The protocol itself has evolved rapidly since its early days, and the latest Microsoft SMB 3.1.1 version is aimed at speed, flexibility and strong security.
For virtualized data centers, the SMB 3.x family of dialects is the de facto standard for high performance, offering a rich set of functions that weren't available earlier.
💡 For an extensive introduction to the SMB protocol and learning what IT decision-makers need to know, check out What is SMB? by David Dynamicnet
How SMB works
SMB Protocol
Everyone knows how easy it is to map network drives on one's own device and then access files and folders as if they were kept locally. In the background, the SMB protocol is what makes this possible. SMB is a protocol, just like the HTTP protocol we use to browse the web: a set of rules that defines how data access is to take place.
When two devices wish to share data with each other on a network, they do so with the help of network redirectors. All such connection and access requests are handled and completed by redirectors, and they are sent as "data packets".
SMB network details: What port does SMB use?
SMB data packets come in three types: session control packets, file access packets and general message packets. SMB works at Layer 7, the application layer, and runs over TCP/IP on port 445 (note: prior to Windows 2000, SMB used port 139).
SMB Servers, SMB Clients, and SMB shares
There are 3 basic components required in SMB communication:
- SMB server – What is an SMB server? It is the machine that hosts the SMB shares.
- SMB client – What is an SMB client? It is the machine that accesses shares on an SMB server.
- SMB share/file share – What is an SMB file share? It is a shared resource, most often a directory or group of directories, that SMB clients access on SMB servers.
The SMB versions: SMB1, SMB2, and SMB3
SMB1
SMB1, also known as SMBv1, is the original implementation of SMB. It was created at IBM in the 1980s to enable network access to local DOS (Disk Operating System) file systems. SMB1 used 16-bit packet fields and small (by today's standards) data buffers, which limited performance.
SMB1 is often associated with CIFS (Common Internet File System). This is because CIFS is a popular 1996 Microsoft SMB dialect that implemented SMB on many networks.
SMB2
SMB2, a.k.a. SMBv2 or SMB 2.0, was released by Microsoft in 2006 with Windows Vista. This Microsoft SMB2 protocol implementation improved performance and security compared to SMB1. For example, SMB2 increased packet sizes to 32-bit (and even 128-bit for file handles), a significant improvement over SMB1's 16 bits. Subcommands for the SMB protocol were reduced from over 100 in SMB1 to fewer than 20 in SMB2, which reduced the "chattiness" (network noise and bandwidth consumption) SMB1 was known for. Features such as caching and durable connections were also added in SMB2 and further improve performance.
With Server 2008 R2 and Windows 7, Microsoft introduced SMB 2.1. The newer Windows SMB 2.1 implementation improved how opportunistic locking (oplocks) works and helped further improve performance.
SMB3
With the basics of SMB out of the way, we can now take a technical deep-dive into the key SMB features.
1. Authentication
As with many other protocols, authentication is vital to SMB security. There are two aspects of SMB authentication:
- User-level authentication – requires clients to provide a username and password. Once a client (such as a Windows 10 SMB client computer) successfully authenticates to gain access to a share on a server (such as a Server 2019 SMB file server), the SMB client gains access to all shares on the server that are not restricted by additional "share-level" security.
- Share-level authentication – requires a share-specific password (no username) assigned to the share.
Both user-level and share-level SMB authentication encrypt passwords prior to transmission. In this section, we'll take a closer look at the authentication-related security features.
NTLM
The identity of the client or user must be authenticated before access to file shares is granted. NT LAN Manager (NTLM) is one of the two security protocols that authenticate hosts in a Windows network. For example, before an SMB connection is made, the client is authenticated by the domain in which the server is located.
NTLM uses a challenge/response method to authenticate users and devices. The method incorporates a three-way handshake and password hashing to prove user authenticity; however, the cryptography involved is weak and vulnerable to 'pass-the-hash' attacks.
NTLMv2
The second version of NTLM is more secure, with stronger cryptography, and can prevent spoofing attacks. This protocol is still widely used because it remains compatible with older systems.
The complete NTLM protocol suite is a single implementation comprising both NTLM versions along with the NTLMv2 Session protocol.
Kerberos
Kerberos, developed by MIT, is a network authentication protocol that works transparently with the Windows Active Directory, and was introduced in Windows 2000.
The Active Directory of Windows is used to manage users, computers and services that are part of the network hierarchy. The server that runs the Active Directory Domain Service becomes the domain controller, able to authenticate and authorize network users and enforce security policies.
Kerberos employs cryptography to allow clients and servers to prove their identity to each other. Stronger than NTLM, Kerberos authentication happens separately from SMB, using tickets supplied by a Kerberos Key Distribution Center (KDC). Clients and servers use these tickets to authenticate themselves during connections over insecure networks.
Kerberos also allows subsequent communication to be encrypted with secret-key cryptography once the identities of clients and servers have been established.
Pre-Authentication Integrity
From SMB 2.0.2 (Vista) onwards, the protocol ensures that users and clients are authenticated when they connect to servers. Security was further enhanced in SMB 3.0 (Windows 8) with a new algorithm for signing data packets.
The main function of pre-authentication integrity is to prevent so-called 'man-in-the-middle' attacks, in which an attacker inspects or eavesdrops on data packets and tampers with the connection and authentication properties. Using the SHA-512 cryptographic hash, this feature verifies the negotiation and session-setup exchange that precedes every session.
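The hash chain described above, as an added illustration (not code from the original page or from Visuality Systems): a running SHA-512 over the negotiate and session-setup messages, followed by the counter-mode KDF that SMB 3.1.1 uses to bind the signing key to that hash. The sample messages are constructed, simplified stand-ins, and the KDF label and byte layout follow my reading of MS-SMB2 3.1.4.2, so treat them as assumptions to check against the specification.

```python
import hashlib
import hmac
import struct

# Constructed sample messages (not real captures): the bytes only need to stand
# in for a 3.1.1 NEGOTIATE request/response and a SESSION_SETUP request.
NEGOTIATE_REQ = b"\xfeSMB" + b"\x00" * 60 + b"\x24\x00" + b"\x11\x03"   # dialect 0x0311
NEGOTIATE_RSP = b"\xfeSMB" + b"\x00" * 60 + b"\x41\x00" + b"\x11\x03"
SESSION_SETUP_REQ = b"\xfeSMB" + b"\x00" * 60 + b"\x19\x00" + b"token"


def preauth_integrity_hash(messages):
    """H0 is 64 zero bytes; H(i) = SHA-512(H(i-1) || message_i) over every
    NEGOTIATE and SESSION_SETUP message seen before the session is set up."""
    h = bytes(64)
    for msg in messages:
        h = hashlib.sha512(h + msg).digest()
    return h


def kdf_counter_mode(key, label, context, bits=128):
    """SP800-108 counter-mode KDF with HMAC-SHA256 as PRF; one block is
    enough for a 128-bit output (assumed layout: i || label || 0x00 || ctx || L)."""
    data = struct.pack(">I", 1) + label + b"\x00" + context + struct.pack(">I", bits)
    return hmac.new(key, data, hashlib.sha256).digest()[: bits // 8]


def derive_signing_key_311(session_key, preauth_hash):
    # In 3.1.1 the context of the signing-key derivation is the pre-auth hash,
    # so any difference in what the two sides saw yields different keys.
    return kdf_counter_mode(session_key, b"SMBSigningKey\x00", preauth_hash)


def demo(session_key=b"\x11" * 16):
    """Client and server each hash what they saw.  If a negotiate message was
    altered in transit, their hashes and therefore their keys disagree, and the
    first signed message fails verification instead of being silently accepted."""
    client_view = [NEGOTIATE_REQ, NEGOTIATE_RSP, SESSION_SETUP_REQ]
    altered_req = NEGOTIATE_REQ[:-2] + b"\x00\x03"          # dialect field changed
    server_view = [altered_req, NEGOTIATE_RSP, SESSION_SETUP_REQ]
    client_key = derive_signing_key_311(session_key, preauth_integrity_hash(client_view))
    server_key = derive_signing_key_311(session_key, preauth_integrity_hash(server_view))
    return {"client_key": client_key, "server_key": server_key,
            "keys_match": hmac.compare_digest(client_key, server_key)}


if __name__ == "__main__":
    print(demo())
```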
2. Secured Data Transfer
Message signing/SMB Signing
SMB allows data packets to be digitally signed, so recipients of data packets can be assured of their origin and authenticity. Digital signing was introduced to prevent 'man-in-the-middle' attacks and tampering.
SMB signing can be activated on all supported Windows versions and is enabled by default on domain controllers, so that all users download authentic group policies from them.
A new hashing algorithm, HMAC-SHA256, makes SMB 2.0 more secure than the earlier dialects. With SMB 3.0, security was further strengthened by the AES-CMAC algorithm, and with Windows 10, AES-128-GCM was introduced. The new algorithms also improve performance, especially over WANs.
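The SMB 2.x signing construction mentioned above, as an added example (not code from the original page or from Visuality Systems): HMAC-SHA256 over the whole message with the 16-byte signature field zeroed, truncated to 16 bytes and placed at header offset 48. The header layout follows MS-SMB2 2.2.1.2, the session key and payload are constructed, and SMB 3.x (AES-CMAC/GMAC) is not covered here.

```python
import hashlib
import hmac

SMB2_MAGIC = b"\xfeSMB"
SMB2_FLAGS_SIGNED = 0x00000008
FLAGS_OFFSET = 16      # Flags: bytes 16..19 of the 64-byte header
SIG_OFFSET = 48        # Signature: bytes 48..63
SIG_LEN = 16


def build_header(command, message_id, session_id, flags=0):
    """Minimal little-endian SMB2 header with a zeroed signature field."""
    return (SMB2_MAGIC
            + (64).to_bytes(2, "little") + (1).to_bytes(2, "little")   # StructureSize, CreditCharge
            + (0).to_bytes(4, "little")                                 # Status
            + command.to_bytes(2, "little") + (1).to_bytes(2, "little") # Command, CreditRequest
            + flags.to_bytes(4, "little") + (0).to_bytes(4, "little")   # Flags, NextCommand
            + message_id.to_bytes(8, "little") + (0).to_bytes(4, "little")  # MessageId, Reserved
            + (1).to_bytes(4, "little") + session_id.to_bytes(8, "little")  # TreeId, SessionId
            + bytes(SIG_LEN))


def smb2_sign(session_key, message):
    """Set SMB2_FLAGS_SIGNED, zero the signature field, HMAC the whole
    message and write the first 16 bytes of the MAC back into the header."""
    flags = int.from_bytes(message[FLAGS_OFFSET:FLAGS_OFFSET + 4], "little") | SMB2_FLAGS_SIGNED
    msg = (message[:FLAGS_OFFSET] + flags.to_bytes(4, "little")
           + message[FLAGS_OFFSET + 4:SIG_OFFSET] + bytes(SIG_LEN) + message[SIG_OFFSET + SIG_LEN:])
    sig = hmac.new(session_key, msg, hashlib.sha256).digest()[:SIG_LEN]
    return msg[:SIG_OFFSET] + sig + msg[SIG_OFFSET + SIG_LEN:]


def smb2_verify(session_key, message):
    """A receiver that requires signing rejects unsigned messages outright,
    then recomputes the MAC over the zeroed message and compares in constant time."""
    if len(message) < 64 or message[:4] != SMB2_MAGIC:
        return False
    flags = int.from_bytes(message[FLAGS_OFFSET:FLAGS_OFFSET + 4], "little")
    if not flags & SMB2_FLAGS_SIGNED:
        return False
    zeroed = message[:SIG_OFFSET] + bytes(SIG_LEN) + message[SIG_OFFSET + SIG_LEN:]
    expected = hmac.new(session_key, zeroed, hashlib.sha256).digest()[:SIG_LEN]
    return hmac.compare_digest(expected, message[SIG_OFFSET:SIG_OFFSET + SIG_LEN])


def demo():
    key = b"\x42" * 16                               # constructed session key
    body = b"\x39\x00" + b"\x00" * 55                # constructed CREATE-style payload
    signed = smb2_sign(key, build_header(0x0005, message_id=3, session_id=0x1234) + body)
    tampered = signed[:70] + b"\xff" + signed[71:]   # one byte of the body altered in transit
    return {"ok": smb2_verify(key, signed),
            "tampered": smb2_verify(key, tampered),
            "wrong_key": smb2_verify(b"\x00" * 16, signed)}
```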
SMB Encryption
Abandoning the older SMB versions for the more secure SMB 3.0 is a great advance in network security. Although there are solutions such as IPsec, high security can be achieved at lower cost simply by deploying the SMB 3.x protocol, where enabling encryption is a matter of checking a box.
Encryption was introduced to protect data in transit from ransomware and other attacks. The SMB 3.x protocols allow encryption to be enabled either on individual shares or on whole file servers, as needed.
From SMB3 onwards, 'man-in-the-middle' attacks can be detected and the connection simply dropped. The feature can be activated using the File Server Manager or via PowerShell.
SMB encryption is of great importance for mobile workers who work from unsecured networks, and is valuable for protecting sensitive corporate data during transfer. The feature requires both the client and the server to use SMB 3.x protocols.
SMB 3.0 uses the AES-CCM algorithm for encryption. Data integrity validation is done with the AES-CMAC algorithm; the older HMAC-SHA256 used by SMB 2 is no longer used. The new algorithms run fast on modern CPUs that have AES instruction support.
In SMB 3.1.1, data packet confidentiality has been further strengthened with the addition of AES-128-GCM in Windows 10 and Windows Server 2016. This also brings a performance increase of up to two times. Security against tampering and eavesdropping is now stronger thanks to cipher negotiation when a connection is established.
3. Performance
Concurrent operations
Maximum Transmission Unit
Multichannel Technology
Much faster file transfers are possible with the multichannel feature of SMB 3.x. This is done by combining several network interface cards (NICs), and all it takes is plugging them into the network.
Multichannel works by combining the bandwidth of several network cards and allowing CPU cores to split data streams for faster transfers. For example, a client with several 1 gigabit cards can connect faster to a server with a single large 10 gigabit card, or vice versa. Both the client and the server can be equipped with large NIC adapters and thus utilize their CPU cores to the maximum.
Advantages of the SMB multichannel feature:
- Increased network performance outside Windows clustering
- Multiple data paths available
- Higher throughput and network fault tolerance
- Automatic configuration (dynamically added connections are discovered automatically)
Multichannel is available only with SMB 3.x; older dialects can use only one SMB connection.
With the Windows 10 update of 2016, SMB multichannel became much easier to use, as there is no need to add machine names and IP addresses.
SMB Direct and RDMA – What is SMB direct?
4. Durability and Reliability
SMB Lease and Oplock
Leases are a caching feature introduced in Windows 7. Similar to oplocks, leases allow clients to make better use of the network and adjust their buffering policy. Although the lease type names differ, they correspond closely to the oplock types. The main lease types are read-caching, write-caching and handle-caching.
The oplock feature of SMB provides many advantages, such as file caching, simultaneous access and synchronization of the cache to reduce round trips, and thus better overall file sharing performance. A type of file lock, an oplock is actually a request rather than a command, sent by the client to the server.
The server grants the request when the conditions allow it. Once the lock can no longer be honoured, the server sends an oplock break to the client. Oplocks can be batch, exclusive or level 2 locks.
Durable handles and Persistent handles
How does SMB handle a temporary loss of connection while a file is still open? From SMB 2.0 onwards, durable handles are open file handles that survive a short disconnect, so clients can reconnect once the network is restored. The persistence relies on the oplock/lease feature, which is used to reconnect to the file.
To make connections more resilient and longer lasting, persistent handles are used. Within a 60-second window, the client can easily re-establish the connection while a third party is prevented from opening the file(s).
Persistent handles can do this because they are mirrored on separate storage (the SFO partner), from where they are reclaimed. SMB connections are thus continuously available, with a transparent reconnect for smooth and uninterrupted operation.
Scalability
Continuous Availability Service
An important feature for data centers and services, continuous availability is an enterprise-grade feature of SMB 3.0. The new SMB servers support clustered servers or scale-out servers. File shares on these servers can be set to 'continuously available' and mapped by clients that support SMB 3.0.
The feature uses persistent handles, which offer a longer access period to files. The handle is requested with the persistent flag, and the timeout requested is honoured, unlike in the case of durable handles.
SMB Witness – SWN
Transparent Failover
With transparent failover, users remain connected to their data if one of the servers breaks down, because another server smoothly takes over. The failover thus allows applications to continue working as usual, hence the name 'transparent failover'.
Transparent failover is a key feature of the SMB 3.x family according to Microsoft. This feature is of great importance considering the high networking speeds offered by SMB.
The new protocol supports Hyper-V virtual machines and SQL Server with automatic management of connections across nodes in a clustered environment. These applications are not very adept at handling server failures, which can result in offline databases, or in a virtual server crashing because it can no longer access its storage. From SMB 3.0 onwards, Windows file sharing is available all the time, as transparent failover ensures that storage and data connections stay online.
Transparent failover requires:
- Windows Server 2012 with at least two nodes in a failover cluster
- Servers, storage and network that pass the Validate Configuration wizard
- The File Server role available on all nodes of the cluster
- A clustered file server with file shares set to the continuously available property
For system administrators of clustered file servers and nodes, transparent failover is a great relief, as they can perform maintenance without loss of network connections.
Scale-Out File Servers
SOFS uses multiple servers (instead of just one, which may fail or crash) so that client applications can access database storage. If one server is unavailable, the other servers ensure uninterrupted file access for users. This feature can only be used when both the server and the client run SMB 3.x.
This feature is available from Windows Server 2012 onwards and allows setting up high-performance, always-available Scale-Out File Servers (SOFS), where user permissions can be managed easily.
Enterprise data and workloads can now be handled on file-based storage, and SMB 3.x supports Hyper-V and SQL Server for such tasks. SOFS is the result of this transformation brought about by the latest protocol, with the added advantages of failover and scalability.
In a typical clustered network scenario, SMB 3.0 offers parallel data access to all nodes by publishing file shares using Cluster Shared Volumes version 2. Clients can also use the full set of resources available across the file server nodes and balance load, thus removing the bandwidth restrictions found in single cluster nodes.
Clients running the SMB1 protocol are denied access when connecting to a scale-out server system. Those running SMB 2.0 can connect to SOFS, but cannot take advantage of the transparent failover feature.
Volume Shadow Copy Service (VSS)
VSS is a service introduced in Windows Server 2003 to improve the reliability of backup and restore operations. At a high level, VSS allows backups to run while applications continue to write data to volumes. In SMB3, Microsoft added VSS for SMB file shares to further extend VSS functionality with SMB. The enhancements added:
- A new VSS provider (File Share Shadow Copy Provider)
- A new VSS requestor (File Share Shadow Copy Agent)
- A new RPC (remote procedure call) protocol (File Server Remote VSS Protocol)
Prior to these VSS upgrades, shadow copies were only supported on local volumes, which limited the use of the service with Hyper-V hosts and virtual machines. With SMB3 and the VSS improvements, Hyper-V can provide reliable backups for guest virtual machines.
Visuality Systems Ltd is the world-leading developer and provider of SMB client and server protocol stacks. All Visuality Systems solutions fully comply with the Microsoft SMB specifications and support all SMB dialects, from NT LM 0.12 up to the latest 3.1.1.
Information on the benefits of using a Visuality Systems solution can be found on the YNQ, jNQ and NQ Storage product pages. An evaluation package is offered to customers who wish to get started by filling in the form below.
SMB Software | Use case | Learn More |
---|---|---|
YNQ | Small-footprint non-GPL SMB software for embedded systems. | |
jNQ | SMB over Java solution that fully supports SMB2 and SMB3 (modern JCIFS replacement). | |
NQ Storage | Robust multi-platform SMB server that can be integrated with any storage solution. | |