SMB Protocol Versions
Server Message Block (SMB) is a network file sharing protocol developed by Microsoft. It allows applications to read and write files and request services from server programs over a network. Understanding version differences is critical for security and performance.
Quick History: SMB was originally developed by IBM in the 1980s, enhanced by Microsoft, and has evolved significantly. CIFS (Common Internet File System) is essentially SMB 1.0 with some extensions.
SMB 1.0
Windows 2000/XP/2003

DEPRECATED - DISABLE
- Major security vulnerabilities
- WannaCry/NotPetya target
- No encryption
- Poor performance
SMB 2.0
Vista/Server 2008
- Complete redesign
- Reduced chattiness (19 commands vs 100+)
- Better performance (up to 30x faster)
- Larger buffers (64KB reads/writes)
- Durable file handles
- Improved message compounding
SMB 2.1
Win 7/Server 2008 R2
- Large MTU support
- BranchCache
- Improved leasing
- Energy efficient
SMB 3.0
Win 8/Server 2012
✓ Encryption Support
- End-to-end encryption
- SMB Direct (RDMA)
- SMB Multichannel
- Transparent failover
SMB 3.1.1
Win 10/Server 2016+
✓ RECOMMENDED
- Pre-auth integrity
- AES-128-GCM encryption
- MitM protection
- Modern security
SMB Version Compatibility Matrix
| Windows Version | SMB Versions Supported | Default SMB Version |
| --- | --- | --- |
| Windows 10/11, Server 2016+ | 2.0, 2.1, 3.0, 3.0.2, 3.1.1 | 3.1.1 |
| Windows 8.1, Server 2012 R2 | 2.0, 2.1, 3.0, 3.0.2 | 3.0.2 |
| Windows 8, Server 2012 | 2.0, 2.1, 3.0 | 3.0 |
| Windows 7, Server 2008 R2 | 1.0, 2.0, 2.1 | 2.1 |
| Windows Vista, Server 2008 | 1.0, 2.0 | 2.0 |
Migration Checklist: SMB 1.0 to SMB 3.x
- Audit environment: Identify systems still using SMB 1.0
- Update legacy systems to Windows 10/Server 2016 or later
- Test applications for SMB 3.x compatibility
- Disable SMB 1.0 on servers first, then clients
- Monitor logs for any SMB 1.0 connection attempts
- Document changes and update procedures
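# Detect SMB1 usage (run on server): list inbound sessions that negotiated an SMB1 dialect
# (Get-SmbConnection only shows this machine's outbound client connections)
Get-SmbSession | Where-Object {$_.Dialect -like "1.*"}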
# Audit SMB1 requests
Set-SmbServerConfiguration -AuditSmb1Access $true
# Check audit results
Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit
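To turn the audit log into the list of legacy clients the checklist asks for, the following added example (not part of the original page) groups SMB1 access events by client. It assumes the SMB1 access event is ID 3000 and that its message contains a "Client Address:" line; the function name and the sample events are constructed for illustration.

```powershell
# Added example: summarise SMB1 audit events (Event ID 3000) per client address.
# Assumption: each event message carries a "Client Address: <value>" line.
function Get-Smb1ClientSummary {
    param([Parameter(Mandatory)] [object[]] $Events)   # objects with TimeCreated and Message

    $Events | ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') {
            [pscustomobject]@{ Client = $Matches[1]; Time = $_.TimeCreated }
        }
    } | Group-Object Client | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Client    = $_.Name
            Attempts  = $_.Count
            FirstSeen = $times | Select-Object -First 1
            LastSeen  = $times | Select-Object -Last 1
        }
    } | Sort-Object Attempts -Descending
}

try {
    # Live data: requires -AuditSmb1Access $true on this server
    $events = Get-WinEvent -ErrorAction Stop -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
} catch {
    # Constructed sample events, used when the log is empty or unavailable
    $events = @(
        [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 08:15'
                           Message = "SMB1 access`nClient Address: 10.0.5.21" }
        [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 09:40'
                           Message = "SMB1 access`nClient Address: 10.0.5.21" }
        [pscustomobject]@{ TimeCreated = [datetime]'2024-03-05 14:02'
                           Message = "SMB1 access`nClient Address: 10.0.7.80" }
    )
}

# One row per client still attempting SMB1, busiest first
Get-Smb1ClientSummary -Events $events | Format-Table -AutoSize
```

An empty result over a full business cycle is the signal that SMB 1.0 can be disabled on that server without breaking a client.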
Quick Reference: SMB Commands
| Task | Windows Command | PowerShell |
| --- | --- | --- |
| List shares | net share | Get-SmbShare |
| Create share | net share name=path | New-SmbShare |
| Remove share | net share name /delete | Remove-SmbShare |
| Map drive | net use Z: \\server\share | New-PSDrive |
| View connections | net use | Get-SmbConnection |
| Disconnect drive | net use Z: /delete | Remove-PSDrive |
SMB Feature Evolution Timeline
- 1983: IBM develops SMB for DOS
- 1990s: Microsoft enhances SMB, creates CIFS
- 2006: SMB 2.0 released with Vista
- 2009: SMB 2.1 in Windows 7
- 2012: SMB 3.0 adds encryption
- 2013: SMB 3.0.2 in Windows 8.1
- 2015: SMB 3.1.1 with pre-auth integrity
- 2017: WannaCry highlights SMB 1.0 dangers
- 2020: SMBGhost vulnerability patched
Windows Share Setup
Creating a Share
- Right-click folder → Properties
- Sharing tab → Advanced Sharing
- Check "Share this folder"
- Set share name
- Click Permissions
- Configure access
Permissions Comparison
| Type | Scope | Levels |
| --- | --- | --- |
| Share | Network only | Read, Change, Full |
| NTFS | Local & Network | Full, Modify, R&E, Read, Write |
Rule: Most restrictive wins. Share=Read + NTFS=Full = Read access
Best Practices
- Share permissions: Everyone - Full Control
- NTFS permissions: the actual security control
- Use groups, not users
- Disable SMB 1.0
- Regular audits
PowerShell Commands
# Create a share
New-SmbShare -Name "ShareName" -Path "C:\SharedFolder" -FullAccess "Everyone"
# View existing shares
Get-SmbShare
# Remove a share
Remove-SmbShare -Name "ShareName"
# Set share permissions
Grant-SmbShareAccess -Name "ShareName" -AccountName "DOMAIN\User" -AccessRight Full
# View share access
Get-SmbShareAccess -Name "ShareName"
Permission Examples
| Scenario | Share Permission | NTFS Permission | Effective Result |
| --- | --- | --- | --- |
| Example 1 | Read | Full Control | Read |
| Example 2 | Full Control | Modify | Modify |
| Example 3 | Change | Read | Read |
| Best Practice | Full Control | As needed | NTFS controls |
Linux Samba Setup
Installation
# Ubuntu/Debian
sudo apt install samba
# CentOS/RHEL
sudo yum install samba
Basic smb.conf
[global]
workgroup = WORKGROUP
server string = Samba %v
security = user
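# Lowest dialect the server accepts; SMB2 already refuses SMB1 clients.
# Raise to SMB3 or SMB3_11 once every client supports it.
min protocol = SMB2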
[Share]
path = /srv/samba/share
browsable = yes
writable = yes
valid users = @smbgroup
create mask = 0755
User Management
# Add user
sudo adduser smbuser
sudo smbpasswd -a smbuser
# Create group
sudo groupadd smbgroup
sudo usermod -aG smbgroup smbuser
Mount SMB Share
# Install cifs-utils
sudo apt install cifs-utils
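# Mount
# (a password on the command line lands in shell history and the process list;
#  prefer a credentials= file, as in the fstab entry below)
sudo mount -t cifs //server/share /mnt/point \
-o username=user,password=pass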
# /etc/fstab entry
//server/share /mnt/point cifs credentials=/root/.creds,uid=1000 0 0
Samba Service Commands
# Start Samba
sudo systemctl start smbd
sudo systemctl start nmbd
# Stop Samba
sudo systemctl stop smbd
# Restart after config changes
sudo systemctl restart smbd
# Enable at boot
sudo systemctl enable smbd
# Check status
sudo systemctl status smbd
# View active connections
sudo smbstatus
# Test configuration
testparm -s
Troubleshooting Samba
- Check logs: /var/log/samba/
- Verify firewall allows ports 139, 445
- Test config: testparm
- Check SELinux if enabled
- Verify user exists: pdbedit -L
Advanced smb.conf Options
[global]
# Performance tuning
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
read raw = yes
write raw = yes
max xmit = 65535
# Security hardening
restrict anonymous = 2
null passwords = no
obey pam restrictions = yes
unix password sync = yes
# Logging
log file = /var/log/samba/%m.log
log level = 1
SMB Ports & Security
445
SMB over TCP, direct-hosted (not to be confused with SMB Direct, which is SMB over RDMA)
Primary port for modern SMB (2.0+). Direct TCP without NetBIOS.
Never expose to internet!
139
SMB over NetBIOS (TCP)
Legacy port for SMB 1.0. Can be disabled in modern networks.
137, 138
NetBIOS Services (UDP)
Name resolution and datagrams. Legacy services.
Security Commands
# Disable SMB1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Enable encryption
Set-SmbShare -Name "Share" -EncryptData $true
# Enable signing
Set-SmbServerConfiguration -RequireSecuritySignature $true
Best Practices
- Use SMB 3.1.1 minimum
- Enable encryption
- Require signing
- Use VPN for remote
- Block port 445 from internet
Network Isolation
CRITICAL: SMB should never be exposed to the internet. Use VPN, ZeroTier, or Tailscale for remote access.
Checking SMB Configuration
# Check SMB version in use
Get-SmbConnection | Select ServerName, Dialect, Encrypted
# View server configuration
Get-SmbServerConfiguration | Select *
# Check if SMB1 is enabled (should be False)
Get-WindowsOptionalFeature -Online | Where-Object {$_.FeatureName -like "*SMB*"}
# View shares and their encryption status
Get-SmbShare | Select Name, EncryptData, Path
Security Audit Checklist
- SMB 1.0 disabled on all systems
- Encryption enabled for sensitive shares
- Signing required on domain controllers
- Firewall blocking external SMB access
- Regular permission audits
- Guest access disabled
- Strong password policy enforced
- Network segmentation implemented
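The checklist items that live in SMB server settings can be checked mechanically. This added example (not from the original page) evaluates the SMB 1.0, signing, and per-share encryption items and lists what fails; the function name and the fallback sample objects are constructed for illustration.

```powershell
# Added example: evaluate SMB server settings and shares against the checklist.
function Test-SmbHardening {
    param(
        [Parameter(Mandatory)] $ServerConfig,        # output of Get-SmbServerConfiguration
        [Parameter(Mandatory)] [object[]] $Shares    # output of Get-SmbShare
    )
    $checks = [ordered]@{
        'SMB 1.0 disabled' = (-not $ServerConfig.EnableSMB1Protocol)
        'Signing required' = [bool]$ServerConfig.RequireSecuritySignature
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Target = 'server'; Pass = $checks[$name] }
    }
    # Encryption counts as enabled if set server-wide or on the share itself.
    # Administrative shares (ADMIN$, C$, IPC$) are skipped via the Special flag.
    foreach ($share in $Shares | Where-Object { -not $_.Special }) {
        [pscustomobject]@{
            Check  = 'Encryption enabled'
            Target = $share.Name
            Pass   = [bool]($ServerConfig.EncryptData -or $share.EncryptData)
        }
    }
}

try {
    $cfg    = Get-SmbServerConfiguration -ErrorAction Stop
    $shares = Get-SmbShare -ErrorAction Stop
} catch {
    # Constructed sample data, used when the SMB cmdlets are unavailable
    $cfg = [pscustomobject]@{
        EnableSMB1Protocol = $true; RequireSecuritySignature = $false; EncryptData = $false }
    $shares = @(
        [pscustomobject]@{ Name = 'Finance'; Special = $false; EncryptData = $true }
        [pscustomobject]@{ Name = 'Public';  Special = $false; EncryptData = $false }
        [pscustomobject]@{ Name = 'IPC$';    Special = $true;  EncryptData = $false }
    )
}

# Show only the failing items
Test-SmbHardening -ServerConfig $cfg -Shares $shares |
    Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

With the constructed sample data the output lists three failures: SMB 1.0 still enabled, signing not required, and the Public share unencrypted.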
Performance Tuning
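# Enable SMB Direct (RDMA)
# (no Set-SmbServerConfiguration switch exists for this; SMB Direct is used
#  automatically once Network Direct and the RDMA-capable adapters are enabled)
Set-NetOffloadGlobalSetting -NetworkDirect Enabled
# Set the maximum number of SMB Multichannel channels per session
Set-SmbServerConfiguration -MaxChannelPerSession 32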
# Enable bandwidth management
Set-SmbBandwidthLimit -Category Default -BytesPerSecond 100MB
# Optimize for large file transfers
Set-SmbServerConfiguration -AsynchronousCredits 512
Notable SMB Vulnerabilities
| Vulnerability | CVE | Impact | Mitigation |
| --- | --- | --- | --- |
| EternalBlue | CVE-2017-0144 | Remote code execution (WannaCry) | Disable SMB1, patch systems |
| SMBGhost | CVE-2020-0796 | SMB 3.1.1 compression flaw | Apply KB4551762 patch |
| SambaCry | CVE-2017-7494 | Remote code execution (Samba) | Update Samba to 4.6.4+ |
SMB Hardening Best Practices
- Implement network segmentation (VLANs)
- Use IPsec for additional encryption layer
- Enable Windows Defender Firewall
- Restrict anonymous access
- Use service accounts with minimal privileges
- Implement file screening (FSRM)
- Regular security audits and penetration testing
- Monitor SMB traffic with IDS/IPS
Troubleshooting
Access Denied
- Check Share permissions
- Verify NTFS permissions
- Confirm user group membership
- Test credentials
# Check permissions
Get-SmbShare -Name "Share" | Get-SmbShareAccess
Get-Acl "C:\Share" | Format-List
Network Discovery Issues
- Enable Network Discovery
- Start Function Discovery services
- Check firewall rules
- Set network to Private
# Enable discovery
Get-NetFirewallRule -DisplayGroup "Network Discovery" | Enable-NetFirewallRule
Can't Map Drive
- Ping server
- Test port 445
- Verify share name
- Clear cached credentials
# Test connectivity
Test-NetConnection server -Port 445
# Clear credentials
cmdkey /delete:server
Slow Transfers
- Enable SMB Multichannel
- Check network speed
- Disable antivirus scanning
- Ensure not using SMB 1.0
# Check SMB version
Get-SmbConnection | Select ServerName,Dialect
# Enable Multichannel
Set-SmbServerConfiguration -EnableMultiChannel $true
# Check bandwidth
Get-SmbBandwidthLimit
Error 0x80070035 - Network Path Not Found
- Verify computer name/IP is correct
- Check network connectivity (ping)
- Ensure share exists on target
- Verify DNS resolution
- Check Windows Firewall settings
Error 0x80004005 - Unspecified Error
- Often caused by SMB 1.0 dependencies
- Check SMB version compatibility
- Verify network discovery enabled
- Reset TCP/IP stack if needed
# Reset network
netsh int ip reset
netsh winsock reset
ipconfig /flushdns
Common Log Locations
- Windows: Event Viewer → Applications and Services → Microsoft → Windows → SMBServer
- Linux: /var/log/samba/log.smbd
- macOS: /var/log/system.log
Advanced Troubleshooting Tools
# Capture SMB traffic
netsh trace start capture=yes tracefile=smb.etl
# Stop capture
netsh trace stop
# View SMB sessions
Get-SmbSession | Format-Table
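# Close all client sessions on this server (disconnects active users)
# (Close-SmbSession operates on Get-SmbSession output, not Get-SmbConnection)
Get-SmbSession | Close-SmbSession
# Reset SMB server configuration to defaults
# (this also reverts hardening settings such as required signing; re-check them afterwards)
Reset-SmbServerConfiguration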
Performance Diagnostics
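# List the network interfaces the SMB server can use (RSS/RDMA capability, link speed)
Get-SmbServerNetworkInterface
# Show negotiated dialect and open-file count per connection
Get-SmbConnection | Select ServerName, Dialect, NumOpens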
# View open files
Get-SmbOpenFile | Select Path, ClientComputerName, SessionId
Troubleshooting Flowchart
- Can you ping the server? NO → Check network connectivity
- Is port 445 open? NO → Check firewall settings
- Can you resolve the server name? NO → Check DNS or use IP
- Do you have correct credentials? NO → Verify username/password
- Are permissions correct? NO → Check Share and NTFS permissions
- Is SMB version compatible? NO → Update client or server
- Still not working? → Check event logs and enable debug logging