with RDMA NICs shouldn't have encryption or signing enabled
RdmaAndSigningSettingCheck_Problem=Either signing or Encryption is used in this server which has RDMA NIC(s).
RdmaAndSigningSettingCheck_Impact=Having signing or encryption enabled may significantly degrade RDMA performance.
RdmaAndSigningSettingCheck_Resolution=Turn off signing and encryption to get best performance from SmbDirect.
RdmaAndSigningSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check DOS detection setting
DOSDetectionSettingCheck_Title=Denial of service detection should be enabled
DOSDetectionSettingCheck_Problem=Denial of service detection for the Server service is disabled.
DOSDetectionSettingCheck_Impact=The server will not be able to detect patterns of Server Message Block (SMB)-based communications that indicate that a malicious user is attempting a denial of service attack.
DOSDetectionSettingCheck_Resolution=If appropriate for your environment, use Registry Editor to enable denial of service detection.
DOSDetectionSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check 8.3 name creation setting
8Dot3NameCreationSettingCheck_Title=Short file name creation should be disabled
8Dot3NameCreationSettingCheck_Problem=In addition to the normal file names, the server is creating short, eight-character file names with a three-character file extension (8.3 file names) for all files.
8Dot3NameCreationSettingCheck_Impact=Creating short file names in addition to the normal, long file names can significantly decrease file server performance.
8Dot3NameCreationSettingCheck_Resolution=Disable short file name creation unless short file names are required by legacy applications.
8Dot3NameCreationSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check port 139 and 445 enabled
PortEnabledCheck_Title=File and printer sharing ports should be open
PortEnabledCheck_Problem=The firewall ports necessary for file and printer sharing are not open (ports 445 and 139).
PortEnabledCheck_Impact=Computers will not be able to access shared folders and other Server Message Block (SMB)-based network services on this server.
PortEnabledCheck_Resolution=Enable File and Printer Sharing to communicate through the computer's firewall.
PortEnabledCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check TCPTablePartitions registry setting
NumTCPTablePartitionsSettingCheck_Title=No registry setting for tuning the number of TCP table partitions in TCP/IP should exist
NumTCPTablePartitionsSettingCheck_Problem=The registry setting for tuning the number of TCP table partitions in TCP/IP is enabled on this server.
NumTCPTablePartitionsSettingCheck_Impact=This registry setting is ignored by this version of Windows and is consuming a small amount of extra space in the registry.
NumTCPTablePartitionsSettingCheck_Resolution=Use Registry Editor to delete the registry setting.
NumTCPTablePartitionsSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check TCPWindowSize registry setting
TCPWindowSizeSettingCheck_Title=No registry setting for tuning the TCP window size in TCP/IP should exist
TCPWindowSizeSettingCheck_Problem=The registry setting for tuning the TCP window size in TCP/IP is enabled on this server.
TCPWindowSizeSettingCheck_Impact=This registry setting is ignored by this version of Windows and is consuming a small amount of extra space in the registry.
TCPWindowSizeSettingCheck_Resolution=Use Registry Editor to delete the registry setting.
TCPWindowSizeSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check MaxHashTableSize registry setting
MaxHashTableSizeSettingCheck_Title=No registry setting for tuning the MaxHashTableSize in TCP/IP should exist
MaxHashTableSizeSettingCheck_Problem=The registry setting for tuning the MaxHashTableSize in TCP/IP is enabled on this server.
MaxHashTableSizeSettingCheck_Impact=This registry setting is ignored by this version of Windows and is consuming a small amount of extra space in the registry.
MaxHashTableSizeSettingCheck_Resolution=Use Registry Editor to delete the registry setting.
MaxHashTableSizeSettingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check NIC team member link speed
NICTeamMemberLinkSpeedCheck_Title=Network adapters that have different link speeds should not be teamed
NICTeamMemberLinkSpeedCheck_Problem=Some NIC teams are formed by network adapters of different link speeds.
NICTeamMemberLinkSpeedCheck_Impact=Network performance may be degraded since the load distribution algorithm does not account for different interface bandwidth capabilities.
NICTeamMemberLinkSpeedCheck_Resolution=Always team network adapters that have the same link speed.
NICTeamMemberLinkSpeedCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check NIC team member DCB setting
NICTeamMemberDcbCheck_Title=Quality of Service (QoS) should be enabled consistently on network adapters that are members of a NIC team
NICTeamMemberDcbCheck_Problem=QoS is enabled on some member network adapters, but not on other members.
NICTeamMemberDcbCheck_Impact=Bandwidth enforcement per workload may not work since QoS is not enabled on all network adapters.
NICTeamMemberDcbCheck_Resolution=Enable QoS with PowerShell cmdlet: Enable-NetAdapterQos, or in the network adapter Advanced Properties.
NICTeamMemberDcbCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check NIC Checksum Offload setting
NICChecksumOffloadCheck_Title=Enable Checksum Offload on a network adapter
NICChecksumOffloadCheck_Problem=Some network adapters are capable of Checksum Offload, but the capability is disabled.
NICChecksumOffloadCheck_Impact=Windows system performance may be degraded since TCP/IP checksum calculations are not being offloaded from the CPU to the network adapter.
NICChecksumOffloadCheck_Resolution=Enable Checksum Offload with PowerShell cmdlet: Enable-NetAdapterChecksumOffload, or in the network adapter Advanced Properties.
NICChecksumOffloadCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check NIC LSO setting
NICLargeSendOffloadCheck_Title=Enable Large Send Offload (LSO) on a network adapter
