SMB Protocol Most Important Features

The article mentions SMB versions and reveals SMB's most important features, goes over SMB protocol performance, and more

 SMB Most Important Features

SMB, or Server Message Block, is one of the pillars of mass data transfers across networks. In the age of data centers and virtualized servers, this is the protocol that is doing the hard lifting, by moving, copying and modifying terabytes of user data, and keeping it secure and encrypted from hackers and ransom attacks.

The protocol itself has undergone a rapid evolution from its early days, and the latest Microsoft SMB 3.1.1 version is aimed at speed, flexibility and extreme security.

For virtualized data centers, the SMBv3.x family of dialects is the de-facto standard for high performance, offering a rich set of functions that weren’t available earlier.

💡 For an extensive introduction to the SMB protocol and learning what IT decision-makers need to know, check out What is SMB?

How SMB works

SMB Protocol

Everyone knows how easy it is to map network drives on one’s own device, and then access files and folders as if they were kept locally. In the background, what makes this possible is the SMB protocol. SMB is a protocol, just like the http protocol we use to browse the web, a set of rules that defines how data access is to take place.

When two devices wish to share data with each other on a network, they do so with the help of network redirectors. All such connection and access requests are handled and completed by redirectors, and these are sent as “data packets”. 

SMB Network details: What port does smb use?

SMB data packets come in three types: session control packets, file access packets and general message packets. SMB works at Layer 7, the application layer, and uses TCP/IP on port 445 (note: prior to Windows 2000 the SMB port number was 139).

SMB Servers, SMB Clients, and SMB shares

There are 3 basic components required in SMB communication:

  • SMB server – What is an SMB server? It is the machine that hosts the SMB shares
  • SMB client – What is an SMB client? It is the machine that accesses shares on an SMB server.
  • SMB share/file share- What is an SMB file share? It is a shared resource — most often a directory or group of directories — SMB clients access on SMB servers.

The SMB versions: SMB1, SMB2, and SMB3

SMB1

SMB1 also known as SMBv1 is the original implementation of SMB. It was created at IBM in the 1980s to enable network access to local DOS (Disk Operating System) file systems. SMB1 used 16-bit packet and small — by today’s standards — data buffers, which limited performance.. 

SMB1 is often associated with CIFS (Common Internet File System). This is because CIFS is a popular 1996 Microsoft SMB dialect that implemented SMB on many networks. 

“💡Pro-tip: SMBv1 does not have any encryption, which makes it so unsecured. Therefore it shouldn’t be used today. The protocol is highly susceptible to MITM (man-in-the-middle) attacks, and SMBv1 is the protocol exploited by ransomware like WannaCry and NotPetya. Additionally, SMB1 is inefficient and creates a lot of network “chatter” when compared to newer SMB versions.”

SMB2

SMB2 a.k.a. SMBv2 or SMB 2.0 was released by Microsoft in 2006 with Windows Vista. This Microsoft SMB2 protocol implementation improved performance and security when compared to SMB1.  For example, SMB2 increased packet sizes to 32-bit — and even 128-bit for file handles — a significant improvement over SMB1’s 16-bits. Subcommands for the SMB protocol were reduced from over 100 in SMB1 to less than 20 in SMB2 which reduced the “chattiness” (network noise and bandwidth consumption) SMB1 was known for. Features such as caching and durable connections were added in SMB2 as well, to further improve its performance. 

With Server 2008 R2 and Windows 7, Microsoft  introduced SMB 2.1. The newer Windows SMB 2.1 implementation improved how opportunistic locking (oplocks) work and helped further improve performance. 

SMB3

The original name for SMB3 (a.k.a. SMB v3) was SMB 2.2. The initial release of SMB3 is now known as SMB 3.0. Server 2012 and Windows 8 were the first Microsoft operating systems to support it. SMB v3 adds more performance and security enhancements to the protocol. For example, SMB multichannel and end-to-end encryption were introduced in SMB3.

SMB 3.1.1 — the latest version of SMB — was released along with Windows Server 2016 and Windows 10. SMB 3.1.1 includes security enhancements such as: enforcing secure connections with newer (SMB2 and later) clients and stronger encryption (AES-256 from Windows 11 and Windows Server 2022).

Key SMB features

With the basics of SMB out of the way, we can now take a technical deep-dive into the key SMB features.

