
What is the SMB protocol?

Even if you haven’t heard of the SMB protocol, millions of people use it every day. However, it has a vulnerability that was exposed in a massive cyberattack affecting hundreds of thousands of people. What’s worse is that simply no longer using it is not a valid solution. Fortunately, there’s a way to use this protocol safely. But first — what is SMB?

Anna Rasmussen

Aug 12, 2020 · 4 min read

What is the SMB protocol?

The Server Message Block (SMB) is a network protocol that enables users to communicate with remote computers and servers — to use their resources or share, open, and edit files. It’s also referred to as the server/client protocol, as the server has a resource that it can share with the client.

Like any network file sharing protocol, SMB needs network ports to communicate with other systems. Originally, it ran over port 139, which allowed computers on the same local network to communicate. But since Windows 2000, SMB uses port 445 over TCP to “talk” to other computers over the internet.


How do we use the SMB protocol?

The SMB protocol creates a connection between the server and the client by sending multiple request-response messages back and forth.

Imagine your team is working on a large project that involves a lot of back and forth. You might want to be able to share and edit files that are stored in one place. The SMB protocol will allow your team members to use these shared files as if they were on their own hard drives. Even if one of them is on a business trip half a world away, they can still access and use the data.

Let’s say that the printer in your office is connected to the receptionists’ PC. If you want to print a document, your computer (the client) sends the receptionists’ computer (the server) a request to print it and uses the SMB protocol to do it. The server will then send back a response, stating that the file is queued, printed, or that the printer ran out of magenta and is unable to perform the task.

What is SMB authentication?

Like any other connection, the SMB protocol needs security measures to make communication safe. At the user level, SMB authentication requires a username and password to allow access to the server. It is controlled by the system administrator, who can add or block users and keep tabs on who is allowed in.

At share level, users have to enter a one-time password to access the shared file or server, but no identity authentication is required.

Different variants of the SMB protocol

In 1996, Microsoft tried to rename SMB to CIFS (Common Internet File System). It was an updated version of the same protocol and had more functions, but the name didn’t stick. Because of this, many still think it’s the same thing. CIFS is now only one of many dialects (variants) of SMB.

Here are all the variants of the SMB protocol:

  • SMBv1 was released in 1984 by IBM for file sharing in DOS. Microsoft modified and updated it in 1990.
  • CIFS was released in 1996 with more features and support for larger file sizes. It came together with the new Windows 95.
  • SMBv2 debuted in Windows Vista in 2006. It featured a notable boost in performance because of increased efficiency — fewer commands and subcommands meant better speeds.
  • SMBv2.1 came with Windows 7, bringing improved performance.
  • SMBv3 was introduced with Windows 8 with many updates, the most notable of which is enhanced security — the protocol started supporting end-to-end encryption.
  • SMBv3.02 came together with Windows 8.1. It offered the ability to increase security and performance by completely disabling SMBv1.
  • SMBv3.1.1 was released in 2015 with Windows 10. It added more security elements to the protocol, like AES-128 encryption, protection from man-in-the-middle attacks, and session verification.

It’s important to know which version of the SMB protocol your device uses, especially if you own a business and have a lot of Windows machines connected to each other. It would be hard to find a PC running Windows 95 or XP (and using SMBv1) in a modern-day office, but they might still be running on old servers. Why is that important?
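One way to find out which SMB versions a Windows machine still speaks, as an added example that is not part of the original article: the PowerShell below runs as an administrator on Windows 8 / Server 2012 or newer (where the SmbShare module ships) and lists whether SMBv1 is enabled on the host and which dialect each live connection negotiated. The cmdlets and property names are the standard ones from the SmbShare and DISM modules; the `2.0.2` threshold is the first SMBv2 dialect, so anything below it was negotiated with an SMBv1-only peer.

```powershell
# Added example (not from the original article): local SMB version audit.
# Run in an elevated PowerShell on Windows 8 / Server 2012 or newer.

# 1. Which protocol versions does this host's SMB server currently offer?
$srv = Get-SmbServerConfiguration
[pscustomobject]@{
    SMB1Enabled             = $srv.EnableSMB1Protocol
    SMB2Enabled             = $srv.EnableSMB2Protocol
    RequireSigning          = $srv.RequireSecuritySignature
    EncryptAllShares        = $srv.EncryptData
    RejectUnencryptedAccess = $srv.RejectUnencryptedAccess
} | Format-List

# 2. On Windows 10 / Server 2016 and later, SMBv1 is also an optional Windows feature;
#    a state of "Disabled" means the component is not even installed.
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 3. Which dialect did each outbound connection from this machine negotiate?
#    Encrypted/Signed show whether the session actually got the SMBv3 protections.
Get-SmbConnection |
    Select-Object ServerName, ShareName, UserName, Dialect, Encrypted, Signed |
    Sort-Object Dialect |
    Format-Table -AutoSize

# 4. Which dialect are inbound sessions to this machine using, and from which clients?
#    Old servers, printers or NAS boxes that only speak SMBv1 show up here.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Format-Table -AutoSize

# 5. Flag any outbound connection that fell back to an SMBv1 dialect (below 2.0.2)
#    so the remote server can be patched or upgraded.
$legacy = Get-SmbConnection |
    Where-Object { [version]$_.Dialect -lt [version]'2.0.2' }
if ($legacy) {
    Write-Warning 'Connections still using SMBv1 dialects:'
    $legacy | Format-Table ServerName, ShareName, Dialect -AutoSize
}
```

Run it on the machines you care about and keep the output: a dialect of 3.1.1 with Encrypted and Signed set to True is what a modern Windows 10 pair should show, while any 1.x dialect in step 3 or 4 points at the old server the text warns about.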

The WannaCry ransomware attack

In 2017, the US National Security Agency (NSA) found a vulnerability in the SMBv1 protocol. It allowed an attacker to execute their code without the user noticing anything. When one device got infected, the hacker could gain access to the whole network and every device connected to it.

This exploit was called EternalBlue. A hacker group called the Shadow Brokers allegedly stole it from the NSA and leaked it online in 2017. Microsoft released an update to patch the vulnerability, but only a month after that, the WannaCry ransomware broke out. This massive attack affected almost 200,000 Windows devices across 150 countries. It encrypted all data on the victim’s computer and demanded a ransom in Bitcoin. WannaCry cost the UK's National Health Service about 120 million dollars in ransom money, not to mention the chaos that thousands of encrypted and unusable computers created.

Should I disable the SMB protocol?

Unfortunately, there are still more than a million Windows machines running the unpatched version of the SMBv1 protocol. Most of them are likely connected to a network, which makes other devices on the same network vulnerable, regardless of which SMB version they are using.

If you’re running a Windows computer or server that still uses SMBv1, you should immediately install the update or, better yet, upgrade to a newer version of the protocol. Is SMB secure and completely safe to use? For now, it seems so. But new vulnerabilities might pop up any day. Users who want to lower the risk can go one step further and encrypt their SMB connections.

But if you’re not using any applications that require SMB, it’s best to disable it altogether and protect your device from possible attacks. SMB is not enabled by default in Windows 10 since October 2017, so you only need to take action if you use an older Windows version.
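The steps recommended above, disabling SMBv1 and encrypting SMB connections, as an added example that is not part of the original article: the PowerShell below runs as an administrator on Windows 8 / Server 2012 or newer. `$ShareName` is an assumed placeholder for a share on your own server; the commented-out registry value in step 3 is Microsoft’s documented fallback for Windows 7 / Server 2008 R2, which lack the SmbShare cmdlets.

```powershell
# Added example (not from the original article): disable SMBv1 and enforce
# signing and encryption on a Windows file server. Elevated PowerShell required.
$ShareName = 'ProjectFiles'   # assumed placeholder; use your own share name

# 1. Stop offering SMBv1 to clients. New sessions are affected immediately.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. On Windows 10 / Server 2016 and later, also uninstall the SMBv1 optional
#    feature so it cannot silently come back. Completing this needs a reboot.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -ne 'Disabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Fallback for Windows 7 / Server 2008 R2 (no SmbShare module): set the
#    LanmanServer SMB1 value to 0 and reboot. Left commented out on purpose.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#     -Name SMB1 -Type DWORD -Value 0 -Force

# 4. Require message signing (defeats tampering and relaying of sessions) and
#    encrypt every share. RejectUnencryptedAccess refuses clients that cannot
#    encrypt, which includes anything older than SMBv3 (Windows 8 / Server 2012).
Set-SmbServerConfiguration -RequireSecuritySignature $true `
                           -EncryptData $true `
                           -RejectUnencryptedAccess $true `
                           -Force

# 5. Alternatively, if a server-wide policy is too strict for your clients,
#    encrypt only the sensitive share.
Set-SmbShare -Name $ShareName -EncryptData $true -Force

# 6. Verify the result.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, RequireSecuritySignature,
                  EncryptData, RejectUnencryptedAccess
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData
```

Before enabling `RejectUnencryptedAccess`, check the inbound dialects on the server: any client still negotiating 2.x (Windows 7, old NAS firmware, the office printer from the earlier example) will lose access the moment the setting takes effect, so either upgrade those clients first or use the per-share option in step 5 for the data that actually needs protection.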

Taking additional steps is time-consuming, and constant updates can be annoying, but you should always install them as soon as they’re available. Never assume the vulnerabilities won’t affect you. Anyone can become a target, so it’s best to protect your devices and data before anything happens.