NICLargeSendOffloadCheck_Problem=Some network adapters are capable of LSO, but the capability is disabled.
NICLargeSendOffloadCheck_Impact=Windows system performance may be degraded since link utilization for transmission, and CPU utilization is not optimized.
NICLargeSendOffloadCheck_Resolution=Enable LSO with PowerShell cmdlet: Enable-NetAdapterLso, or in the network adapter Advanced Properties.
NICLargeSendOffloadCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check NIC IPsec TO setting
NICIPsecTaskOffloadCheck_Title=Enable IPsec Task Offload v2 (TOv2) on a network adapter
NICIPsecTaskOffloadCheck_Problem=Some network adapters are capable of IPsec TOv2, but the capability is disabled.
NICIPsecTaskOffloadCheck_Impact=Networking performance may be degraded, and the CPU may be over-utilized since they are not optimized.
NICIPsecTaskOffloadCheck_Resolution=Enable IPsec TOv2 with PowerShell cmdlet: Enable-NetAdapterIPsecOffload, or in the network adapter Advanced Properties.
NICIPsecTaskOffloadCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check NIC RSS setting
NICReceiveSideScalingCheck_Title=Enable Receive Side Scaling (RSS) on a network adapter
NICReceiveSideScalingCheck_Problem=Some network adapters are capable of RSS, but the capability is disabled.
NICReceiveSideScalingCheck_Impact=Windows networking subsystem performance may be degraded since it is not configured to use multi-core and many-core processor architecture.
NICReceiveSideScalingCheck_Resolution=Enable RSS with PowerShell cmdlet: Enable-NetAdapterRss, or in the network adapter Advanced Properties.
NICReceiveSideScalingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check NIC RSC setting
NICReceiveSideCoalescingCheck_Title=Enable Receive Side Coalescing (RSC) on a network adapter
NICReceiveSideCoalescingCheck_Problem=Some network adapters are capable of RSC, but the capability is disabled.
NICReceiveSideCoalescingCheck_Impact=Windows networking subsystem performance may be degraded since it is not configured to use the network adapter to increase TCP/IP processing efficiency.
NICReceiveSideCoalescingCheck_Resolution=Enable RSC with PowerShell cmdlet: Enable-NetAdapterRsc, or in the network adapter Advanced Properties.
NICReceiveSideCoalescingCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check cluster-wide SMB server configuration consistency
ClusterSmbConfigConsistencyCheck_Title=Smb server configuration should be consistent across cluster nodes
ClusterSmbConfigConsistencyCheck_Problem=At least one smb server configuration isn't consistent across cluster nodes.
ClusterSmbConfigConsistencyCheck_Impact=Having inconsistent smb server configuration across cluster nodes may cause performance and other issues.
ClusterSmbConfigConsistencyCheck_Resolution=Make sure smb server configuration is consistent across all cluster nodes.
ClusterSmbConfigConsistencyCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
# check SMB S4U2Self user claim retrieval settings consistency with Kerberos setting to locate a Windows 8 DC
SMBS4U2SelfAndKerberosConsistencyCheck_Title=The SMB configuration for retrieving user claims on behalf of the user should be consistent with the Kerberos capabilities for the domain so that it can locate a claims-aware Windows Server 2012 domain controller when the domain supports claims
SMBS4U2SelfAndKerberosConsistencyCheck_Problem=SMB is configured to retrieve claims on behalf of the user when claims are not provided by the user, but Kerberos authentication is not configured to request claims.
SMBS4U2SelfAndKerberosConsistencyCheck_Impact=SMB will continue the logon process without user claims, and any file access requests that require user claims will be denied.
SMBS4U2SelfAndKerberosConsistencyCheck_Resolution=To enable Kerberos authentication to request claims on behalf of the user on this server, configure the 'Kerberos client support for claims, compound authentication and Kerberos armoring' Group Policy setting in 'Computer Configuration\\Administrative Templates\\System\\Kerberos'.
SMBS4U2SelfAndKerberosConsistencyCheck_Compliant=The File Server Best Practices Analyzer scan has determined that you are in compliance with this best practice.
'@ } Import-LocalizedData -BindingVariable _system_translations -filename SMB.psd1 $windir = $env:Windir . $windir\System32\BestPractices\v1.0\Models\Microsoft\Windows\FileServices\fscommon.ps1 # # ------------------ # FUNCTIONS - START # ------------------ # # # Function Description: # # This function will update the XML document with SMB data # # Arguments: # # $xmlDoc - XmlDocument manipulated # $ns - namespace used for the element # # Return Value: # # none # function GetSMBXml($xmlDoc, $ns) { trap { write-error $error[0] continue } import-module SmbShare #Create SMB node $smbNode = $xmlDoc.CreateElement("SMB", $ns) [void]$xmlDoc.DocumentElement.AppendChild($smbNode) $computerName = [System.Net.Dns]::GetHostName() $path = "HKLM:\SYSTEM\CurrentControlSet\Services" $services = get-item -path $path # # Some of these services/drivers (like RKF) may be legitimately non existent on the server so we don't trigger a warning by default for them. # $isLanmanServerStartTypeAuto = $false $isSrvStartTypeOnDemand = $false $isSrv2StartTypeOnDemand = $false $isSrvnetStartTypeOnDemand = $false $isSmbWitnessStartTypeOnDemand = $true $isResumeKeyFilterStartTypeAuto = $true $isLanmanWorkstationStartTypeAuto = $false $isMrxsmb20StartTypeOnDemand = $false $isRdbssStartTypeSystem = $false $isMupStartTypeBoot = $false $isSmbDirectStartTypeOnDemand = $true # # Service/driver status. # Some of these services/drivers (like RKF) may be legitimately non existent on the server so we don't trigger a warning by default for them. 
    #
    $isLanmanServerRunning = $false
    $isSrvRunning = $false
    $isSrv2Running = $false
    $isSrvnetRunning = $false
    $isSmbWitnessRunningOrStopped = $true
    $isResumeKeyFilterRunning = $true
    $isWorkStationServiceRunning = $false
    $isMrxsmb20Running = $false
    $isRdbssRunning = $false
    $isMupRunning = $false
    $isSmbDirectRunningOrStopped = $true

