Server Message Block


In computer networking, Server Message Block, one version of which was also known as Common Internet File System, is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows, where it was known as "Microsoft Windows Network" before the introduction of Active Directory. Corresponding Windows services are LAN Manager Server for the server component, and LAN Manager Workstation for the client component.

Features

Server Message Block provides file sharing, network browsing, printing services, and interprocess communication over a network.
The SMB protocol relies on lower-level protocols for transport.
The Microsoft SMB protocol was often used with NetBIOS over TCP/IP over UDP, using port numbers 137 and 138, and TCP port numbers 137 and 139.
NBT for use by NetBIOS is supported on Windows Server 2003, Windows XP, Windows 2000, Windows NT, and Windows Me/98/95.
NetBIOS is not supported on Windows Vista, Windows Server 2008, and subsequent versions of Windows.  SMB/NBT combination is generally used for backward compatibility.
The NetBIOS over NetBEUI protocol provides NetBIOS support for the NetBEUI protocol. This protocol is also called NetBIOS Frames. NBF is supported on Windows 2000, Windows NT, and Windows Me/98/95. NetBEUI is no longer supported on Windows XP and later. However, SMB Protocol can also be used without a separate transport protocol directly over TCP, port 445. NetBIOS was also supported over several legacy protocols such as IPX/SPX.
The SMB Inter-Process Communication system provides named pipes and was one of the first inter-process mechanisms commonly available to programmers that provides a means for services to inherit the authentication carried out when a client first connects to an SMB server.
Some services that operate over named pipes, such as those which use Microsoft's own implementation of DCE/RPC over SMB, known as MSRPC over SMB, also allow MSRPC client programs to perform authentication, which overrides the authorization provided by the SMB server, but only in the context of the MSRPC client program that successfully makes the additional authentication.
SMB signing: Windows NT 4.0 Service Pack 3 and upwards have the capability to use cryptography to digitally sign SMB connections. The most common official term is "SMB signing". Other terms that have been used officially are " Security Signatures", "SMB sequence numbers" and "SMB Message Signing". SMB signing may be configured individually for incoming SMB connections and outgoing SMB connections. The default setting from Windows 98 and upwards is to opportunistically sign outgoing connections whenever the server also supports this, and to fall back to unsigned SMB if both partners allow this. The default setting for Windows domain controllers from Windows Server 2003 and upwards is to not allow fall back for incoming connections. The feature can also be turned on for any server running Windows NT 4.0 Service Pack 3 or later. This protects from man-in-the-middle attacks against the Clients retrieving their policies from domain controllers at login.
SMB supports opportunistic locking—a special type of locking-mechanism—on files in order to improve performance.
SMB serves as the basis for Microsoft's Distributed File System implementation.

History

SMB / CIFS / SMB1

originally designed SMB at IBM in early 1983 with the aim of turning DOS INT 21h local file access into a networked file system. Microsoft has made considerable modifications to the most commonly used version. Microsoft merged the SMB protocol with the LAN Manager product which it had started developing for OS/2 with 3Com around 1990, and continued to add features to the protocol in Windows for Workgroups and in later versions of Windows.
SMB was originally designed to run on top of the NetBIOS/NetBEUI API. Since Windows 2000, SMB runs, by default, with a thin layer, similar to the Session Message packet of NBT's Session Service, on top of TCP, using TCP port 445 rather than TCP port 139—a feature known as "direct host SMB".
Windows Server 2003, and older NAS devices use SMB1/CIFS natively. SMB1/CIFS is an extremely chatty protocol, in that it makes inefficient use of networking resources, particularly when transported over expensive WAN links. While Microsoft estimates that SMB1/CIFS comprises less than 10% of network traffic in the average Enterprise network, that is still a significant amount of traffic. One approach to mitigating the inefficiencies in the protocol is to use WAN Acceleration products such as those provided by Riverbed, Silver Peak, or Cisco Systems. A better approach is simply to eliminate SMB1/CIFS by upgrading the server infrastructure that uses it. This includes both NAS devices as well as Windows Server 2003. The most effective method in use currently to identify SMB1/CIFS traffic is to use a network analyzer tool such as Wireshark, etc., to identify SMB1/CIFS "talkers" and then decommission or upgrade them over time. Microsoft also provides an auditing tool in Windows Server 2016, which can be used to track down SMB1/CIFS talkers.
In 1996, when Sun Microsystems announced WebNFS, Microsoft launched an initiative to rename SMB to Common Internet File System and added more features, including support for symbolic links, hard links, larger file sizes, and an initial attempt at supporting direct connections over TCP port 445 without requiring NetBIOS as a transport. Microsoft submitted some partial specifications as Internet-Drafts to the IETF, though these submissions have expired.
Microsoft "added SMB1 to the Windows Server 2012 R2 deprecation list in June 2013." Windows Server 2016 and some versions of Windows 10 Fall Creators Update do not have SMB1 installed by default.

