Ned Pyle
Heya folks, Ned here again. Starting with Windows Server Insider Preview Build 25997, the SMB over QUIC server feature is now available in Datacenter and Standard editions. This changes the previous behavior, where it was only available in Windows Server Azure Edition.
SMB over QUIC
SMB over QUIC introduced an alternative to TCP and RDMA, supplying secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords.
SMB over QUIC offers an "SMB VPN" for telecommuters, mobile device users, and the most security-sensitive internal networks. The server certificate creates a TLS 1.3-encrypted tunnel over a UDP port instead of the legacy TCP/445. No SMB traffic - including authentication and authorization - is exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't change and capabilities like multichannel and compression continue to work.
A file server administrator must opt in to enabling SMB over QUIC; it isn't on by default, and a client can't force a file server to enable SMB over QUIC. We recently added an additional option called Client Access Control that lets you further secure the file server through an allow-list for clients.
What changed
In Windows Server 2022, the SMB over QUIC server is limited to Azure Edition machines. Now in Windows Server Insider Preview servers, you can configure SMB over QUIC on all editions, including Datacenter and Standard. There are no additional requirements; it is now just available everywhere. Azure Edition is designed to be a cutting-edge platform for new features and for organizations who want state-of-the-art technology, but it is not a final destination for all of them. Windows 11, Windows Server 2022, Windows Insider clients, and third parties can connect to the server like usual.
Because Windows Admin Center still checks that you're on Azure Edition for now, you'll need to use PowerShell to configure the feature. Follow the configuration steps at SMB over QUIC to get your certificate, but skip the WAC steps and use the New-SmbServerCertificateMapping command to set up the server for now (replace the angle-bracketed placeholders with your server's FQDN and the certificate's thumbprint):
New-SmbServerCertificateMapping -Name <server FQDN> -Thumbprint <certificate thumbprint> -StoreName My
[Screenshot: PowerShell output of New-SmbServerCertificateMapping]
You can also now specify the SMB over QUIC listening port, as mentioned recently in the SMB alternative ports blog post. The default is UDP/443, but you can now change it using:
Set-SmbServerAlternativePort -TransportType QUIC -Port <a number between 0 and 65536> -EnableInstances Default
You can then connect to it using that port from a recent Windows 11 Insider client using NET USE /QUICPORT or New-SmbMapping -QuicPort:
[Screenshot: net use /QUICPORT command]
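The whole procedure above, carried through end to end, as an added example that is not from Ned's post or from Microsoft: select a suitable certificate, bind it with New-SmbServerCertificateMapping, optionally move the listener off UDP/443 with Set-SmbServerAlternativePort, open the host firewall, and then map a share from a Windows 11 Insider client with New-SmbMapping. The FQDN, share name and drive letter are placeholders; the certificate-selection filter (Server Authentication EKU, private key present, FQDN in the SAN list, not expired) is this example's own check rather than anything the post prescribes.

```powershell
# Added example, not code from the post. Run the server region elevated on the
# file server and the client region on a Windows 11 Insider client.

#region ---- Server side (elevated PowerShell on the file server) ----
$Fqdn = 'fs01.corp.example.com'   # placeholder: the file server's FQDN (must match the certificate)
$Port = 443                       # UDP/443 is the default; set another value to use an alternative port

# Choose the certificate the same way you would by hand: in LocalMachine\My, with a
# private key, still valid, carrying the Server Authentication EKU, and naming the FQDN.
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku) -and
        ($_.DnsNameList.Unicode -contains $Fqdn)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No valid server-authentication certificate for $Fqdn found in LocalMachine\My"
}

# Step 1 (from the post): bind the certificate to the SMB over QUIC listener.
New-SmbServerCertificateMapping -Name $Fqdn -Thumbprint $cert.Thumbprint -StoreName My

# Step 2 (from the post, optional): listen on a port other than UDP/443.
if ($Port -ne 443) {
    Set-SmbServerAlternativePort -TransportType QUIC -Port $Port -EnableInstances Default
}

# Step 3: let the QUIC listener through the host firewall. Add -RemoteAddress to
# restrict which networks may reach it instead of allowing any source.
New-NetFirewallRule -DisplayName "SMB over QUIC (UDP $Port)" -Direction Inbound `
    -Protocol UDP -LocalPort $Port -Action Allow -Profile Any | Out-Null

# Verify: the mapping exists and QUIC is enabled on the server (it is on by default,
# so a $false here means someone disabled it with Set-SmbServerConfiguration).
Get-SmbServerCertificateMapping | Where-Object Name -eq $Fqdn |
    Format-List Name, Thumbprint, StoreName
(Get-SmbServerConfiguration).EnableSMBQUIC
#endregion

#region ---- Client side (Windows 11 Insider) ----
$Fqdn  = 'fs01.corp.example.com'  # placeholder: same FQDN as above
$Port  = 443                      # placeholder: must match the server's listening port
$Share = 'share'                  # placeholder: an existing share on the server

# -TransportType QUIC insists on QUIC instead of silently falling back to TCP/445;
# -QuicPort is only needed when the server uses a non-default port. Do not add
# -SkipCertificateCheck: certificate validation is what makes the tunnel trustworthy.
New-SmbMapping -LocalPath 'Q:' -RemotePath "\\$Fqdn\$Share" -TransportType QUIC -QuicPort $Port

# Confirm the session is up; Dialect, Signed and Encrypted are standard Get-SmbConnection columns.
Get-SmbConnection | Where-Object ServerName -eq $Fqdn |
    Format-Table ServerName, ShareName, Dialect, Signed, Encrypted
#endregion
```

If the client-side mapping fails while the server-side verification succeeded, the usual causes are the firewall rule not reaching the right profile, a certificate whose SAN does not contain the exact FQDN the client used, or an intermediate firewall dropping UDP on the chosen port; check those in that order before weakening certificate validation.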
Final Notes
As mentioned recently in the SMB alternative ports blog post, you will also be able to configure SMB over QUIC to listen on a UDP port other than the default 443. Look for this option in a coming Windows Server Insiders release.
This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:
- SMB alternative ports (November 2023)
- SMB Firewall changes in Windows insider (November 2023)
- SMB client encryption mandate now supported in Windows Insider (October 2023)
- SMB over QUIC client access control now supported in Windows Insider (October 2023, updated Nov 2023)
- SMB NTLM blocking (September 2023, updated Nov 2023)
- SMB dialect management (September 2023)
- SMB signing required by default in Windows Insider (June 2023)
- The beginning of the end of Remote Mailslots (March 2023)
- SMB insecure guest auth now off by default in Windows Insider Pro editions (January 2023)
- SMB authentication rate limiter now on by default in Windows Insider (September 2022)
- SMB1 now disabled by default for Windows 11 Home Insiders builds (April 2022)
For more information on securing SMB on Windows in-market, check out:
- SMB security enhancements | Microsoft Learn
- Secure SMB Traffic in Windows Server | Microsoft Learn
- Protect SMB traffic from interception | Microsoft Learn
Until next time,
Ned Pyle