    # Registry Start values: 0 = boot, 1 = system, 2 = automatic, 3 = manual (on demand)
    Foreach ($subkey in $services.GetSubKeyNames()) {
        $prop = get-itemproperty -path "$path\$subkey"

        if( $subkey -eq 'LanmanServer' ) {
            if( $prop.Start -eq 2 ) {$isLanmanServerStartTypeAuto = $true} else {$isLanmanServerStartTypeAuto = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" ) {$isLanmanServerRunning = $true}
        }
        elseif( $subkey -eq 'Srv' ) {
            if( $prop.Start -eq 3 ) {$isSrvStartTypeOnDemand = $true} else {$isSrvStartTypeOnDemand = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" ) {$isSrvRunning = $true}
        }
        elseif( $subkey -eq 'Srv2' ) {
            if( $prop.Start -eq 3 ) {$isSrv2StartTypeOnDemand = $true} else {$isSrv2StartTypeOnDemand = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" ) {$isSrv2Running = $true}
        }
        elseif( $subkey -eq 'Srvnet' ) {
            if( $prop.Start -eq 3 ) {$isSrvnetStartTypeOnDemand = $true} else {$isSrvnetStartTypeOnDemand = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" ) {$isSrvnetRunning = $true}
        }
        elseif( $subkey -eq 'SmbWitness' ) {
            if( $prop.Start -eq 3 ) {$isSmbWitnessStartTypeOnDemand = $true} else {$isSmbWitnessStartTypeOnDemand = $false}
            $service = get-service $subkey
            if( ($service.Status.ToString() -eq "Running") -or ($service.Status.ToString() -eq "Stopped")) {$isSmbWitnessRunningOrStopped = $true} else {$isSmbWitnessRunningOrStopped = $false}
        }
        elseif( $subkey -eq 'ResumeKeyFilter' ) {
            if( $prop.Start -eq 2 ) {$isResumeKeyFilterStartTypeAuto = $true} else {$isResumeKeyFilterStartTypeAuto = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" ) {$isResumeKeyFilterRunning = $true} else {$isResumeKeyFilterRunning = $false}
        }
        elseif( $subkey -eq 'LanmanWorkstation' ) {
            if( $prop.Start -eq 2 ) {$isLanmanWorkstationStartTypeAuto = $true} else {$isLanmanWorkstationStartTypeAuto = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" ) {$isWorkStationServiceRunning = $true}
        }
        elseif( $subkey -eq 'Mrxsmb20' ) {
            if( $prop.Start -eq 3 ) {$isMrxsmb20StartTypeOnDemand = $true} else {$isMrxsmb20StartTypeOnDemand = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" ) {$isMrxsmb20Running = $true}
        }
        elseif( $subkey -eq 'Rdbss' ) {
            if( $prop.Start -eq 1 ) {$isRdbssStartTypeSystem = $true} else {$isRdbssStartTypeSystem = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" ) {$isRdbssRunning = $true}
        }
        elseif( $subkey -eq 'Mup' ) {
            if( $prop.Start -eq 0 ) {$isMupStartTypeBoot = $true} else {$isMupStartTypeBoot = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" ) {$isMupRunning = $true}
        }
        elseif( $subkey -eq 'SmbDirect' ) {
            if( $prop.Start -eq 3 ) {$isSmbDirectStartTypeOnDemand = $true} else {$isSmbDirectStartTypeOnDemand = $false}
            $service = get-service $subkey
            if( $service.Status.ToString() -eq "Running" -or $service.Status.ToString() -eq "Stopped" ) {$isSmbDirectRunningOrStopped = $true} else {$isSmbDirectRunningOrStopped = $false}
        }
    }

    Append-XmlElement $xmlDoc $smbNode $ns "IsLanmanServerStartTypeAuto" (Formalize-BoolValue $isLanmanServerStartTypeAuto)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSrvStartTypeOnDemand" (Formalize-BoolValue $isSrvStartTypeOnDemand)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSrv2StartTypeOnDemand" (Formalize-BoolValue $isSrv2StartTypeOnDemand)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSrvnetStartTypeOnDemand" (Formalize-BoolValue $isSrvnetStartTypeOnDemand)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSmbWitnessStartTypeOnDemand" (Formalize-BoolValue $isSmbWitnessStartTypeOnDemand)
    Append-XmlElement $xmlDoc $smbNode $ns "IsResumeKeyFilterStartTypeAuto" (Formalize-BoolValue $isResumeKeyFilterStartTypeAuto)
    Append-XmlElement $xmlDoc $smbNode $ns "IsLanmanWorkstationStartTypeAuto" (Formalize-BoolValue $isLanmanWorkstationStartTypeAuto)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMrxsmb20StartTypeOnDemand" (Formalize-BoolValue $isMrxsmb20StartTypeOnDemand)
    Append-XmlElement $xmlDoc $smbNode $ns "IsRdbssStartTypeSystem" (Formalize-BoolValue $isRdbssStartTypeSystem)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMupStartTypeBoot" (Formalize-BoolValue $isMupStartTypeBoot)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSmbDirectStartTypeOnDemand" (Formalize-BoolValue $isSmbDirectStartTypeOnDemand)

    Append-XmlElement $xmlDoc $smbNode $ns "IsLanmanServerRunning" (Formalize-BoolValue $isLanmanServerRunning)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSrvRunning" (Formalize-BoolValue $isSrvRunning)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSrv2Running" (Formalize-BoolValue $isSrv2Running)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSrvnetRunning" (Formalize-BoolValue $isSrvnetRunning)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSmbWitnessRunningOrStopped" (Formalize-BoolValue $isSmbWitnessRunningOrStopped)
    Append-XmlElement $xmlDoc $smbNode $ns "IsResumeKeyFilterRunning" (Formalize-BoolValue $isResumeKeyFilterRunning)
    Append-XmlElement $xmlDoc $smbNode $ns "IsWorkstationServiceRunning" (Formalize-BoolValue $isWorkStationServiceRunning)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMrxsmb20Running" (Formalize-BoolValue $isMrxsmb20Running)
    Append-XmlElement $xmlDoc $smbNode $ns "IsRdbssRunning" (Formalize-BoolValue $isRdbssRunning)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMupRunning" (Formalize-BoolValue $isMupRunning)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSmbDirectRunningOrStopped" (Formalize-BoolValue $isSmbDirectRunningOrStopped)

