Server Message Block
Server Message Block (SMB) is a communication protocol[1] used to share files, printers, serial ports, and miscellaneous communications between nodes on a network. On Microsoft Windows, the SMB implementation consists of two vaguely named Windows services: "Server" (ID: LanmanServer) and "Workstation" (ID: LanmanWorkstation).[2] It uses NTLM or Kerberos protocols for user authentication. It also provides an authenticated inter-process communication (IPC) mechanism.
SMB was originally developed in 1983 by Barry A. Feigenbaum at IBM[3] to share access to files and printers across a network of systems running IBM's OS/2. In 1987, Microsoft and 3Com implemented SMB in LAN Manager for OS/2, at which time SMB used the NetBIOS service atop the NetBIOS Frames protocol as its underlying transport. Later, Microsoft implemented SMB in Windows NT 3.1 and has been updating it ever since, adapting it to work with newer underlying transports: TCP/IP and NetBT. SMB over QUIC was introduced in Windows Server 2022.
In 1996, Microsoft published a version of SMB 1.0[4] with minor modifications under the Common Internet File System (CIFS /sɪfs/) moniker. CIFS was compatible with even the earliest incarnation of SMB, including LAN Manager's.[4] It supports symbolic links, hard links, and larger file size, but none of the features of SMB 2.0 and later.[4][5] Microsoft's proposal, however, remained an Internet Draft and never achieved standard status.[6] Microsoft has since discontinued the CIFS moniker but continues developing SMB and publishing subsequent specifications. Samba is a free software reimplementation of the SMB protocol and the Microsoft extensions to it.
History[edit]
SMB 1.0[edit]
Barry Feigenbaum originally designed SMB at IBM in early 1983 with the aim of turning DOS INT 21h local file access into a networked file system.[3] Microsoft made considerable modifications to the most commonly used version and included SMB support in the LAN Manager operating system it had started developing for OS/2 with 3Com around 1990.[18][19][20] Microsoft continued to add features to the protocol in Windows for Workgroups (c. 1992) and in later versions of Windows. LAN Manager authentication was implemented based on the original legacy SMB specification's requirement to use IBM "LAN Manager" passwords, but implemented DES in a flawed manner that allowed passwords to be cracked.[21] Later, Kerberos authentication was also added. The Windows domain logon protocols initially used 40-bit encryption outside of the United States, because of export restrictions on stronger 128-bit encryption[22] (subsequently lifted in 1996 when President Bill Clinton signed Executive Order 13026[23]).
SMB 1.0 (or SMB1) was originally designed to run on NetBIOS Frames (NetBIOS over IEEE 802.2). Since then, it has been adapted to NetBIOS over IPX/SPX (NBX), and NetBIOS over TCP/IP (NetBT). Also, since Windows 2000, SMB runs on TCP using TCP port 445, a feature known as "direct host SMB".[24] There is still a thin layer (similar to the Session Message packet of NetBT's Session Service) between SMB and TCP.[24] Windows Server 2003, and legacy NAS devices use SMB1 natively.
SMB1 is an extremely chatty protocol, which is not such an issue on a local area network (LAN) with low latency. It becomes very slow on wide area networks (WAN) as the back and forth handshake of the protocol magnifies the inherent high latency of such a network. Later versions of the protocol reduced the high number of handshake exchanges. One approach to mitigating the inefficiencies in the protocol is to use WAN optimization products such as those provided by Riverbed, Silver Peak, or Cisco. A better approach is to upgrade to a later version of SMB. This includes upgrading both NAS devices as well as Windows Server 2003. The most effective method to identify SMB1 traffic is with a network analyzer tool, such as Wireshark. Microsoft also provides an auditing tool in Windows Server 2016 to track down devices that use SMB1.[25]
Microsoft has marked SMB1 as deprecated in June 2013.[26] Windows Server 2016 and Windows 10 version 1709 do not have SMB1 installed by default.[27]
CIFS[edit]
In 1996, when Sun Microsystems announced WebNFS,[28] Microsoft launched an initiative to rename SMB to Common Internet File System (CIFS)[3] and added more features, including support for symbolic links, hard links, larger file sizes, and an initial attempt at supporting direct connections over TCP port 445 without requiring NetBIOS as a transport (a largely experimental effort that required further refinement). Microsoft submitted some partial specifications as Internet Drafts to the IETF.[6] These submissions have since expired.
