Server Message Block (SMB) is a client-server protocol that provides access to resources such as files, printers and serial interfaces, and facilitates communication between network processes. SMB clients can communicate with any software that is configured to receive SMB requests over TCP/IP or NetBIOS.
With SMB, you can mount a shared file folder directly on a local Windows or MacOS machine, or in a cloud virtual machine. Modern versions of SMB provide security features such as AES-based data encryption.
SMB was formerly known as CIFS (Common Internet File System)—this is an old version of the SMB protocol which was decommissioned because it was inefficient and had severe security flaws.
This is part of our series of articles about Azure NetApp Files, a file sharing service on the Microsoft Azure cloud, and related technologies.
The SMB protocol enables applications or users to access files and other resources on a remote server. These resources can include file folders, printers, mailboxes, etc. It allows client applications to open, read, transfer, and update files on the remote server. It also allows communication between the client and any server program configured to receive SMB requests.
The SMB protocol operates in “request-response” mode—several messages are sent between the client and the server to establish a connection.
Major versions of SMB are:
Common Internet File System (CIFS) / SMB1—a protocol that was extremely chatty and slowed down WANs due to the extra load it created. It also suffered from major security vulnerabilities.
SMB 2.0—improved on CIFS and reduced chattiness by reducing the number of protocol commands from hundreds to under 20, and added support for symbolic links. Also resolved critical security issues.
SMB 3.0—an improved version of the protocol which provided features like SMB Direct, SMB Transparent Failover, and important security features including AES encryption.
Older versions of SMB used legacy protocols like IPX or NetBEUI. Modern SMB software and devices commonly communicate directly over TCP/IP, or if this is not supported, via NetBIOS over TCP/IP. Clients and servers can implement different versions of SMB, and negotiate a version (dialect) and set of capabilities when they connect.
Operating systems that support SMB include:
Microsoft Windows—all versions since Windows 95
MacOS—starting from MacOS X Lion
Free and open source implementations of SMB include:
FreeBSD—ships an SMB client implementation called smbfs
Samba—a server that implements the SMB protocol and Microsoft extensions
Windows Server 2012 R2, Windows Server 2012, and Windows Server 2016 include a feature called SMB Direct, which supports Remote Direct Memory Access (RDMA) network adapters. RDMA-compatible network cards provide high performance with very low latency and low use of CPU resources.
To use SMB Direct, the following conditions must be met:
The connection is between two or more computers running Windows Server 2012, Windows Server 2012 R2 or later
One or more of the computers are equipped with RDMA-compatible network adapters
Points to Consider When Using SMB Direct
When using SMB Direct in a failover scenario, ensure that the cluster network provides sufficient performance for SMB Direct, and that all cluster nodes have Receive Side Scaling (RSS) and RDMA network adapters.
SMB Multichannel checks the network adapter capabilities of connection partners. You must enable SMB Multichannel to use SMB Direct.
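The two prerequisites above (RDMA adapters, SMB Multichannel enabled) and the failover note about RSS can be verified from PowerShell before assuming that SMB Direct is in use. The following is an added example, not code from the original article; it is read-only and uses only built-in Windows Server cmdlets (NetAdapter and SmbShare modules). Run it in an elevated session on each node you want to check.

```powershell
# Added example (not from the original article): report whether this Windows Server
# meets the SMB Direct prerequisites. Read-only; run in an elevated PowerShell session.

# 1. OS version: SMB Direct needs Windows Server 2012 (kernel 6.2) or later.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$osVersion = [version]$os.Version
$osOk = $osVersion -ge [version]'6.2'
"OS: $($os.Caption) ($osVersion) - SMB Direct capable: $osOk"

# 2. RDMA-capable adapters, and whether RDMA is actually enabled on them.
$rdma = Get-NetAdapterRdma
if (-not $rdma) {
    "No RDMA-capable network adapters found; SMB will fall back to TCP/IP."
} else {
    $rdma | Select-Object Name, InterfaceDescription, Enabled | Format-Table -AutoSize
}

# 3. SMB Multichannel must be enabled for both the server and client roles,
#    otherwise SMB Direct is never selected.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
"SMB server EnableMultiChannel: $($srv.EnableMultiChannel)"
"SMB client EnableMultiChannel: $($cli.EnableMultiChannel)"

# 4. What the SMB client sees per interface: RSS and RDMA capability (the
#    failover note above wants both on every cluster node).
Get-SmbClientNetworkInterface |
    Select-Object FriendlyName, RssCapable, RdmaCapable, Speed |
    Format-Table -AutoSize

# 5. For live connections, confirm that RDMA was negotiated end to end rather
#    than only being available locally.
Get-SmbMultichannelConnection |
    Select-Object ServerName, ClientRdmaCapable, ServerRdmaCapable, CurrentChannels |
    Format-Table -AutoSize
```

Step 5 only shows output while an SMB connection to another server is open; if `ClientRdmaCapable` and `ServerRdmaCapable` are both `True` but `CurrentChannels` stays at one TCP channel, the usual cause is Multichannel being disabled on one side, which steps 3 and 4 expose.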
SMB Security Threats
Some of the most destructive ransomware and Trojan attacks in history were based on SMB protocol vulnerabilities, which allowed them to spread in company networks and around the world. Below are a few notable examples.
In 2017, a serious vulnerability called EternalBlue was found in SMB Version 1 (SMBv1). The vulnerability allowed an attacker to install malware on any computer running SMB1, without any action required by the user. Microsoft released an emergency patch (MS17-010) for this vulnerability that covered all supported Windows versions.
WannaCry was an attack that leveraged the EternalBlue vulnerability. It spread very quickly, destroying compromised systems. If SMB1 is enabled on a system, WannaCry can use it without any user intervention, install ransomware payloads, and then scan and infect other SMB1 compatible systems connected to the infected system.
WannaCry caused significant damage for governments, institutions and companies from the medical, automotive, communications, transportation and other industries. Microsoft took an unprecedented action and provided fixes for end-of-life versions of Windows, including Windows XP.
Nyetya was originally conceived as a supply chain attack, and was also distributed via EternalBlue. It also took advantage of another SMB vulnerability called EternalRomance, which was very effective in old Windows versions. Nyetya appeared to be ransomware, but in fact it was wipeware. It displayed a ransomware message, but users couldn't pay, and all data on infected systems was lost.
There are additional scenarios in which attackers leverage the SMB protocol, even without relying on a vulnerability. Threats like Bad Rabbit, Olympic Destroyer and SamSam used various methods to gain access to a network, and once inside, used SMB to gain access to sensitive systems. In other cases, attackers conducted brute force attacks on SMB shares, trying a large number of passwords until they gained access to sensitive data.
SMB Security Features
As a response to SMB security vulnerabilities and widespread attacks, Microsoft introduced several important security features.
SMB Encryption
Provides end-to-end encryption of all data transmitted over SMB, preventing interception of communications on unsecured networks. SMB encryption does not require IPsec or WAN acceleration to operate. It can be configured on a specific file share or for a whole file server. SMB encryption is an important measure for protecting sensitive data and preventing man-in-the-middle attacks.
Secure Dialect Negotiation
SMB 3.0 can detect attacks that attempt to downgrade the protocol from 3.0 to 2.0, or remove essential security capabilities. When a client or server detects such an attack, the connection is terminated and a security event is recorded in the event log.
However, secure dialect negotiation cannot detect or prevent a downgrade to SMB 1.0. This is why it is essential to disable the SMB 1.0 server, which has critical security flaws, on any legacy system that still supports it (in particular old versions of Windows).
New Signing Algorithm
SMB 3.0 uses modern cryptographic algorithms, in particular AES-CMAC for signing and AES-CCM for encryption. These algorithms are hardware-accelerated on modern CPUs with AES instructions. SMB 2.0 also supports signing, but using the older HMAC-SHA256 algorithm.
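The three features above (encryption per share or per server, disabling SMB1 because dialect negotiation cannot protect against that downgrade, and signing) are all controlled by the SmbShare PowerShell module on a Windows file server. The following is an added example, not code from the original article: it first reports the current state and the dialects connected clients are really using, then enforces the settings, then verifies them. The share name `Finance` is a placeholder for one of your own shares, and the cmdlets require an elevated session.

```powershell
# Added example (not from the original article): audit and enforce SMB encryption,
# SMB1 removal and signing on a Windows file server. Run in an elevated session.

$shareName = 'Finance'   # placeholder: substitute one of your own share names

# --- Current state: what the server allows today -------------------------------
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, AuditSmb1Access,
                  EncryptData, RejectUnencryptedAccess,
                  RequireSecuritySignature, EnableSecuritySignature |
    Format-List

# Which dialects are connected clients actually negotiating? A session on a
# 1.x dialect is an SMB1 client (or a downgrade) that needs to be tracked down;
# only 3.x sessions can be encrypted or use AES-CMAC signing.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Sort-Object Dialect |
    Format-Table -AutoSize

# --- Enforce -------------------------------------------------------------------
# 1. Stop serving SMB1. Secure dialect negotiation cannot detect a downgrade
#    to SMB1, so the only protection is not to speak it at all.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# On Windows Server the SMB1 component can be removed entirely:
#   Uninstall-WindowsFeature -Name FS-SMB1
# If legacy clients may still depend on SMB1, audit before disabling: with
# auditing on, each SMB1 access is logged as event 3000 in the
# Microsoft-Windows-SMBServer/Audit log.
#   Set-SmbServerConfiguration -AuditSmb1Access $true -Force
#   Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' | Where-Object Id -eq 3000

# 2. Require encryption on the sensitive share, then on the whole server, and
#    reject clients that cannot encrypt (i.e. anything below SMB 3.0).
Set-SmbShare -Name $shareName -EncryptData $true -Force
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# 3. Require message signing so tampered or replayed traffic is rejected.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# --- Verify --------------------------------------------------------------------
Get-SmbShare -Name $shareName | Select-Object Name, Path, EncryptData
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EncryptData, RejectUnencryptedAccess, RequireSecuritySignature
```

Enforce per share first and watch the session list: once `RejectUnencryptedAccess` is set server-wide, any client that negotiated a 2.x dialect in the audit step will lose access, so that list is the inventory of systems to upgrade before the server-wide switch.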
SMB File Sharing in the Cloud with Azure NetApp Files
Azure NetApp Files is a file sharing technology from Microsoft Azure built on NetApp technology, giving you enterprise file sharing capabilities with full SMB protocol support.
Bring enterprise-grade data management and storage to Azure so you can manage your workloads and applications with ease, and move all of your file-based applications to the cloud.
Azure NetApp Files solves availability and performance challenges for enterprises that want to move mission-critical applications to the cloud, including workloads like HPC, SAP, Linux, Oracle and SQL Server workloads, Windows Virtual Desktop, and more.