    #
    # Check server configurations
    #
    $smbServerConfiguration = Get-SmbServerConfiguration

    if( $smbServerConfiguration.AnnounceServer -eq $false ) { $isAnnounceServerSettingCorrect = $true } else { $isAnnounceServerSettingCorrect = $false }
    if( $smbServerConfiguration.AsynchronousCredits -eq 64 ) { $isAsynchronousCreditsSettingCorrect = $true } else { $isAsynchronousCreditsSettingCorrect = $false }
    if( $smbServerConfiguration.AutoShareServer -eq $true ) { $isAutoShareServerSettingCorrect = $true } else { $isAutoShareServerSettingCorrect = $false }
    if( $smbServerConfiguration.AutoShareWorkstation -eq $true ) { $isAutoShareWorkstationSettingCorrect = $true } else { $isAutoShareWorkstationSettingCorrect = $false }
    if( $smbServerConfiguration.CachedOpenLimit -eq 5 ) { $isCachedOpenLimitSettingCorrect = $true } else { $isCachedOpenLimitSettingCorrect = $false }
    if( $smbServerConfiguration.EnableDownlevelTimewarp -eq $false ) { $isEnableDownlevelTimewarpSettingCorrect = $true } else { $isEnableDownlevelTimewarpSettingCorrect = $false }
    if( $smbServerConfiguration.EnableLeasing -eq $true ) { $isEnableLeasingSettingCorrect = $true } else { $isEnableLeasingSettingCorrect = $false }
    if( $smbServerConfiguration.EnableMultiChannel -eq $true ) { $isEnableMultiChannelSettingCorrect = $true } else { $isEnableMultiChannelSettingCorrect = $false }
    if( $smbServerConfiguration.EnableStrictNameChecking -eq $true ) { $isEnableStrictNameCheckingSettingCorrect = $true } else { $isEnableStrictNameCheckingSettingCorrect = $false }
    if( $smbServerConfiguration.AutoDisconnectTimeout -eq 0 ) { $isAutoDisconnectTimeoutSettingCorrect = $true } else { $isAutoDisconnectTimeoutSettingCorrect = $false }
    if( $smbServerConfiguration.DurableHandleV2TimeoutInSeconds -eq 30 ) { $isDurableHandleV2TimeoutInSecondsSettingCorrect = $true } else { $isDurableHandleV2TimeoutInSecondsSettingCorrect = $false }
    if( $smbServerConfiguration.EnableAuthenticateUserSharing -eq $false ) { $isEnableAuthenticateUserSharingSettingCorrect = $true } else { $isEnableAuthenticateUserSharingSettingCorrect = $false }
    if( $smbServerConfiguration.EnableForcedLogoff -eq $true ) { $isEnableForcedLogoffSettingCorrect = $true } else { $isEnableForcedLogoffSettingCorrect = $false }
    if( $smbServerConfiguration.EnableOplocks -eq $true ) { $isEnableOplocksSettingCorrect = $true } else { $isEnableOplocksSettingCorrect = $false }
    if( $smbServerConfiguration.ServerHidden -eq $true ) { $isServerHiddenSettingCorrect = $true } else { $isServerHiddenSettingCorrect = $false }
    if( $smbServerConfiguration.IrpStackSize -eq 15 ) { $isIrpStackSizeSettingCorrect = $true } else { $isIrpStackSizeSettingCorrect = $false }
    if( $smbServerConfiguration.KeepAliveTime -eq 2 ) { $isKeepAliveTimeSettingCorrect = $true } else { $isKeepAliveTimeSettingCorrect = $false }
    if( $smbServerConfiguration.MaxChannelPerSession -eq 32 ) { $isMaxChannelPerSessionSettingCorrect = $true } else { $isMaxChannelPerSessionSettingCorrect = $false }
    if( $smbServerConfiguration.MaxMpxCount -eq 50 ) { $isMaxMpxCountSettingCorrect = $true } else { $isMaxMpxCountSettingCorrect = $false }
    if( $smbServerConfiguration.MaxSessionPerConnection -eq 16384 ) { $isMaxSessionPerConnectionSettingCorrect = $true } else { $isMaxSessionPerConnectionSettingCorrect = $false }
    if( $smbServerConfiguration.MaxThreadsPerQueue -eq 20 ) { $isMaxThreadsPerQueueSettingCorrect = $true } else { $isMaxThreadsPerQueueSettingCorrect = $false }
    if( $smbServerConfiguration.MaxWorkItems -eq 1 ) { $isMaxWorkItemsSettingCorrect = $true } else { $isMaxWorkItemsSettingCorrect = $false }
    if( $smbServerConfiguration.OplockBreakWait -eq 35 ) { $isOplockBreakWaitSettingCorrect = $true } else { $isOplockBreakWaitSettingCorrect = $false }
    if( $smbServerConfiguration.PendingClientTimeoutInSeconds -eq 120 ) { $isPendingClientTimeoutInSecondsSettingCorrect = $true } else { $isPendingClientTimeoutInSecondsSettingCorrect = $false }
    if( $smbServerConfiguration.EnableSMB1Protocol -eq $true ) { $isEnableSMB1ProtocolSettingCorrect = $true } else { $isEnableSMB1ProtocolSettingCorrect = $false }
    if( $smbServerConfiguration.EnableSMB2Protocol -eq $true ) { $isEnableSMB2ProtocolSettingCorrect = $true } else { $isEnableSMB2ProtocolSettingCorrect = $false }
    if( $smbServerConfiguration.Smb2CreditsMax -eq 2048 ) { $isSmb2CreditsMaxSettingCorrect = $true } else { $isSmb2CreditsMaxSettingCorrect = $false }
    if( $smbServerConfiguration.Smb2CreditsMin -eq 128 ) { $isSmb2CreditsMinSettingCorrect = $true } else { $isSmb2CreditsMinSettingCorrect = $false }
    if( $smbServerConfiguration.SmbServerNameHardeningLevel -eq 0 ) { $isSmbServerNameHardeningLevelSettingCorrect = $true } else { $isSmbServerNameHardeningLevelSettingCorrect = $false }
    if( $smbServerConfiguration.TreatHostAsStableStorage -eq $false ) { $isTreatHostAsStableStorageSettingCorrect = $true } else { $isTreatHostAsStableStorageSettingCorrect = $false }
    if( $smbServerConfiguration.ValidateAliasNotCircular -eq $true ) { $isValidateAliasNotCircularSettingCorrect = $true } else { $isValidateAliasNotCircularSettingCorrect = $false }
    if( $smbServerConfiguration.ValidateShareScope -eq $true ) { $isValidateShareScopeSettingCorrect = $true } else { $isValidateShareScopeSettingCorrect = $false }
    if( $smbServerConfiguration.ValidateShareScopeNotAliased -eq $true ) { $isValidateShareScopeNotAliasedSettingCorrect = $true } else { $isValidateShareScopeNotAliasedSettingCorrect = $false }
    if( $smbServerConfiguration.ValidateTargetName -eq $true ) { $isValidateTargetNameSettingCorrect = $true } else { $isValidateTargetNameSettingCorrect = $false }