SMB 2.0[edit]
Microsoft introduced a new version of the protocol (SMB 2.0 or SMB2) in 2006 with Windows Vista and Windows Server 2008.[29] Although the protocol is proprietary, its specification has been published to allow other systems to interoperate with Microsoft operating systems that use the new protocol.[30]
SMB2 reduces the 'chattiness' of the SMB 1.0 protocol by reducing the number of commands and subcommands from over a hundred to just nineteen.[13] It has mechanisms for pipelining, that is, sending additional requests before the response to a previous request arrives, thereby improving performance over high-latency links. It adds the ability to compound multiple actions into a single request, which significantly reduces the number of round-trips the client needs to make to the server, improving performance as a result.[13] SMB1 also has a compounding mechanism—known as AndX—to compound multiple actions, but Microsoft clients rarely use AndX. It also introduces the notion of "durable file handles": these allow a connection to an SMB server to survive brief network outages, as are typical in a wireless network, without having to incur the overhead of re-negotiating a new session.
SMB2 includes support for symbolic links. Other improvements include caching of file properties, improved message signing with HMAC SHA-256 hashing algorithm and better scalability by increasing the number of users, shares and open files per server among others.[13] The SMB1 protocol uses 16-bit data sizes, which amongst other things, limits the maximum block size to 64K. SMB2 uses 32- or 64-bit wide storage fields, and 128 bits in the case of file-handles, thereby removing previous constraints on block sizes, which improves performance with large file transfers over fast networks.[13]
Windows Vista/Server 2008 and later operating systems use SMB2 when communicating with other machines also capable of using SMB2. SMB1 continues in use for connections with older versions of Windows, as well various vendors' NAS solutions. Samba 3.5 also includes experimental support for SMB2.[31] Samba 3.6 fully supports SMB2, except the modification of user quotas using the Windows quota management tools.[32]
When SMB2 was introduced it brought a number of benefits over SMB1 for third party implementers of SMB protocols. SMB1, originally designed by IBM, was reverse engineered, and later became part of a wide variety of non-Windows operating systems such as Xenix, OS/2 and VMS (Pathworks). X/Open standardized it partially; Microsoft had submitted Internet-Drafts describing SMB2 to the IETF, partly in response to formal IETF standardization of version 4 of the Network File System in December 2000 as IETF RFC 3010;[33] however, those SMB-related Internet-Drafts expired without achieving any IETF standards-track approval or any other IETF endorsement. (See http://ubiqx.org/cifs/Intro.html for historical detail.) SMB2 is also a relatively clean break with the past. Microsoft's SMB1 code has to work with a large variety of SMB clients and servers. SMB1 features many versions of information for commands (selecting what structure to return for a particular request) because features such as Unicode support were retro-fitted at a later date. SMB2 involves significantly reduced compatibility-testing for implementers of the protocol. SMB2 code has considerably less complexity since far less variability exists (for example, non-Unicode code paths become redundant as SMB2 requires Unicode support).
Apple migrated to SMB2 (from their own Apple Filing Protocol, now legacy) starting with OS X 10.9 "Mavericks".[34] This transition was fraught with compatibility problems though.[35][36] Non-default support for SMB2 appeared in fact in OS X 10.7, when Apple abandoned Samba in favor of its own SMB implementation called SMBX.[34] Apple switched to its own SMBX implementation after Samba adopted GPLv3.[37][38] MacOS also has supported the IETF Network File System (NFS) for many years (and continues to do so as of 2021).
The Linux kernel's CIFS client file system has SMB2 support since version 3.7.[39]
SMB 3.0[edit]
SMB 3.0 (previously named SMB 2.2)[41] was introduced with Windows 8[41] and Windows Server 2012.[41] It brought several significant changes that are intended to add functionality and improve SMB2 performance,[42] notably in virtualized data centers:
Specifications[edit]
The specifications for the SMB are proprietary and were initially closed, thereby forcing other vendors and projects to reverse-engineer the protocol to interoperate with it. The SMB 1.0 protocol was eventually published some time after it was reverse engineered, whereas the SMB 2.0 protocol was made available from Microsoft's Open Specifications Developer Center from the outset.[55]
Security[edit]
Over the years, there have been many security vulnerabilities in Microsoft's implementation of the protocol or components on which it directly relies.[63][64] Other vendors' security vulnerabilities lie primarily in a lack of support for newer authentication protocols like NTLMv2 and Kerberos in favor of protocols like NTLMv1, LanMan, or plaintext passwords. Real-time attack tracking[65] shows that SMB is one of the primary attack vectors for intrusion attempts,[66] for example the 2014 Sony Pictures attack,[67] and the WannaCry ransomware attack of 2017.[68] In 2020, two SMB high-severity vulnerabilities were disclosed and dubbed as SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206), which when chained together can provide RCE (Remote Code Execution) privilege to the attacker.[69]