Introduction
Microsoft continues to enhance the security and flexibility of the SMB protocol as part of its Secure Future Initiative (SFI). One of the latest improvements is the introduction of alternative ports for SMB, allowing administrators to configure SMB traffic over ports other than the traditional defaults. This feature enhances security by providing more control over inbound SMB connections and reducing reliance on well-known ports targeted by attackers. Learn more about SMB alternative ports in our video tutorial.
What Are Alternative Ports?
Service names and port numbers help distinguish different services running over transport protocols. By default, SMB operates on specific IANA/IETF-assigned ports:
- TCP: 445
- QUIC: 443
- RDMA: 5445
With the introduction of alternative ports, administrators can assign any port number between 0 and 65536, allowing for more flexibility in network configurations.
Before SMB Alt Ports Were Introduced
Previously, SMB servers accepted inbound connections only on the default port assigned to each transport type. Any client that could reach those ports could therefore attempt to connect, as long as it trusted the server’s certificate.
After SMB Alt Ports Were Introduced
Now, administrators can configure SMB inbound connections on any designated port, enhancing control over how and where connections are established. Moreover, client-side restrictions can be enforced to block alternative ports and limit connectivity to specific, pre-approved servers.
Configuring SMB Alt Ports with PowerShell
Windows Server now provides PowerShell commands to define and manage alternative ports for SMB. Below are key commands to configure alternative ports:
Listing Available Alternative Ports
To see which alternative ports are already configured on your SMB server, run:
PS> Get-SmbServerAlternativePort
Example Output:
Port TransportType EnableInstances
---- ------------- ---------------
443 Quic Default
445 Tcp Enabled
Mapping an Alternative Port for an SMB Client
To establish an SMB client connection using an alternative port, use:
PS> New-SmbMapping -LocalPath <drive letter>: -RemotePath \\server\share -TcpPort <port number>
This allows clients to connect to an SMB share over a non-default port.
Adding, Removing, and Updating Alternative Ports
To configure an alternative SMB port for QUIC, use:
PS> New-SmbServerAlternativePort -TransportType Quic -Port <NewPortNumber> -EnableInstances Default
To remove an alternative SMB port:
PS> Remove-SmbServerAlternativePort -TransportType Quic -Port <OldPortNumber>
To modify an existing port assignment:
PS> Set-SmbServerAlternativePort -TransportType Quic -OldPort <OldPortNumber> -NewPort <NewPortNumber>
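Putting the commands above together, here is an added example (not from the original post or from Visuality Systems) that registers an alternative TCP port on the server, opens the firewall for it, and then verifies the mapping from a client. The server name FS01, share name Data, port 10445, drive letter S: and client subnet 10.20.0.0/24 are assumed values for illustration.

```powershell
# Added example: configure and verify an SMB alternative TCP port end to end.
# Assumed values (not from the post): port 10445, server FS01, share Data, subnet 10.20.0.0/24.
$AltPort = 10445
$Server  = 'FS01'
$Share   = 'Data'

# ---- Server side (run elevated on FS01) ----------------------------------------
# Ports must be unique across transport types; refuse to overwrite an existing mapping.
$existing = Get-SmbServerAlternativePort | Where-Object { $_.Port -eq $AltPort }
if ($existing) {
    throw "Port $AltPort is already mapped to $($existing.TransportType); choose a unique port."
}

New-SmbServerAlternativePort -TransportType Tcp -Port $AltPort -EnableInstances Default

# The built-in File and Printer Sharing rule only covers 445, so the new port needs its own
# inbound rule. Scope it to the client subnet instead of allowing any remote address.
New-NetFirewallRule -DisplayName "SMB alternative port $AltPort" -Direction Inbound `
    -Protocol TCP -LocalPort $AltPort -RemoteAddress '10.20.0.0/24' -Action Allow

# Confirm the listener is registered before changing any client.
Get-SmbServerAlternativePort | Format-Table Port, TransportType, EnableInstances

# ---- Client side (run on a host in 10.20.0.0/24) ------------------------------
# Probe the port first so a failed mapping is not misread as an authentication problem.
$probe = Test-NetConnection -ComputerName $Server -Port $AltPort
if (-not $probe.TcpTestSucceeded) {
    throw "TCP port $AltPort on $Server is not reachable; check the listener and firewall rule."
}

New-SmbMapping -LocalPath 'S:' -RemotePath "\\$Server\$Share" -TcpPort $AltPort

# Verify the session is up and check that signing/encryption match your policy.
Get-SmbConnection -ServerName $Server |
    Format-Table ServerName, ShareName, Dialect, Signed, Encrypted
```

Run the two halves on the respective machines; the server half needs an elevated prompt because both the SMB server and firewall cmdlets modify system configuration.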
Best Practices & Common Pitfalls
When configuring SMB alternative ports, follow these best practices to ensure security and functionality:
✅ Best Practices
- Assign unique ports for different transport types to avoid conflicts.
- Verify connectivity after modifying port settings to confirm functionality.
❌ Pitfalls to Avoid
- Relying on default settings without considering security risks.
- Assuming compatibility without testing the new configuration.
Conclusion
The introduction of alternative ports for SMB is a crucial step in Microsoft’s Secure Future Initiative, offering administrators more control over network security and access management. Visuality Systems, the SMB protocol experts, ensure that our solutions align with Microsoft’s latest SMB security advancements, including SMB signing, SMB over QUIC, and NTLM blocking. If you need more information, consultation, or a trial of our solutions, contact us today!
Raphael Barki, Head of Marketing, Visuality Systems