    Append-XmlElement $xmlDoc $smbNode $ns "IsAnnounceServerSettingCorrect" (Formalize-BoolValue $isAnnounceServerSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsAsynchronousCreditsSettingCorrect" (Formalize-BoolValue $isAsynchronousCreditsSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsAutoShareServerSettingCorrect" (Formalize-BoolValue $isAutoShareServerSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsAutoShareWorkstationSettingCorrect" (Formalize-BoolValue $isAutoShareWorkstationSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsCachedOpenLimitSettingCorrect" (Formalize-BoolValue $isCachedOpenLimitSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableDownlevelTimewarpSettingCorrect" (Formalize-BoolValue $isEnableDownlevelTimewarpSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableLeasingSettingCorrect" (Formalize-BoolValue $isEnableLeasingSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableMultiChannelSettingCorrect" (Formalize-BoolValue $isEnableMultiChannelSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableStrictNameCheckingSettingCorrect" (Formalize-BoolValue $isEnableStrictNameCheckingSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsAutoDisconnectTimeoutSettingCorrect" (Formalize-BoolValue $isAutoDisconnectTimeoutSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsDurableHandleV2TimeoutInSecondsSettingCorrect" (Formalize-BoolValue $isDurableHandleV2TimeoutInSecondsSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableAuthenticateUserSharingSettingCorrect" (Formalize-BoolValue $isEnableAuthenticateUserSharingSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableForcedLogoffSettingCorrect" (Formalize-BoolValue $isEnableForcedLogoffSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableOplocksSettingCorrect" (Formalize-BoolValue $isEnableOplocksSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsServerHiddenSettingCorrect" (Formalize-BoolValue $isServerHiddenSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsIrpStackSizeSettingCorrect" (Formalize-BoolValue $isIrpStackSizeSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsKeepAliveTimeSettingCorrect" (Formalize-BoolValue $isKeepAliveTimeSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMaxChannelPerSessionSettingCorrect" (Formalize-BoolValue $isMaxChannelPerSessionSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMaxMpxCountSettingCorrect" (Formalize-BoolValue $isMaxMpxCountSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMaxSessionPerConnectionSettingCorrect" (Formalize-BoolValue $isMaxSessionPerConnectionSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMaxThreadsPerQueueSettingCorrect" (Formalize-BoolValue $isMaxThreadsPerQueueSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMaxWorkItemsSettingCorrect" (Formalize-BoolValue $isMaxWorkItemsSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsOplockBreakWaitSettingCorrect" (Formalize-BoolValue $isOplockBreakWaitSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsPendingClientTimeoutInSecondsSettingCorrect" (Formalize-BoolValue $isPendingClientTimeoutInSecondsSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableSMB1ProtocolSettingCorrect" (Formalize-BoolValue $isEnableSMB1ProtocolSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableSMB2ProtocolSettingCorrect" (Formalize-BoolValue $isEnableSMB2ProtocolSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSmb2CreditsMaxSettingCorrect" (Formalize-BoolValue $isSmb2CreditsMaxSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSmb2CreditsMinSettingCorrect" (Formalize-BoolValue $isSmb2CreditsMinSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSmbServerNameHardeningLevelSettingCorrect" (Formalize-BoolValue $isSmbServerNameHardeningLevelSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsTreatHostAsStableStorageSettingCorrect" (Formalize-BoolValue $isTreatHostAsStableStorageSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsValidateAliasNotCircularSettingCorrect" (Formalize-BoolValue $isValidateAliasNotCircularSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsValidateShareScopeSettingCorrect" (Formalize-BoolValue $isValidateShareScopeSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsValidateShareScopeNotAliasedSettingCorrect" (Formalize-BoolValue $isValidateShareScopeNotAliasedSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsValidateTargetNameSettingCorrect" (Formalize-BoolValue $isValidateTargetNameSettingCorrect)

    #
    # Check client configurations
    #
    $smbClientConfiguration = Get-SmbClientConfiguration

    if( $smbClientConfiguration.ConnectionCountPerRssNetworkInterface -eq 4 ) { $isConnectionCountPerRssNetworkInterfaceSettingCorrect = $true } else { $isConnectionCountPerRssNetworkInterfaceSettingCorrect = $false }
    if( $smbClientConfiguration.DirectoryCacheEntriesMax -eq 16 ) { $isDirectoryCacheEntriesMaxSettingCorrect = $true } else { $isDirectoryCacheEntriesMaxSettingCorrect = $false }
    if( $smbClientConfiguration.DirectoryCacheEntrySizeMax -eq 65536 ) { $isDirectoryCacheEntrySizeMaxSettingCorrect = $true } else { $isDirectoryCacheEntrySizeMaxSettingCorrect = $false }
    if( $smbClientConfiguration.DirectoryCacheLifetime -eq 10 ) { $isDirectoryCacheLifetimeSettingCorrect = $true } else { $isDirectoryCacheLifetimeSettingCorrect = $false }
    if( $smbClientConfiguration.EnableBandwidthThrottling -eq $TRUE ) { $isEnableBandwidthThrottlingSettingCorrect = $true } else { $isEnableBandwidthThrottlingSettingCorrect = $false }
    if( $smbClientConfiguration.EnableByteRangeLockingOnReadOnlyFiles -eq $TRUE ) { $isEnableByteRangeLockingOnReadOnlyFilesSettingCorrect = $true } else { $isEnableByteRangeLockingOnReadOnlyFilesSettingCorrect = $false }
    if( $smbClientConfiguration.EnableLargeMtu -eq $TRUE ) { $isEnableLargeMtuSettingCorrect = $true } else { $isEnableLargeMtuSettingCorrect = $false }
    if( $smbClientConfiguration.EnableMultiChannel -eq $TRUE ) { $isClientEnableMultiChannelSettingCorrect = $true } else { $isClientEnableMultiChannelSettingCorrect = $false }
    if( $smbClientConfiguration.DormantFileLimit -eq 1023 ) { $isDormantFileLimitSettingCorrect = $true } else { $isDormantFileLimitSettingCorrect = $false }
    if( $smbClientConfiguration.ExtendedSessionTimeout -eq 1000 ) { $isExtendedSessionTimeoutSettingCorrect = $true } else { $isExtendedSessionTimeoutSettingCorrect = $false }
    if( $smbClientConfiguration.FileInfoCacheEntriesMax -eq 64 ) { $isFileInfoCacheEntriesMaxSettingCorrect = $true } else { $isFileInfoCacheEntriesMaxSettingCorrect = $false }
    if( $smbClientConfiguration.FileInfoCacheLifetime -eq 10 ) { $isFileInfoCacheLifetimeSettingCorrect = $true } else { $isFileInfoCacheLifetimeSettingCorrect = $false }
    if( $smbClientConfiguration.FileNotFoundCacheEntriesMax -eq 128 ) { $isFileNotFoundCacheEntriesMaxSettingCorrect = $true } else { $isFileNotFoundCacheEntriesMaxSettingCorrect = $false }
    if( $smbClientConfiguration.FileNotFoundCacheLifetime -eq 5 ) { $isFileNotFoundCacheLifetimeSettingCorrect = $true } else { $isFileNotFoundCacheLifetimeSettingCorrect = $false }
    if( $smbClientConfiguration.KeepConn -eq 600 ) { $isKeepConnSettingCorrect = $true } else { $isKeepConnSettingCorrect = $false }
    if( $smbClientConfiguration.MaxCmds -eq 50 ) { $isMaxCmdsSettingCorrect = $true } else { $isMaxCmdsSettingCorrect = $false }
    if( $smbClientConfiguration.MaximumConnectionCountPerServer -eq 32 ) { $isMaximumConnectionCountPerServerSettingCorrect = $true } else { $isMaximumConnectionCountPerServerSettingCorrect = $false }
    if( $smbClientConfiguration.OplocksDisabled -eq $FALSE ) { $isOplocksDisabledSettingCorrect = $true } else { $isOplocksDisabledSettingCorrect = $false }
    if( $smbClientConfiguration.SessionTimeout -eq 60 ) { $isSessionTimeoutSettingCorrect = $true } else { $isSessionTimeoutSettingCorrect = $false }
    if( $smbClientConfiguration.UseOpportunisticLocking -eq $TRUE ) { $isUseOpportunisticLockingSettingCorrect = $true } else { $isUseOpportunisticLockingSettingCorrect = $false }
    if( $smbClientConfiguration.WindowSizeThreshold -eq 1 ) { $isWindowSizeThresholdSettingCorrect = $true } else { $isWindowSizeThresholdSettingCorrect = $false }