1. Authentication

Like many other protocols, authentication is vital to SMB security. There are two aspects of SMB authentication:

  • User-level authentication- Requires clients to provide a username and password. Once a client — such as an SMB client Windows 10 computer — successfully authenticates to gain access to a share on a server — such as a Server 2019 SMB file server — the SMB client gains access to all shares on the server not restricted by additional “share-level” security.
  • Share-level authentication- Requires a share-specific password (no username) assigned to the share.

Both user-level and share-level SMB authentication encrypt passwords prior to transmission. In this section, we’ll take a closer look at the authentication features of security.

NTLM

Authenticating the client or user identity is important before file shares are given access. The NT Lan Manager (NTLM) is one of the two security protocols that offers authentication to hosts in a Windows network. For example, before an SMB connection is made, clients get authenticated by their domain where the server is located.

NTLM uses a challenge/response method to authenticate users and devices. The method incorporates a three-way handshake and password hashing to prove user authenticity; however the cryptography for this is weak, and vulnerable to ‘pass-the-hash’ attacks.

NTLMv2

The second version of NTLM is more secure with strong cryptography, and can prevent spoofing attacks. This protocol is still widely used as it is compatible with old systems.

The complete NTLM protocol suite is a single implementation comprising both NTLM versions along with NTLMV2 Session protocol.

Kerberos

Kerberos, developed by MIT, is a network authentication protocol that works transparently with the Windows Active Directory, and was introduced in Windows 2000.

The Active Directory of Windows is used to manage users, computers and services that are part of the network hierarchy. The server that runs the Active Directory Domain Service becomes the domain controller, able to authenticate and authorize network users and enforce security policies.

Kerberos employs cryptography to allow clients and servers to prove their identity to each other. Stronger than NTML, Kerberos authentication is performed separately from SMB, using tickets supplied by a Kerberos Key Distribution Center (KDC). Clients and servers use these tickets and authenticate themselves during connections on insecure networks.

Kerberos also allows encrypting subsequent communication with secret-key cryptography after the identities of clients and servers are ascertained.

Pre-Authentication Integrity

With SMB2.0.2 (Vista) onwards, the protocol ensures that users and clients are authenticated when they connect to servers. The security has been further enhanced in SMB3.0 (Windows 8) with a new algorithm for signing data packets.

The main function of pre-authentication integrity is to prevent what are called ‘man-in-the-middle’ attacks, whereby hackers attempt to inspect or eavesdrop on data packets and tamper with the connection and authentication properties. Using cryptographic SHA-512, this feature verifies requests for setting up sessions and subsequent negotiations.

2. Secured Data Transfer

In addition to authentication, ensuring data integrity and encryption in transit are important parts of SMB security. In this section, we’ll look at the SMB features that enable secure data transfer.

Message signing/SMB Signing

SMB allows for digital signing of data packets. Thus users who receive data packets can be assured of their point of origin and authenticity. Digital signing has been introduced to prevent ‘man in the middle’ attacks and tampering.

SMB Signing can be activated on all supported Windows versions, and is a default feature for domain controllers. On domain controllers, all users can thus download authentic group policies.

A new hashing algorithm, HMAC SHA-256, makes SMB2.0 more secure compared to the earlier dialects. With SMB3.0, security has been further enhanced by the AES-CMAC algorithm, and with Windows 11, AES-256-GCM has been introduced. The new algorithms also improve performance, especially on WANs.

SMB Encryption

Abandoning the older SMB versions for the more secure SMB3.0 is a great advance in network security. Although there are solutions such as IPSec, high security can be achieved and costs reduced by simply implementing the SMB 3.x protocol, where one needs to only check a box.

Encryption has been introduced to protect data in transit from malicious ransomware and other hacking attempts. The SMB3.X protocols allow setting up encryption on either single shares or file servers as per need.

From SMB3 onwards, it is now possible to detect ‘man-in-the-middle’ attacks and simply disconnect the network. The feature can be activated using the File Server Manager or via the powershell.

SMB encryption is of great importance for mobile workers, who work from unsecured networks, and is valuable for protecting sensitive corporate data during transfer. The feature requires both the client and the server to use SMB3.x protocols.

SMB3.0 uses the AES-CCM algorithm for encryption. Data integrity validation is done by using AES-CMAC algorithm. The older HMAC-SHA256 used by SMB 2 is no longer in use. The new algorithms work fast on modern CPUs using AES instruction support.

In SMB3.1.1, data packet confidentiality has been further strengthened with the addition of AES-256-GCM in Windows 11 and Windows Server 2022. This also comes with a performance increase of up to two times. Security is now stronger against tampering and eavesdropping with the use of cipher negotiation when a connection is established.