SMB 2.0

Microsoft introduced a new version of the protocol with Windows Vista in 2006 and Server 2008. Although the protocol is proprietary, its specification has been published to allow other systems to interoperate with Microsoft operating systems that use the new protocol.
SMB2 reduces the 'chattiness' of the SMB 1.0 protocol by reducing the number of commands and subcommands from over a hundred to just nineteen. It has mechanisms for pipelining, that is, sending additional requests before the response to a previous request arrives, thereby improving performance over high latency links. It adds the ability to compound multiple actions into a single request, which significantly reduces the number of round-trips the client needs to make to the server, improving performance as a result. SMB1 also has a compounding mechanism—known as AndX—to compound multiple actions, but Microsoft clients rarely use AndX. It also introduces the notion of "durable file handles": these allow a connection to an SMB server to survive brief network outages, as are typical in a wireless network, without having to incur the overhead of re-negotiating a new session.
SMB2 includes support for symbolic links. Other improvements include caching of file properties, improved message signing with HMAC SHA-256 hashing algorithm and better scalability by increasing the number of users, shares and open files per server among others. The SMB1 protocol uses 16-bit data sizes, which amongst other things, limits the maximum block size to 64K. SMB2 uses 32 or 64-bit wide storage fields, and 128 bits in the case of file-handles, thereby removing previous constraints on block sizes, which improves performance with large file transfers over fast networks.
Windows Vista/Server 2008 and later operating systems use SMB2 when communicating with other machines also capable of using SMB2. SMB1 continues in use for connections with older versions of Windows, as well various vendors' NAS solutions. Samba 3.5 also includes experimental support for SMB2. Samba 3.6 fully supports SMB2, except the modification of user quotas using the Windows quota management tools.
When SMB2 was introduced it brought a number of benefits over SMB1 for third party implementers of SMB protocols. SMB1, originally designed by IBM, was reverse engineered, and later became part of a wide variety of non-Windows operating systems such as Xenix, OS/2 and VMS. X/Open standardized it partially; it also had draft IETF standards which lapsed. SMB2 is also a relatively clean break with the past. Microsoft's SMB1 code has to work with a large variety of SMB clients and servers. SMB1 features many versions of information for commands because features such as Unicode support were retro-fitted at a later date. SMB2 involves significantly reduced compatibility-testing for implementers of the protocol. SMB2 code has considerably less complexity since far less variability exists.
Apple is also migrating to SMB2 with OS X 10.9. This transition was fraught with compatibility problems though. Non-default support for SMB2 appeared in fact in OS X 10.7, when Apple abandoned Samba in favor of its own SMB implementation called SMBX. Apple switched to its own SMBX implementation after Samba adopted GPLv3.
The Linux kernel's CIFS client file system has SMB2 support since version 3.7.

SMB 2.1

SMB 2.1, introduced with Windows 7 and Server 2008 R2, introduced minor performance enhancements with a new opportunistic locking mechanism.

SMB 3.0

SMB 3.0 was introduced with Windows 8 and Windows Server 2012. It brought several significant changes that are intended to add functionality and improve SMB2 performance, notably in virtualized data centers:
It also introduces several security enhancements, such as end-to-end encryption and a new AES based signing algorithm.

SMB 3.0.2

SMB 3.0.2 was introduced with Windows 8.1 and Windows Server 2012 R2; in those and later releases, the earlier SMB version 1 can be optionally disabled to increase security.

SMB 3.1.1

SMB 3.1.1 was introduced with Windows 10 and Windows Server 2016. This version supports AES-128 GCM encryption in addition to AES-128 CCM encryption added in SMB3, and implements pre-authentication integrity check using SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when connecting to clients using SMB 2.x and higher.