    Append-XmlElement $xmlDoc $smbNode $ns "IsConnectionCountPerRssNetworkInterfaceSettingCorrect" (Formalize-BoolValue $isConnectionCountPerRssNetworkInterfaceSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsDirectoryCacheEntriesMaxSettingCorrect" (Formalize-BoolValue $isDirectoryCacheEntriesMaxSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsDirectoryCacheEntrySizeMaxSettingCorrect" (Formalize-BoolValue $isDirectoryCacheEntrySizeMaxSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsDirectoryCacheLifetimeSettingCorrect" (Formalize-BoolValue $isDirectoryCacheLifetimeSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableBandwidthThrottlingSettingCorrect" (Formalize-BoolValue $isEnableBandwidthThrottlingSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableByteRangeLockingOnReadOnlyFilesSettingCorrect" (Formalize-BoolValue $isEnableByteRangeLockingOnReadOnlyFilesSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsEnableLargeMtuSettingCorrect" (Formalize-BoolValue $isEnableLargeMtuSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsClientEnableMultiChannelSettingCorrect" (Formalize-BoolValue $isClientEnableMultiChannelSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsDormantFileLimitSettingCorrect" (Formalize-BoolValue $isDormantFileLimitSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsExtendedSessionTimeoutSettingCorrect" (Formalize-BoolValue $isExtendedSessionTimeoutSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsFileInfoCacheEntriesMaxSettingCorrect" (Formalize-BoolValue $isFileInfoCacheEntriesMaxSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsFileInfoCacheLifetimeSettingCorrect" (Formalize-BoolValue $isFileInfoCacheLifetimeSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsFileNotFoundCacheEntriesMaxSettingCorrect" (Formalize-BoolValue $isFileNotFoundCacheEntriesMaxSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsFileNotFoundCacheLifetimeSettingCorrect" (Formalize-BoolValue $isFileNotFoundCacheLifetimeSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsKeepConnSettingCorrect" (Formalize-BoolValue $isKeepConnSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMaxCmdsSettingCorrect" (Formalize-BoolValue $isMaxCmdsSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMaximumConnectionCountPerServerSettingCorrect" (Formalize-BoolValue $isMaximumConnectionCountPerServerSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsOplocksDisabledSettingCorrect" (Formalize-BoolValue $isOplocksDisabledSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsSessionTimeoutSettingCorrect" (Formalize-BoolValue $isSessionTimeoutSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsUseOpportunisticLockingSettingCorrect" (Formalize-BoolValue $isUseOpportunisticLockingSettingCorrect)
    Append-XmlElement $xmlDoc $smbNode $ns "IsWindowSizeThresholdSettingCorrect" (Formalize-BoolValue $isWindowSizeThresholdSettingCorrect)

    #
    # Check share related configuration
    #
    $count = 0
    get-smbshare -Scoped $true -Special $false -ContinuouslyAvailable $false | % { $count = $count + 1 }
    if( $count -eq 0 ) { $isShareCheck1Correct = $true } else { $isShareCheck1Correct = $false }

    $count = 0
    get-smbshare | where { $_.ShareState.ToString() -ne "Online" } | % { $count = $count + 1 }
    if( $count -eq 0 ) { $isShareCheck2Correct = $true } else { $isShareCheck2Correct = $false }

    $count = 0
    get-smbshare -AvailabilityType ScaleOut -FolderEnumerationMode AccessBased | % { $count = $count + 1 }
    if( $count -eq 0 ) { $isShareCheck3Correct = $true } else { $isShareCheck3Correct = $false }

    $count = 0
    get-smbshare | where { ($_.AvailabilityType.ToString() -eq "ScaleOut") -and ($_.Special -eq $false) -and ($_.CachingMode.ToString() -ne "None") } | % { $count = $count + 1 }
    if( $count -eq 0 ) { $isShareCheck4Correct = $true } else { $isShareCheck4Correct = $false }

    $count = 0
    get-smbshare | where { $_.ConcurrentUserLimit -ne 0 } | % { $count = $count + 1 }
    if( $count -eq 0 ) { $isShareCheck5Correct = $true } else { $isShareCheck5Correct = $false }

    $count = 0
    get-smbshare | where { $_.CATimeout -lt 25 -and $_.CATimeout -ne 0 } | % { $count = $count + 1 }
    if( $count -eq 0 ) { $isShareCheck6Correct = $true } else { $isShareCheck6Correct = $false }

    Append-XmlElement $xmlDoc $smbNode $ns "IsShareCheck1Correct" (Formalize-BoolValue $isShareCheck1Correct)
    Append-XmlElement $xmlDoc $smbNode $ns "IsShareCheck2Correct" (Formalize-BoolValue $isShareCheck2Correct)
    Append-XmlElement $xmlDoc $smbNode $ns "IsShareCheck3Correct" (Formalize-BoolValue $isShareCheck3Correct)
    Append-XmlElement $xmlDoc $smbNode $ns "IsShareCheck4Correct" (Formalize-BoolValue $isShareCheck4Correct)
    Append-XmlElement $xmlDoc $smbNode $ns "IsShareCheck5Correct" (Formalize-BoolValue $isShareCheck5Correct)
    Append-XmlElement $xmlDoc $smbNode $ns "IsShareCheck6Correct" (Formalize-BoolValue $isShareCheck6Correct)

    #
    # Check RdmaAndSigning setting. If there are RDMA NICs in the system and encryption or signing is enabled, then we should display a warning
    #
    $encryptedCount = 0
    get-smbshare -EncryptData $true | % { $encryptedCount = $encryptedCount + 1 }

    import-module netadapter
    $rdmaAdapterCount = 0
    get-NetAdapterRdma | % { $rdmaAdapterCount = $rdmaAdapterCount + 1 }

    if( (($encryptedCount -gt 0 -and $smbServerConfiguration.EncryptData) -or $smbServerConfiguration.EnableSecuritySignature) -and $rdmaAdapterCount -gt 0 ) {
        $isRdmaAndSigningSettingCorrect = $false
    }
    else {
        $isRdmaAndSigningSettingCorrect = $true
    }

    Append-XmlElement $xmlDoc $smbNode $ns "IsRdmaAndSigningSettingCorrect" (Formalize-BoolValue $isRdmaAndSigningSettingCorrect)

    #
    #Check HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters registry key settings
    #
    $isDOSDetectionSettingOn = $true
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    $values = get-itemproperty -path $path
    if ($Values -ne $null) {
        if ($values.DisableDos -ne $null -and $Values.DisableDos -ne 0) {
            $isDOSDetectionSettingOn = $false
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsDOSDetectionSettingOn" (Formalize-BoolValue $isDOSDetectionSettingOn)

    #Check HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem registry key setting
    $is8Dot3NameCreationDisabled = $false
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem"
    $values = get-itemproperty -path $path
    if ($Values -ne $null) {
        if ($Values.NtfsDisable8dot3NameCreation -eq 1) {
            $is8Dot3NameCreationDisabled = $true
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "Is8Dot3NameCreationDisabled" (Formalize-BoolValue $is8Dot3NameCreationDisabled)

    #Check firewall settings for port 139 and 445
    $isPortEnabled = $true
    $fwmgr = (new-object -com hnetcfg.fwmgr).localpolicy.currentprofile
    $services = $fwmgr.Services
    if ($fwmgr.FirewallEnabled -eq $true -and $services -ne $null) {
        $service = $fwmgr.Services | where {$_.Name -eq "File and Printer Sharing"}
        foreach($port in $service.GloballyOpenPorts) {
            if($port.Port -eq 139 -and $port.Enabled -eq $false) {
                $isPortEnabled = $false
            }
            if($port.Port -eq 445 -and $port.Enabled -eq $false) {
                $isPortEnabled = $false
            }
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsPortEnabled" (Formalize-BoolValue $isPortEnabled)

    #Check HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters registry key settings
    $isNumTCPTablePartitionsDisabled = $true
    $isTCPWindowSizeDisabled = $true
    $isMaxHashTableSizeDisabled = $true
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    $values = get-itemproperty -path $path
    if ($Values -ne $null) {
        if ($values.NumTCPTablePartitions -ne $null) {
            $isNumTCPTablePartitionsDisabled = $false
        }
        if ($values.TCPWindowSize -ne $null) {
            $isTCPWindowSizeDisabled = $false
        }
        if ($values.MaxHashTableSize -ne $null) {
            $isMaxHashTableSizeDisabled = $false
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsNumTCPTablePartitionsDisabled" (Formalize-BoolValue $isNumTCPTablePartitionsDisabled)
    Append-XmlElement $xmlDoc $smbNode $ns "IsTCPWindowSizeDisabled" (Formalize-BoolValue $isTCPWindowSizeDisabled)
    Append-XmlElement $xmlDoc $smbNode $ns "IsMaxHashTableSizeDisabled" (Formalize-BoolValue $isMaxHashTableSizeDisabled)

    #
    # Check NIC Teaming Settings
    #
    Import-Module netlbfo
    $nicTeams = Get-NetLbfoTeam
    $IsNicTeamMemberOfDiffLinkSpeed = $false
    $IsNicTeamMemberOfDiffSettings = $false
    foreach ($team in $nicTeams) {
        $teamMembers = @(Get-NetLbfoTeamMember -Team $team.name)
        $linkSpeed = $null
        $dcbStatus = $null
        foreach ($nic in $teamMembers) {
            if ((Get-NetAdapter -name $nic.name).Status -eq "Up") {
                if ($linkSpeed -eq $null) {
                    $linkSpeed = $nic.TransmitLinkSpeed
                }
                elseif ($linkSpeed -ne $nic.TransmitLinkSpeed) {
                    $IsNicTeamMemberOfDiffLinkSpeed = $true
                }
            }

            if ($dcbStatus -eq $null) {
                $dcbStatus = (Get-NetAdapterQos -name $nic.name).Enabled
                if ($dcbStatus -eq $null) {
                    $dcbStatus = $false
                }
            }
            else {
                $memberDcbStatus = (Get-NetAdapterQos -name $nic.name).Enabled
                if ($memberDcbStatus -eq $null) {
                    $memberDcbStatus = $false
                }
                if ($dcbStatus -ne $memberDcbStatus) {
                    $IsNicTeamMemberOfDiffSettings = $true
                }
            }
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsNicTeamMemberOfDiffLinkSpeed" (Formalize-BoolValue $IsNicTeamMemberOfDiffLinkSpeed)
    Append-XmlElement $xmlDoc $smbNode $ns "IsNicTeamMemberOfDiffSettings" (Formalize-BoolValue $IsNicTeamMemberOfDiffSettings)

    #
    # Check NIC Offload Technologies - note that we're only interested in physical NICs
    #
    $PhysicalNics = Get-NetAdapter -Physical

    $IsChecksumOffloadEnabledOnNic = $true
    $ChecksumOffloadNics = $PhysicalNics | Get-NetAdapterChecksumOffload
    foreach ($nic in $ChecksumOffloadNics) {
        if (($nic.TcpIPv4Enabled -eq "Disabled") -or
            ($nic.TcpIPv6Enabled -eq "Disabled") -or
            ($nic.UdpIPv4Enabled -eq "Disabled") -or
            ($nic.UdpIPv6Enabled -eq "Disabled")) {
            $IsChecksumOffloadEnabledOnNic = $false
            break
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsChecksumOffloadEnabledOnNic" (Formalize-BoolValue $IsChecksumOffloadEnabledOnNic)

    $IsLargeSendOffloadEnabledOnNic = $true
    $LsoNics = $PhysicalNics | Get-NetAdapterLso
    foreach ($nic in $LsoNics) {
        if (($nic.version -eq 1 -and -not $nic.V1IPv4Enabled) -or
            ($nic.version -eq 2 -and (-not $nic.IPv4Enabled -or -not $nic.IPv6Enabled))) {
            $IsLargeSendOffloadEnabledOnNic = $false
            break
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsLargeSendOffloadEnabledOnNic" (Formalize-BoolValue $IsLargeSendOffloadEnabledOnNic)

    $IsIPsecTaskOffloadEnabledOnNic = $true
    $IPsecNics = $PhysicalNics | Get-NetAdapterIPsecOffload
    foreach ($nic in $IPsecNics) {
        if (-not $nic.Enabled) {
            $IsIPsecTaskOffloadEnabledOnNic = $false
            break
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsIPsecTaskOffloadEnabledOnNic" (Formalize-BoolValue $IsIPsecTaskOffloadEnabledOnNic)

    $IsReceiveSideScalingEnabledOnNic = $true
    $RssNics = $PhysicalNics | Get-NetAdapterRss
    foreach ($nic in $RssNics) {
        # RSS is operationally disabled if the NIC is bound to a switch
        if (IsNicBoundToHyperVSwitch($nic)) {
            continue
        }
        if (-not $nic.Enabled) {
            $IsReceiveSideScalingEnabledOnNic = $false
            break
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsReceiveSideScalingEnabledOnNic" (Formalize-BoolValue $IsReceiveSideScalingEnabledOnNic)

    $IsReceiveSideCoalescingEnabledOnNic = $true
    $RscNics = $PhysicalNics | Get-NetAdapterRsc
    foreach ($nic in $RscNics) {
        # RSC is operationally disabled if the NIC is bound to a switch
        if (IsNicBoundToHyperVSwitch($nic)) {
            continue
        }
        if (($nic.RscHardwareCapabilities.IPv4Supported -and -not $nic.IPv4Enabled) -or
            ($nic.RscHardwareCapabilities.IPv6Supported -and -not $nic.IPv6Enabled)) {
            $IsReceiveSideCoalescingEnabledOnNic = $false
            break
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsReceiveSideCoalescingEnabledOnNic" (Formalize-BoolValue $IsReceiveSideCoalescingEnabledOnNic)

    #
    # Check whether smb server configuration is consistent across cluster
    #
    $clusterConfigConsistent = $true
    $clusvc = get-service -name clussvc
    if( $clusvc -and
        ($clusvc.Status -eq [System.ServiceProcess.ServiceControllerStatus]"Running") -and
        (get-clusterresource | where-object {$_.ResourceType.ToString().Contains("File Server")}) ) {
        $nodes = get-clusternode
        $localConfig = Get-SmbServerConfiguration
        $configProperties = $localConfig | Get-Member | Where-Object{$_.MemberType -eq "Property"}
        foreach($node in $nodes) {
            if( $node.State.ToString() -ne "Up" ) {
                continue
            }

            $nodeConfig = Get-SmbServerConfiguration -CimSession $node.Name
            foreach( $configProp in $configProperties ) {
                if( $configProp.Name -eq "PSComputerName" ) {
                    continue
                }
                if( $localConfig.($configProp.Name) -ne $nodeConfig.($configProp.Name) ) {
                    $clusterConfigConsistent = $false
                    # $($node.Name) is needed so the property, not the object followed by ".Name", is expanded in the string
                    Write-Warning "Smb server configuration $configProp mismatches between this node and $($node.Name)"
                    break
                }
            }

            if( -not $clusterConfigConsistent) {
                break
            }
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsSmbServerConfigConsistentAcrossCluster" (Formalize-BoolValue $clusterConfigConsistent)

    #
    # check SMB S4U2Self user claim retrieval settings consistency with Kerberos setting to locate a Windows 8 DC
    # The check is that if EnableS4U2SelfForClaims is set to 1 then EnableCbacAndArmor should also be set to 1
    #
    $IsSMBS4U2SelfConfigConsistentWithKerberosConfig = $true
    $S4U2Selfpath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    $S4U2SelfValues = get-itemproperty -path $S4U2Selfpath
    if ($S4U2SelfValues -ne $null) {
        if ($S4U2SelfValues.EnableS4U2SelfForClaims -ne $null -and $S4U2SelfValues.EnableS4U2SelfForClaims -eq 1) {
            # Kerberos is looking in two locations, one local and one for policy and if one of these is set to
            # True (1) then Kerberos will try to look for a W8 DC
            $Kerberospath1 = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"
            $KerberosValues1 = get-itemproperty -path $Kerberospath1
            $Kerberospath2 = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
            $KerberosValues2 = get-itemproperty -path $Kerberospath2
            if (($KerberosValues1.EnableCbacAndArmor -eq $null -or $KerberosValues1.EnableCbacAndArmor -ne 1) -and
                ($KerberosValues2.EnableCbacAndArmor -eq $null -or $KerberosValues2.EnableCbacAndArmor -ne 1)) {
                $IsSMBS4U2SelfConfigConsistentWithKerberosConfig = $false
            }
        }
    }
    Append-XmlElement $xmlDoc $smbNode $ns "IsSMBS4U2SelfConfigConsistentWithKerberosConfig" (Formalize-BoolValue $IsSMBS4U2SelfConfigConsistentWithKerberosConfig)
}

function IsNicBoundToHyperVSwitch ($nic)
#
# FUNCTION DESCRIPTION:
# Check if a NIC is directly or indirectly bound to a Hyper-V switch. A NIC
# is indirectly bound to a switch if it is a member of a LBFO team, whose
# tNic is bound to a switch.
#
# PARAMETERS:
# $nic - an MSFT_NetAdapter object
#
# RETURN VALUES:
# $true - if $nic is bound, directly or indirectly, to a switch
# $false - Otherwise
#
{
    if ((Get-NetAdapterBinding $nic.name | ?{$_.ComponentID -eq "vms_pp"}).Enabled) {
        return $true
    }

    $teamMember = Get-NetLbfoTeamMember $nic.name
    if ($teamMember -ne $null) {
        $allTNics = Get-NetLbfoTeamNic -team $teamMember.team
        foreach ($tNic in $allTNics) {
            if ((Get-NetAdapterBinding $tNic.name | ?{$_.ComponentID -eq "vms_pp"}).Enabled) {
                return $true
            }
        }
    }

    return $false
}

#
# ------------------
# FUNCTIONS - END
# ------------------
#

#
# ------------------------
# SCRIPT MAIN BODY - START
# ------------------------
#

#
# Initialize to perform querying Role information
#
Setup

#
# Set the Target Namespace to be used by XML
#
$tns="http://schemas.microsoft.com/bestpractices/models/FileServices/SMB/2011/04"

#
# Create a new XmlDocument
#
$doc = Create-DocumentElement $tns "SMBComposite"

GetSMBXml $doc $tns

#
# Role Information obtained.
#
TearDown

$doc

# can be used for testing purpose
$doc.Save([Environment]::SystemDirectory + "\BestPractices\v1.0\Models\Microsoft\Windows\FileServices\tempSMB.xml")