3. Performance

SMB performance has improved significantly since SMB v1 and CIFS. In addition to reducing the “chattiness” of SMB v1, later SMB versions include many features that increase throughput and take advantage of modern high-speed network connections. In this section, we’ll look at the performance-enhancing features of SMB.

Concurrent operations

Users often work together and may require simultaneous access to files stored on servers. SMB allows locking files as well as giving concurrent access. When a user wants access to a file that could be shared, the Lock feature is brought into action. Lock allows the user to perform some actions on a shared local file without notifying the server. It can also notify the server when only one client is present, or when only the read action is being performed on a shared file. Concurrent operation lets a user ask for specific access, such as granting read-only or write-only access. The SMB server keeps track of all such requests.

Maximum Transmission Unit

Microsoft has introduced new features to increase performance of large networks such as a 10 gigabit Ethernet. In SMB 2.1, better network speed can be obtained with large, multi-credit operations, also called the Maximum Transmission Unit, or MTU. The MTU is the size of the biggest data unit that can be sent across the protocol on a network.

By increasing the size of MTU, the maximum data unit can be 1MB, which allows for faster file transfer, and reduces the number of packets sent. MTU was introduced with Windows 2008 R2 and Windows 7.

MTU enhances data usage performance when, for example, querying an SQL server Database, making copies of virtual hard disks (Hyper-V), backing-up and restoring data.

Multichannel Technology

Much faster file transfers are possible with the multi-channel feature of SMB3.x. This can be done by combining several NIC cards, and all it takes is plugging them into the network.

Multi-channeling works by combining the bandwidth of several networking cards, and allows CPU cores to split data streams for faster data transfers. For example, a client with several 1 gigabit cards can connect faster to a server with a large, say a 10 gigabit card, or vice versa. Both client and server can be equipped with large NIC adapters, and thus utilize their CPU cored to the maximum.

Advantages of SMB multi-channel feature:

  • Increased network performance outside Windows clustering
  • Multiple data paths available
  • Higher throughput and network fault tolerance
  • Automatic configuration (dynamic addition of connections discovered automatically)

Multi-channeling is available with SMB3.x, while older protocols can only use one SMB connection.

With the Windows 10 update of 2016, SMB multi-channeling is much easier, as there is no need to add machine names and IP addresses.

SMB Direct and RDMA – What is SMB direct?

SMB Direct and Remote Direct Memory Access (RDMA) makes for a faster and more efficient clustered storage environment. RDMA allows for a quick, memory-to-memory transfer of data. All it takes is linking the servers using networking hardware such as InfiniBand, iWARP or RoCE. In a typical SOFS system as described later, several Windows file servers are grouped together to share files to workload servers. A failure of one server is managed by quickly restoring the connection using transparent failover. A bottleneck that can constrict speed lies with how the storage devices connect to the servers. Using Ethernet networks with even 10Gbps isn’t fast enough for enterprise data management requirements. Storage devices (SAN, FC, iSCSI) are commonly tied up into pools, and here virtual disks can be created for use as Hyper-V clusters, or in the case of SQL servers, file shares for accessing the database. These workload hosts receive their connection with SOFS servers via SMB3.x protocols. With the RDMA feature of SMB3.x, a high-speed data network can be set up. These are also called high-performance computing (HPC) environments, often found in systems for processing financial or scientific data. With remote direct memory access, CPU load is minimized as well as latencies in networking. With RDMA, a network file server can thus act as local storage when using Microsoft Hyper-V or SQL Server 2012. This feature is available only from SMB3.0 and above.

4. Durability and Reliability

Availability, scalability, and fault-tolerance are important aspects of file and resource sharing on modern networks. In this section, we’ll explore the key features that make SMB robust and reliable.

SMB Lease and Oplock

Lease is a new caching feature introduced in Windows 7. Similar to Oplock, lease allows clients to better utilize the network and adjust buffering policy. Although the names of lease types are different, they are similar to Oplock types. Some main lease types are read-caching, write-caching, and handle-caching.

The Oplock feature of SMB gives it many advantages such as file caching, simultaneous access, synchronization of the cache to reduce round trips, and thus overall better file sharing performance. A type of file locking, Oplock is actually a request rather than a command, and it’s sent by users to servers.

The request is met on certain conditions that have been allowed. Once the lock is invalid, the server sends a break to the user. Oplocks can be batch, exclusive or level 2 locks.

Durable handles and Persistent handles

How does SMB handle temporary loss of connection when a file is still open? From SMB2.0 onwards, durable handles are open file handles that survive a short disconnect. Clients can then re-connect after the network is restored. The persistence is achieved with the oplock/lease feature, which reconnects to the file.

To make the connections more resilient and long lasting, persistent handles are used. Thus in a 60-second window, the client can easily re-establish a connection while also denying a third party to connect to the file/s.

Persistent handles are able to do this as they get mirrored on separate storage (SFO partner), from where they are reclaimed. The SMB connections are thus continuously available and there is a transparent reconnect for smooth and uninterrupted operations.

Scalability

SMB allows for a great increase in handling number of users, and giving them file access and operational control for every server used. The new SMB dialects are built for scaling up, and allow every server to handle greater numbers of open file handles, file shares and concurrent operations. The Scale-Out File Services is a new feature ideally suited to data centers, whereby file storage can be made continuously available with the addition of new servers.

Continuous Availability Service

An important feature for data centers and services, continuous availability is an enterprise-grade feature of SMB3.0. The new SMB servers support clustered servers or scale-out servers. File shares in these networks can be set to ‘continuously available’ and mapped to clients that support SMB3.0.

The feature uses persistent handles, which offer a longer access period to files. The handle is requested with the persistent flag, and the timeout specified is carried out, unlike in the case of durable handles.

SMB Witness – SWN

The Witness service allows the clients on a network to get notified in case a server experiences disruption or latency. In SMB1.0 and to some extent in SMB2.x, this was achieved with a time-out service (based on remote procedure call). This however took a long time (up to 45 seconds). In enterprise networks, a faster notification was needed for quick failover to another server, and thus the Service Witness Protocol was introduced in the new SMB dialects. SWN is thus a separate protocol by itself and notifies clients using SMB3.x of any latencies and disruptions on the server-side. SWN is independent of the SMB protocol and runs independently, as part of the Continuously Available framework.

Transparent Failover

With transparent failover, users remain connected to their data if one of the servers breaks down, as another server smoothly kicks into action. The failover function thus allows applications to continue working as usual. Hence the name, ‘transparent failover’.

Transparent failover is a key feature of the 3.x family of SMB as per Microsoft. This feature is of great importance considering the rapid networking speed offered by SMB.

The new protocol supports Hyper-V virtual machines and SQL Server with automatic management of connections across nodes in a clustered environment. These applications are not very adept at handling server failures that can result in offline databases and in cases where a virtual server can no longer access storage and crashes. With SMB3.0 onwards, Windows file sharing is available all the time as transparent failover ensures that storage and data connections stay online.

The new protocol supports Hyper-V virtual machines and SQL Server with automatic management of connections across nodes in a clustered environment. These applications are not very adept at handling server failures that can result in offline databases and in cases where a virtual server can no longer access storage and crashes. With SMB3.0 onwards, Windows file sharing is available all the time as transparent failover ensures that storage and data connections stay online. The requirements of SMB Transparent Failover include:

  • Windows Server 2012 with at least two nodes on a failover cluster
  • Clearing of the Validate Configuration wizard by servers, storage and network
  • File server role available on all nodes of a cluster
  • Cluster file server set for file shares with continuously available property
 

For system administrators of clustered file servers and nodes, transparent failover is a great relief, as they can perform maintenance without loss of network connections.

Scale-Out File Servers

SOFS is the use of multiple servers (instead of just one, which is liable to fail or crash) so that client applications can access database storage. In case a server is not available, other servers ensure non-interrupted file access to users. This feature can only be used when both the server and client run on SMB3.x.

This feature is available from Windows Server 2012 onwards, and allows setting up high performance and always available Scale-Out File Servers (SOFS), where user permissions can be easily managed.

Handling enterprise data and workload on storage can now be done on file-based systems, and SMB3.x supports Hyper-V and SQL Server for such tasks. SOFS is the result of this transformation brought about by the latest protocol, with the added advantages of failover and scalability.

In a typical clustered network scenario, SMB3.0 offers parallel data access to all nodes by publishing file shares using version 2 of clustered shared volumes. Clients can also use the totality of resources available in the form of file server nodes and balance load, thus removing bandwidth restrictions found in single cluster nodes.

Clients running SMB1 protocol are denied access when connecting to a scale-out server system. Those running SMB2.0 can connect to SOFS, but cannot take advantage of the transparent failover feature.

Volume Shadow Copy Service (VSS)

VSS is a service introduced in Windows Server 2003 to improve the reliability of backup and restore operations. At a high-level, VSS allows backups to run while apps continue to write data to volumes. In SMB3, Microsoft added VSS for SMB file shares to further extend VSS functionality with SMB. The enhancements added:

  • A new VSS provider (File Share Shadow Copy Provider)
  • A new VSS requestor (File Share Shadow Copy Agent)
  • A new RPC (remote procedure call) protocol (File Server Remote VSS Protocol)
 

Prior to the VSS upgrades, shadow copies were only supported on local volumes. This limited the use of the service with HyperV hosts and virtual machines. With SMB3 and the VSS improvements, HyperV can provide reliable backup for guest virtual machines.

SMB Protocol Solutions

Visuality Systems Ltd is the world-leading developer and provider of SMB client and server protocol stacks. All Visuality Systems solutions fully comply with the Microsoft SMB specifications and support all SMB dialects, from NTLM 0.12 up to the latest 3.1.1.

Information on the benefits of using a Visuality Systems solution can be found at the YNQ, jNQ and NQ Storage product pages.

We offer an evaluation package to developers who wish to get started by filling this form.

SMB Software Use case Learn more
YNQ
Small footprint non-GPL SMB software for embedded systems.
JNQ
SMB over JAVA solution that fully supports SMB2 and SMB3 (modern JCIFS replacement).
NQ Storage
Robust multi-platform SMB server which can be integrated with any storage solution.

In a recent announcement, Microsoft unveiled significant updates to the Server Message Block (SMB) protocol, a foundational component for file and printer sharing in Windows environments that Visuality Systems integrates into any operating system as if it was native. This development, introduced in Windows 11 Insider preview Build 25992 (Canary), brings two key features to the forefront: support for alternative ports and changes to firewall rules.

SMB Protocol Alternative Ports

Traditionally, SMB servers have relied on the IANA-registered port TCP/445, with limited flexibility. However, with the latest changes, Windows 11 Insider now supports connecting to an SMB server over TCP, QUIC, or RDMA using alternative network ports. This represents a substantial departure from the longstanding hard-coded and unalterable port configurations.

SMB Alternative Ports

Users can now connect to alternative TCP, QUIC, and RDMA ports as long as the SMB server is configured to support the desired port. This can be achieved through mapped drive commands such as NET USE or New-SmbMapping, with future releases promising additional methods like Group Policy, PowerShell, or DNS SRV records. Importantly, administrators have the flexibility to control and even block the use of SMB client alternative ports through Group Policy.

SMB Protocol Firewall Rule Changes

The second major update involves changes to firewall rules associated with the SMB protocol. Previously, creating an SMB share automatically configured the firewall to enable rules in the “File and Printer Sharing” group, a legacy behavior since Windows XP SP2.

SMB Firewall

Now, Windows introduces the “File and Printer Sharing (Restrictive)” group, eliminating inbound NetBIOS ports 137-139. This move enhances default network security and aligns SMB protocol firewall rules more closely with the “File Server” role behavior on Windows Server, minimizing open ports to the essential ones required for sharing.

Visuality Systems’ Integration

Leveraging its long-lasting partnership with Microsoft, Visuality Systems fully supports the alternative ports feature in all its SMB protocol solutions: YNQ, jNQ, NQ Storage and QUIC File Manager, the first SMB over QUIC application running on Android. The multi-platform integration provides users with enhanced flexibility and configurability, especially in scenarios where alternative TCP ports or SMB over QUIC are preferred.

Future Outlook

While the current updates mark a significant stride toward improving Windows and Windows Server security, Microsoft plans to continue enhancing firewall rules. Future updates aim to remove inbound ICMP, LLMNR, and Spooler Service ports, further restricting access to only essential ports required for SMB sharing. This initiative underscores Microsoft’s dedication to fortifying the security posture of its operating systems in response to modern cybersecurity challenges.

SMB sharing

In conclusion, Microsoft’s recent SMB protocol updates signify a pivotal step toward bolstering both connectivity and security within Windows environments. The collaboration with Visuality Systems as a trusted ally ensures seamless integration of alternative ports support beyond Windows, emphasizing the commitment to providing users with adaptable and secure file and printer sharing solutions.

Tal Widerman, CEO, Visuality Systems

Tal Widerman, CEO, Visuality Systems

Share Via
Related Articles
Share Via
Table of Contents

Visuality systems uses technical, analytical, marketing, and other cookies. These files are necessary to ensure smooth operation of Voltabelting.com site and services and help us remember you and your settings. For details, please read our Privacy policy

Skip to content