Implementation

General issues

SMB works through a client-server approach, where a client makes specific requests and the server responds accordingly. One section of the SMB protocol specifically deals with access to filesystems, such that clients may make requests to a file server; but some other sections of the SMB protocol specialize in inter-process communication. The Inter-Process Communication share, or ipc$, is a network share on computers running Microsoft Windows. This virtual share is used to facilitate communication between processes and computers over SMB, often to exchange data between computers that have been authenticated.
Developers have optimized the SMB protocol for local subnet usage, but users have also put SMB to work to access different subnets across the Internet—exploits involving file-sharing or print-sharing in MS Windows environments usually focus on such usage.
SMB servers make their file systems and other resources available to clients on the network. Client computers may want access to the shared file systems and printers on the server, and in this primary functionality SMB has become best-known and most heavily used. However, the SMB file-server aspect would count for little without the NT domains suite of protocols, which provide NT-style domain-based authentication at the very least. Almost all implementations of SMB servers use NT Domain authentication to validate user-access to resources.
Performance issues
The use of the SMB protocol has often correlated with a significant increase in broadcast traffic on a network. However the SMB itself does not use broadcasts—the broadcast problems commonly associated with SMB actually originate with the NetBIOS service location protocol. By default, a Microsoft Windows NT 4.0 server used NetBIOS to advertise and locate services. NetBIOS functions by broadcasting services available on a particular host at regular intervals. While this usually makes for an acceptable default in a network with a smaller number of hosts, increased broadcast traffic can cause problems as the number of hosts on the network increases. The implementation of name resolution infrastructure in the form of Windows Internet Naming Service or Domain Name System resolves this problem. WINS was a proprietary implementation used with Windows NT 4.0 networks, but brought about its own issues and complexities in the design and maintenance of a Microsoft network.
Since the release of Windows 2000, the use of WINS for name resolution has been deprecated by Microsoft, with hierarchical Dynamic DNS now configured as the default name resolution protocol for all Windows operating systems. Resolution of NetBIOS names by DNS requires that a DNS client expand short names, usually by appending a connection-specific DNS suffix to its DNS lookup queries. WINS can still be configured on clients as a secondary name resolution protocol for interoperability with legacy Windows environments and applications. Further, Microsoft DNS servers can forward name resolution requests to legacy WINS servers in order to support name resolution integration with legacy environments that do not support DNS.
Network designers have found that latency has a significant impact on the performance of the SMB 1.0 protocol, that it performs more poorly than other protocols like FTP. Monitoring reveals a high degree of "chattiness" and a disregard of network latency between hosts. For example, a VPN connection over the Internet will often introduce network latency. Microsoft has explained that performance issues come about primarily because SMB 1.0 is a block-level rather than a streaming protocol, that was originally designed for small LANs; it has a block size that is limited to 64K, SMB signing creates an additional overhead and the TCP window size is not optimized for WAN links. Solutions to this problem include the updated SMB 2.0 protocol, Offline Files, TCP window scaling and WAN acceleration devices from various network vendors that cache and optimize SMB 1.0 and 2.0.
Microsoft's modifications
Microsoft added several extensions to its own SMB implementation. For example, it added NTLM, followed by NTLMv2 authentication protocols, in order to address security weakness in the original LAN Manager authentication. LAN Manager authentication was implemented based on the original legacy SMB specification's requirement to use IBM "LAN Manager" passwords, but implemented DES in a flawed manner that allowed passwords to be cracked. Later, Kerberos authentication was also added. The NT 4.0 Domain logon protocols initially used 40-bit encryption outside of the United States, because of export restrictions on stronger 128-bit encryption. Opportunistic locking support has changed with each server release.

Samba

In 1991 Andrew Tridgell started the development of Samba, a free-software re-implementation of the SMB/CIFS networking protocol for Unix-like systems, initially to implement an SMB server to allow PC clients running the DEC Pathworks client to access files on SunOS machines. Because of the importance of the SMB protocol in interacting with the widespread Microsoft Windows platform, Samba became a popular free software implementation of a compatible SMB client and server to allow non-Windows operating systems, such as Unix-like operating systems, to interoperate with Windows.
As of version 3, Samba provides file and print services for Microsoft Windows clients and can integrate with a Windows NT 4.0 server domain, either as a Primary Domain Controller or as a domain member. Samba4 installations can act as an Active Directory domain controller or member server, at Windows 2008 domain and forest functional levels.
Package managers in Linux distributions can search for the cifs-utils package. The package is from the Samba maintainers.

Netsmb

NSMB is a family of in-kernel SMB client and server implementations in BSD operating systems. It was first contributed to FreeBSD 4.4 by Boris Popov, and is now found in a wide range of other BSD systems including NetBSD and macOS. The implementations have diverged significantly ever since.
The macOS version of NSMB is notable for its now-common scheme of representing symlinks. This "Minshall-French" format shows symlinks as textual files with a extension and a magic number, always 1067 bytes long. This format is also used for storing symlinks on naive SMB servers or unsupported filesystems. Samba supports this format with an option. Docker on Windows also seems to use it.

NQ

NQ is a family of portable SMB client and server implementations developed by , an Israel-based company established in 1998 by Sam Widerman, formerly the CEO of Siemens Data Communications. The NQ family comprises an embedded SMB stack, a Pure Java SMB Client and a storage SMB Server implementation. All of them support the latest SMB 3.1.1 dialect. NQ is portable to non-Windows platforms such as Linux, iOS, Android, as well as to VxWorks, Integrity, and other real-time operating systems.

MoSMB

MoSMB is a proprietary SMB implementation for Linux and other Unix-like systems, developed by Ryussi Technologies. It supports only SMB 2.x and SMB 3.x.

Tuxera SMB

Tuxera SMB is a proprietary SMB server implementation developed by Tuxera that can be run either in kernel or user space. It supports SMB 3.1.1 and previous versions.

Likewise

Likewise developed a CIFS/SMB implementation back in 2009 that provided a multiprotocol, identity-aware platform for network access to files used in OEM storage products built on Linux/Unix based devices. The platform could be used for traditional NAS, Cloud Gateway, and Cloud Caching devices for providing secure access to files across a network. Likewise was purchased by EMC Isilon in 2012.

CIFSD

is an open source In-kernel CIFS/SMB server implementation for Linux kernel. It has the following advantages over user-space implementations: It provides better performance, and it's easier to implement some features like SMB Direct. It supports SMB 3.1.1 and previous versions.

Opportunistic locking

In the SMB protocol, opportunistic locking is a mechanism designed to improve performance by controlling caching of network files by the client. Unlike traditional locks, OpLocks are not strictly file locking or used to provide mutual exclusion.
There are four types of opportunistic locks:
; Batch Locks: Batch OpLocks were created originally to support a particular behavior of DOS batch file execution operation in which the file is opened and closed many times in a short period, which is a performance problem. To solve this, a client may ask for an OpLock of type "batch". In this case, the client delays sending the close request and if a subsequent open request is given, the two requests cancel each other.
; Level 1 OpLocks / Exclusive Locks: When an application opens in "shared mode" a file hosted on an SMB server which is not opened by any other process the client receives an exclusive OpLock from the server. This means that the client may now assume that it is the only process with access to this particular file, and the client may now cache all changes to the file before committing it to the server. This is a performance improvement, since fewer round-trips are required in order to read and write to the file. If another client/process tries to open the same file, the server sends a message to the client which invalidates the exclusive lock previously given to the client. The client then flushes all changes to the file.
; Level 2 OpLocks: If an exclusive OpLock is held by a client and a locked file is opened by a third party, the client has to relinquish its exclusive OpLock to allow the other client's write/read access. A client may then receive a "Level 2 OpLock" from the server. A Level 2 OpLock allows the caching of read requests but excludes write caching.
; Filter OpLocks: Added in NT 4.0, Filter Oplocks are similar to Level 2 OpLocks but prevent sharing-mode violations between file open and lock reception. Microsoft advises use of Filter OpLocks only where it is important to allow multiple readers and Level 2 OpLocks in other circumstances.
Clients holding an OpLock do not really hold a lock on the file, instead they are notified via a break when another client wants to access the file in a way inconsistent with their lock. The other client's request is held up while the break is being processed.
; Breaks: In contrast with the SMB protocol's "standard" behavior, a break request may be sent from server to client. It informs the client that an OpLock is no longer valid. This happens, for example, when another client wishes to open a file in a way that invalidates the OpLock. The first client is then sent an OpLock break and required to send all its local changes, if any, and acknowledge the OpLock break. Upon this acknowledgment the server can reply to the second client in a consistent manner.

Security

Over the years, there have been many security vulnerabilities in Microsoft's implementation of the protocol or components on which it directly relies. Other vendors' security vulnerabilities lie primarily in a lack of support for newer authentication protocols like NTLMv2 and Kerberos in favor of protocols like NTLMv1, LanMan, or plaintext passwords. Real-time attack tracking shows that SMB is one of the primary attack vectors for intrusion attempts, for example the 2014 Sony Pictures attack, and the WannaCry ransomware attack of 2017.In 2020, two SMB high-severity vulnerabilities were disclosed and dubbed as SMBGhost and , which when chained together can provide RCE privilege to the attacker.

Specifications

The specifications for the SMB are proprietary and were originally closed, thereby forcing other vendors and projects to reverse-engineer the protocol in order to interoperate with it. The SMB 1.0 protocol was eventually published some time after it was reverse engineered, whereas the SMB 2.0 protocol was made available from Microsoft's MSDN Open Specifications Developer Center from the outset. There are a number of specifications that are relevant to the SMB protocol: